Malware Analysis Report

2024-10-19 10:43

Sample ID 241008-v93q4axdml
Target 22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118
SHA256 96542c8ee4501ee802f5af3f8788eee478d0a069f34995f811170504552a1f91
Tags
xorist discovery persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96542c8ee4501ee802f5af3f8788eee478d0a069f34995f811170504552a1f91

Threat Level: Known bad

The file 22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xorist discovery persistence ransomware spyware stealer

Xorist Ransomware

Detected Xorist Ransomware

Renames multiple (2214) files with added filename extension

Renames multiple (2187) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 17:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 17:42

Reported

2024-10-08 21:19

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Renames multiple (2187) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\@AudioToastIcon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h2x.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker33.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Campfire.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d8.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\TracePendingIcon-glyph-E72C.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-LTR.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_40x40x32.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\TinyTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare71x71.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\emulation\emulation.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Square44x44Logo.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\NearShare.scale-400.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-14.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\previewTabClose.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.1_none_03928ee4a9e5894c\RequestedDownloadsLargeCloudIcon.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\SquareLogo71x71.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Media\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\PhishSiteEdge.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square310x310Logo.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-6.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_500.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-usertiles-client_31bf3856ad364e35_10.0.19041.1_none_df86f0e7b84bf07b\user-40.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square44x44logo.scale-150.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\unknownprotocol.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..ntscontrol.appxmain_31bf3856ad364e35_10.0.19041.423_none_6c3451a09cba3850\SplashScreen.Theme-Dark_Scale-140.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\WideLogo310x150.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Exchange.Theme-Light_Scale-400.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\splashscreen.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\YourPhoneCallingToast.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoMsa.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\Holographic.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\activeFrameGlyph.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.264_none_a61d15efb6291d40\YourPhoneCallingToast.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..erymanager.appxmain_31bf3856ad364e35_10.0.19041.1266_none_20804a45b5801645\BadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\502.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\SquareLogo150x150.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\colorPicker\alphaColorBar.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\debuggerNextTab.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\SplashScreen.scale-400.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\i_sort_down.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\AppListIcon.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\unifiedEnrollmentOnPremAuth.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-startclient_31bf3856ad364e35_10.0.19041.1_none_689a6c454db469ea\iisstart.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\about_Mocking.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_400.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorrenewrentallicense.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\logo.altform-unplated.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\i_save.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\http_501.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\image2.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\tokenManagerErrorHandler.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\MicrosoftFamily.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Square44x44Logo.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\f12host.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\NearShare.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\needie.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\SquareTile150x150.scale-200.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\wide.Devices.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\saveicon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\feedback.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TBFZLTGLROVAHFH" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe,0" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2712 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2712 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2712 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 4976 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4976 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 3224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\virus encoder.exe

"C:\Users\Admin\AppData\Local\Temp\virus encoder.exe"

C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe

"C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.crazyfrost.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdce0346f8,0x7ffdce034708,0x7ffdce034718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,8391056898994570236,14843547783528746274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2736 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 www.crazyfrost.com udp
US 104.21.5.49:80 www.crazyfrost.com tcp
US 104.21.5.49:80 www.crazyfrost.com tcp
US 8.8.8.8:53 support.cloudflare.com udp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.21.5.49:80 www.crazyfrost.com tcp
US 104.21.5.49:80 www.crazyfrost.com tcp
US 104.21.5.49:80 www.crazyfrost.com tcp
US 8.8.8.8:53 49.5.21.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\virus encoder.exe

MD5 63101d9664ce362eba241e2bddc54a74
SHA1 3fa8190d6a1fea2b54efc6804dedffc6d29c4221
SHA256 20c262be3ce3269b1c2d0f6af38c189c69e22ccbdf0942a23c89073563445326
SHA512 118d99caaf939ffbf3b213a1c51f3933cc7badd737ecc13b9ae1c85163d352d8b10e7ec65158070860b0b78b50a50b3e2d416a9f1910aad0629ee6560a4435cf

C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe

MD5 3ffc01adf1bdd98bc7675450ef673882
SHA1 7c8226cbc5dbd32fe8553fd17edaf7f4b946a039
SHA256 75920af382027dfc7baba45e56b6e007ff6d5a5dd7b1506bbb98e08ddcd6742d
SHA512 875b7d94482c3ee7a20fff9b49f56a502f7858edb9a47c61c7a4918bd9ec6bf67ef72b4decd5a68775237ea592c27b75fb3126019b4ef7743aa0ce6a9e3dda04

memory/4976-24-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4976-26-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4976-25-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4976-23-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4976-41-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-61-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-52-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-40-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-39-0x0000000077570000-0x0000000077571000-memory.dmp

memory/4976-208-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-231-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-257-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-273-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-297-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-295-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-291-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-289-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-287-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-283-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-279-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-277-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-275-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-271-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-269-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-267-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-265-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-263-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-261-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-259-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-255-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-254-0x0000000000570000-0x00000000005AC000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 4846e06f8c4e12a788aecad18f1cb3d0
SHA1 71d4055dbee8cf298bf438312619ce1adaf0f20c
SHA256 fded5ad3099491c3314a3c41c8d5a69d27bc4e77ab195edb1b8db8e44a8b9df4
SHA512 bc6bc5e775cc54e00a3588fecc35366c2104ab55cdd4decaeedd6e3716108973beaa2eb7e474a4ce5db470ed9ba717aee2d1d198afc4516d926343730f125e6c

memory/4976-249-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-247-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-245-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-243-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-241-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-237-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-236-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-293-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-285-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-281-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-251-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/4976-239-0x0000000000570000-0x00000000005AC000-memory.dmp

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 8ce4eb635bfa51442f07ba9bc5ebbd11
SHA1 e18ced501cc96c0274705b91430c7942658bf13f
SHA256 f93a5d3b2a9841dd2cf8d9caf1836afa68ab7a6aaef441b4f3794da0327a083a
SHA512 2fb76d369da854d91aec8d7290c9bb6eb0c35df8ac49a2a5ed9f4369a029b3d35f1e23f0da2435dbcfa8d1b3b02cf244c8a4f08d561391fa298adac9188d0fda

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

MD5 ac1a3aa57d2c4d2a0f18f33b0e042951
SHA1 34e323047fc98e4e99ffe6b5f7cc5d235b25756c
SHA256 2276e2711ded2c55124c6ab4dda28683b434fed3031614e9523ff207be0537ed
SHA512 43c531f64d5c87d565738a3cf7117e8cbb664ba444f53d425d3020c76c579d34b5f0986504c7cf30cec0cac98e959a3e2cff12dc59130613c2b2e3cb78526686

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

MD5 b01b7a18f0e6cd300f936960cb53cfb4
SHA1 fab9ebfac62da8e8c171224ab71381d0556f0d5a
SHA256 555f8baa5198c3668e355dc6a1a66ee76a725f71dad91ca2947d77644bf05d64
SHA512 d1a74620609a9e5850de9ec973b183b6c41c7844fef19764c4a60cddbe0590d73032967616b40f523cfe2262778504044f50e1a832ddc9f70bf68563aaa3072a

C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

MD5 87aa240bea5939c1293bfe320bce3551
SHA1 580e7188e3ff27c547f9ccd85bcf1d4f9c39aa3a
SHA256 3b289c6dc3d8e25993f9d472d18682959a5129f6617ad4e6a518c9eb49420974
SHA512 3a05ba386ceecb8930a5cd442034073ff980dd3776dd92957ff806d83bcbc3875d6b2ec20a098cbc072888c890f45c7a705c1141fe39762637c1fa5fe805423d

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

MD5 914d6db719e8a76c2387f10b81b2758a
SHA1 d569b2d5b88d7a6e58caae4253eeecd762b1de06
SHA256 3a6267cab60a27adbb17126349eea7df21746014465b4f3cb9b6d535c1ac9814
SHA512 cdf112d4a7a981feb50b50779c0284ca7c45ee08aeedba2a0f0b8c4f129808dae4a3bb85abd0a9c6e904aca895029257badfa16c5b91ce57dbef487e37fc52ea

C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

MD5 72c8a48215da2fb8f02b87d745ebf03f
SHA1 5dc7bae96c63964a0b8c60ed0eadf25091b2153b
SHA256 fc54d12fcf62ff011e5b5e4c8af451909f84ad6780a8efc208596032fae606bf
SHA512 7fc12862fdaef48deb991ce679dbfa38f47d07e3cf43619c0d43f83916bb5804f8cbac7efd0a8a2f9f0edba2924d6d295328b0ef27591496ad44445e8fc63453

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 f0cd38b20aa90e0d5963cd602a76b745
SHA1 fbd2a9bc90982b0ae99231a0c6844945b6f50144
SHA256 f13cd10291bec64e0883a4546af1eec73109be31ce86f6d22e8d5908ccf5592c
SHA512 13ad8d736a43490c0f3e35d8550e5d25108f61b619da5042074506afbb0a7edf305ba505166ee08c7d21de5dd3387a0ff574bde99231e892dd167fe2073c1dfe

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

MD5 6f3874364e3e76083908ba5bf8bc892b
SHA1 dca8ffe879b2f32007e9de9596a8bcfbdb12e572
SHA256 0ef060ca304619f3e207f32ca2d6c6f1e87ef0033060378654c0fec4a7d0f164
SHA512 206fba42917b11d77337fae92aa73ea992968c5b9ed415a7971a82b1324115d89b3850f1a6c40efdc88e36a60b9f5cfabf760374194bca41277f06510391b2fd

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 7b890090f67bd04a02a9e58935a19a09
SHA1 ae8a97416a082d7afe5bfb8bb2ac7ca70b1d82fb
SHA256 30af35197e548659410b0d54ada06a208d278baf4a9290eccf1591fc72df9ce6
SHA512 32dae9fd890dda15a05800572bdff71e6b890113b64e2890075c6d91aec024dc7ed2a05b6604c8ab4e4d1c64f40e1c50a49926a1cb5695d8d82300b30a8d994e

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

MD5 9619e4074abd50d647784777d3e97aeb
SHA1 88deed1015840e9db98ab7fb5d71b5edac08772e
SHA256 fccc839440f60633a55ad5e1f1c9df075b3073fd7fc231caf004ddd80450cfb7
SHA512 ff7a8aac2d1295ebf7bfd6e51e5446dc16f10eb0ea72694e8b1c510f1c6bbb5855921b1ac49eb2079058358fcf4162363056bebe303778f13c63d3047dfc8362

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

MD5 b5c83da35eb713576d94a1391e6f5a87
SHA1 95b2487b8907fdc64634ba3bdd911c6e55986fe4
SHA256 d2d8cb2ae71154d6fa1b1f508d0193c80df231a96b728e46f980cbc1add28dfe
SHA512 b0f615fb3051d421e5061358de3e38f04a8533b84519bc809c48cfb73d62ca254786a57c4d327e9caaa84f3d7bd8816f69fa98e8fe4964492d651d40c62d8b4d

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 f7ef9b44ec588d06aeeade8aa2fa4876
SHA1 ac60c20f4e072b77974617060a451dfefcc82b6f
SHA256 a0aee26f00898ea108c99a3249dda9840515f24425dbb13a60de969e0e5345b2
SHA512 f877b0fd176b5bc598a9f450b8d50162bd703cd2a287cc00086ad83e3ec89ba1f75d347ee92e05fd953a87efecf86c64b91a2d22ec7829255a97994289835ed4

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 ad63721be6d3403046238228cde310cc
SHA1 ee0e1b8ee6c9525cf21ea12a43ea5d6e60c10973
SHA256 bea9e0e00d1ff5eadd5ae3e6c1a7caffeda5255d39a637583c8f2e5a5b1f77b5
SHA512 4f1c22c22ad4731f1e35c62447fc25b35c04f5ab8f036ee2e97c42e79ad8bc80649babd3312d7f57cb1dd3e0562bf76559126d069980d35341f3c95792fd160b

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

MD5 3cf0d867c54db2f44875236885faad2a
SHA1 d810c929efad6b9871ed3eeb616f03aa25959da9
SHA256 7dc27bda443727b77a17708be870d1f40c86f4b5182cb25f7f89eda115c54e2e
SHA512 4324cc1e1d53519456b4e90c7e1179e8b3f526f489aaaee804c2e4a8d1ed9eda57c402eec97801234f09159b4db34e3cbdd376529297bfade72e50ecb2690ea8

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 c37f9b9f284de4055bd9ee302673d317
SHA1 51806b8afd67a6e6275c18a1486d3c9e924f3bf5
SHA256 5d8dcab3b8a69a51215999cb9a63eda0d50bc7601d30da4fb40a1d43de5c6665
SHA512 6f632a80569af40f56982f865ad159427560c8bbc954e8ab716da1bc230844569fdb52f6e23a0783cbc2b18fb2206c4bcb33c64fe339ed869ac97883af04d19d

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

MD5 23ad19d465a688120231e042fb3a810e
SHA1 711088a70ce8d9eb55d6c786064fdf4d9216c2c1
SHA256 1bd041461329a6850633efbee4b9858bee39acb5c354995664fb0022858c9860
SHA512 585ce1e5133f0ccf240287300040a9ad66fa6e5cdad85947e859fd11adfde50ae8f0db013fe01db2c55e3fad847858c12034ff93c20b4a187f05f7cc37d9a37c

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 74ce92d30e43861163befc80e61aff73
SHA1 8d297ed7247567eb05d32685b437f85115d118cb
SHA256 1c86c5bb5ea6d603f572015337a814c3dd98a0f8fb08068d215da97bfb4f834d
SHA512 88f160e41f8249d50e292fc4433c30164738840675eade27244ecf12daffc7d10e070828abe05418a304925aa86d2f28cffafea64f7ef2995e88d6a2379d0ff9

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 235cc6536787eadafdcf899dada3dd65
SHA1 50f7b5f413595f067493de4eedf2fc0504ab8b8c
SHA256 3e9d24f108976352ef4db164f8bb2cfb3525eeed4ebbae1c924ac048ae68d94a
SHA512 14a8dc0a6d7523d35cfd0a3ea188886ef500f3fe875786a1ea8d2432654d716180250946c81eb896403457b1f91dde39d5ec9f271a6898b0284843b61a8c80a9

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 ff532133514f3f5d690826315318a6f1
SHA1 d8b2b252777d00e6372262effde8aa97bd36ee4d
SHA256 b694542853f423e01694a971c3a259370598cabce9700c4c1b5a5ce15e4e204d
SHA512 d9c14fb7501ef68ce481454f815a2d00ce83c19418ff50ccb0c0c0caa936876d016d1523d024e5d2b935d6037a6e51a8d20742aa0c94452dc1c79a0321146666

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 d47ccd77323df46e2cbb13410da7d250
SHA1 abb431965bd65c556b6971d4dcc94d3d976ef37a
SHA256 0bcc4ee9df6eb760d43920b8ca499782ad1a7b59835331c9a0a0b937e2631e76
SHA512 799f0daf05cff62c633e83e53022ebad26619d987c119ed702d6fd451ca1b40fef724b1d39c82b16425f83276fc2a4e7a7fcca515912ecda3f5d42ecf9b0391e

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 d708f8cb7e71f6a577ecee40e89a38c0
SHA1 8323b1ad01dc9ec4c993dd07003140015b2bddfe
SHA256 ef4e696ae71db13b94dc826ece5d19735df5f1be10f850540e2261e22951e691
SHA512 bc32a4ec8e0e07cda9a3f8bad4e167b80e0d0fb9a31718e2f7a2d6f7965edfd5c3f6457dd047b888d702a0db7cdb9a83f108b9916c9df56b83c0929086b4f73a

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

MD5 4d51c17cba5f820a39a31e29cbd9bc33
SHA1 1feae540f21fd524ccbe83010b34119a13ecb495
SHA256 98151e6474a19809e76df3db5f3890a7cd82c321b20ad50d07fc59d28580f1d0
SHA512 939087d58e5ae5f18a7b4efa3a703f9fb93a60bb613496fd60a73e9137fc875ca7beda153c4d429b7ca972d40f74c191213b6b7534f6ce5fffc3f15b2a124a0a

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 23c908c8c35b9bd58399fc6405826360
SHA1 9ccda3779496c106dd9853f813b8131af08454d8
SHA256 628bed7e8bc1ae530ded12d5071196a32ef01cf619dce64d7d1d9b51f7250456
SHA512 cff1af7258168acfd9ab75e93feb0784a9d80eb52cb198e312d8a90cafca36d97e657dba92bab17f01746ef4bccd55d005ad1d9afc94f8580b5bbfd3f5650d5b

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

MD5 699ccb24640674674a9e275e2a8cf42e
SHA1 639a00059d421aa6729c2bb88cff406d4551b6a4
SHA256 0c2f26a032a1a372aa1838c8ca294217e78f375c2fb5abc1b432cc6050d989cd
SHA512 9443131b6ff9e82b3d950f66716a7966dd22d23670b29c4053f2798650756cb3f9046bd91a4c20a233a6602bf407b8f5e5475384ce7158834d3ec5828d645dd3

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 3ecf220c998b00d7155571ac76adaf7e
SHA1 40120faa9000f9b2db3ed974d222788bd46f76c1
SHA256 53abe1ce7ae8332eee032dc2461dbf5619010f59dcfe1da24e880747acfbc292
SHA512 6649f0a95eac7356d5b816d175ef79c2e78eecc50c4c3c9dae0ae5731868ead3aa02e17a6031377b25bbca8e98ae2d5cc2e717fba5fe3557effd931b17e902aa

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 e61d9e048aa3273d9190314b2e4299c3
SHA1 242ed6770616a6f80241dc81ca4a1df12a52c46c
SHA256 e56bf14a11b8ba2a1d86d59660bbe724b35a1142c623d3f9b957d8f40c376ab8
SHA512 f1e3fade052b0eb0e5c30949f8868113014e1af51a731f4d18df6f0e6096ba3dcc08d1a6a06126df73e05c62abd5c1e11d0fe7e98ba8cc8cbe5cb718e8e4562b

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 0eeeb96f7194cfdacbece47db63a3a6d
SHA1 e5b1ed351bb5a51075f05279e077617ceb3a205d
SHA256 25217c768750ab30f7c0a4f3796e78775ed9a9b55b4f97fed06f39cbc99199e8
SHA512 8344e7952fb80603559c2738737d19d96ce0dc1ed34302238257a15ecb9c259794098efb57986d2e3696dd81eac3d5de589b978e449fdbe988f4bbbb38f646c5

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

MD5 e9fc345dd779e4120ba11114278baede
SHA1 895747b146a4dd81ca661c5d0fdc4541a50cbbaf
SHA256 b833dd75374f753308cfa837ed501206008a023e514b7cde0c9775a6fbf009ca
SHA512 d0c2a9dd68cdc0ddd62d94577225781aba9825fc8b519f92bc06b3e779a99e87568ad6e4cf3e19ccc31c65bb9b58b182d855e93822a2834cf1801b5b25f66289

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

MD5 c308fa4645757cc716120a47ff6c0ed5
SHA1 3b3997a4a5d5681661d8bb94e649c5716863589c
SHA256 2532037c61753fe8d30f01fa0ad0ebfd7bde0a9c3988d82e8b24bf2d63f9ba98
SHA512 3aecd4545560b8c373050086924aea56ef12f641f4b9bb4d9aabfaf4cb9adc6318522b5e7e6feb0a4eae742f7960ac21c8cca1e4a8690dfc4a2a78bef4669006

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

MD5 65866fd549f9a0b48985defba785d7c3
SHA1 b42c95caf492d48ca8251cb135e189056b4956ae
SHA256 e9850c9962377139d461840b58c19a23950c6d3f9045fcfca9b3b971d04bd80c
SHA512 005f3f4f918193d085be184b302b1f803319512d0ada5c65f717a3bc96a8a95a192101893d7a52c2163671a0be9aa4bb678b95b9ea0fd1f7ba15366bdcf4914b

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 af0b4dcd5b69277b3b2149d22f153e27
SHA1 d0e31925cfd7f4443f1b48037f67e6f09df06435
SHA256 bc334e0b71894abd4a86f669ff25a614e161d74823a733f9da6eacc470b91103
SHA512 eb2d3c243f6320743450c13e6e29749ca65905e3e32bc745d10cb5ef820118a773ff0a5906748b68d292f9d2abd177b5fa88485b223741f047298d3a38976305

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

MD5 b1d54b5bb1f09d021b5764a8b1a3548c
SHA1 7c02aab92098ee63c69315eee6df22fbebe948b6
SHA256 e754ed4e95ded565a44fb641e1326b574e9258277558accb852948ca82b56ac0
SHA512 a2dee1ffcc4c20413d44f7286b934351fe06b80f045aa6114a0173c1644937f436ff69c31e31c0ee6dcd7d587f8890c7fbd98ba2f913af30443ce78494542c8f

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

MD5 0529e4bbd7e489c69bbb0249696db914
SHA1 3c542065141a53d6aba3d3efad45c1a1cfdaf2e5
SHA256 dfff90ef9db5a06a8b8aa546f6e2fe5b1592c866f6c158437cc0d538108b654e
SHA512 5ea50f994782060a671140d015045d8d90c7c2ac8339888587fe22ca83cfa3b5cedfdb48543eec3520025eadd7d09fb412336e57d78dfa522e60a5b3faa4b83a

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 06f9270d4d5103827fda4a4f1a465586
SHA1 c0c689f3ab0ce5126fda998cc9cde1bd0c0a5214
SHA256 34ad7d9b5748405fab86ef40af5e86381f189e084cb6164b0c4a44a4cc07fd41
SHA512 e1efcdb739f4c8f50c122c061539a16481e0d92edce47049caf2e08f94e76c9657672b21fdc2110c50b9bf96e1c59c72995ed177e2c83cb4009ec8419f227612

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

MD5 efcb2c5a3abddd577462b360ef3b6e41
SHA1 315bf862544f12fdf64a7d815cc8ae1c55051554
SHA256 d607f9a6b8ed10cbe4fbec172d80e91d895b0530d48ec49a6c559ef310138f3d
SHA512 2312ff70adafbd668afaae771038e19fefea65be6d818eaa015d360efec97625da1b786f45a9a637dde342bdc01aa1f5efd6be1ad633f7b0fa71dab639a40eff

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 89294e74a00cb29b7b568b8f1a87f5db
SHA1 04be93e35cae1a566ff1d4a23c54848307ddc68a
SHA256 b5d82d5bfa1107ee67cbaba66d4298915d0b03e731dcfcb1b97e47bb7d1df180
SHA512 88484da3d775ba3446cebfd4d91e7ddea381b9f2b9c28a55ea4f1ba52f6fd77cefe15ea663da02fd13a8c0e4a91fd35b49bc6003de7395b59b44f1e268020a9b

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 d0e53a14a445a58c7c873bd5c2e8fdb3
SHA1 256c19ed35c3550607180e1e920a566e87459cfa
SHA256 d275e12970c93352da7ab572170f15e49e0b5adc87ae00df5ecaa3dc22cb0092
SHA512 d7e9704b058b291bc5b55bdc2b73e2b6eedf7d071fde0aa4410d928b958fb8e05c42efa9ea05aa0e436b6a11f39ca3cbbb05f69d6807623d7cf8ea4feff6b5c8

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

MD5 cf84def930e2d95097d3fdc820b3c875
SHA1 6041ed4d2fbd62fe44fede71ac2e7b73eaaad408
SHA256 2be8e085e7ae82154c920b3d608da15d383c31fc7f0fc002ad9afd9837034c5b
SHA512 4a3f12cdc7c3c0d4e5a41dafd0910058541fbca5892a085b4d68169e0b9d31137cb3e3b64446233d1858df57e3fa25b4f90b6ef4751532e3cfe0cdefffb76a88

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

MD5 90c08a272fed4135b9df2830154156ba
SHA1 4c960b529336f7cb8c9bec4264635f8bfcb50920
SHA256 1f1ec720f492c0f3715aa726970783ada532e52cf149034e925e7ea38b1b04c7
SHA512 542eaf6769ebb7ebdc2d66de299e45011ea2ff875538eb0c2ad65d0b04ef2c3f757ca76429e46f91cc1f3b3da51de434fc892232fd732034befe448b76f00063

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

MD5 a2ed9278b97e59a4c254e527046210d9
SHA1 72a43b970eb10e3a7f1bc503079832b93003a071
SHA256 ae5655e012ac1833f81cb8e9af71943f67b2ed6f60b5b7de3a61aaad53b02859
SHA512 fe06a2633ea23146766a09ccda3f427a93c1d36c15312500172ca726a02db940d5807a85eac2469d715126f73a1fa53df58164b684d789e5afe871ca90919f4c

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 eef6f664bada7096843208e0c492eb52
SHA1 bdbe1b2c6e61559f7bb118ef3501733b6b020923
SHA256 479e5bf0ef457e9d2683dd6357fb419d5a326ce39a2aaa05ad01ddfea5f118cf
SHA512 8c1df9b6c66749a821f134b6acc31c276df6d8d9881bdede6cc5ac9d9a699bd8f96ec70dafc1d9620e04c709ca7f04ad92d1e44559cc9c2750cd0b50c93bf373

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 d950d8716bd20c86c119bf176e110ea7
SHA1 1b067f6e40958361225bffa96502fa94fc6daa1c
SHA256 0ff4ff36e7bafa2f2edcce9dd5540f4129d7664704871e1af889ea8cf3938b05
SHA512 2a23953e13359a5268ab6a79c6720f590218931bb29532768a02213e718c6ab4c52d5a7771ce74ba0e083b71664ad159f5e2aa8fcdbdb718e27b50955a575f59

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

MD5 4a76709d3e1305db81c37acf3159ab33
SHA1 7af99a3814679a50e35a193e04fe597e114c3611
SHA256 d0345ce819200e66986431cbf772c97d91f1381057b1abf1fe436a877a0205e9
SHA512 9c17fd3d48f8b601740553b930bb118bb984c1655270b5c0fd0bafa847fba5aeb5a4eb38bd4c42bb4b11b16bf20cf05530087891f4d129457ffd0a65318c54a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f426165d1e5f7df1b7a3758c306cd4ae
SHA1 59ef728fbbb5c4197600f61daec48556fec651c1
SHA256 b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 7cb64b5e0a8da09ba33d01dc9e2468f9
SHA1 0abd38866c399d7d36fc9bc84616e5ed54edcf0b
SHA256 68614df547f96d930b2bfa449e9a8ea7e29abf09985929ecb0da3a7ba619ecab
SHA512 c5551fecd8e36e62a68383f7d9b5aa98080ab31b4461b72a84f9f8663ee4696c442085d2256558d0993792de0cae53f3c0382efea0441ffc065a3d2df854e404

memory/4976-856-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6960857d16aadfa79d36df8ebbf0e423
SHA1 e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256 f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

memory/4976-1180-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 af4ecf91bd1104a72fb5d8ab7822dc81
SHA1 e6aaaffd377737906c9b4d5ad5b0f4ecb899721b
SHA256 4e3af3d09fc8a9d173b9b40ead34fc8dbe87d04dda034fb5c74407122ffc6269
SHA512 c365d9af9d9fcb5297e1e6cc826f560f9761ae36f6332042cb97e0a86bf1ff8f2c0f3493beb39ae6656bb24bd065450134b359fa300f0a163644baccc01a491f

\??\pipe\LOCAL\crashpad_4472_PNZTDUNVFEHSIXJE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 1d519bf88e5cf1830d3b90edfcea7f34
SHA1 e602b309bc737fccfc580a22583148849ac70a2d
SHA256 a40c1007f86d8e69340d256189a2c0f727ce08f71bc1a73cbbcdbc527feb2230
SHA512 e65bb96a50331e6bf0f08511138a9bfaa89c117519e2b35155a5a93031e5381fe3e410ca0ff81898eb5dd7cb490b15594c3e3938cc7c9aed3ac4c123ecb77317

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 61c14d075017074e8a3b7a622b10bda2
SHA1 5442df128a8e8c417ad2bd5f5d110f3f87ef0052
SHA256 fa4afaac3a71b3889d6c50bc6908295b650111b3fd4dd82ca107288bf7c44c67
SHA512 c578035a50252cf54b897ea00b6b5d5b0782334cf07d14ebf6ac291a1c27c3a46e3b9612d2392a14606c564ee9c403b9e0a83b5108254faec3acc9e33aa64eb7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 5626465c11c2ae34c5d5249c2534c23e
SHA1 cf4aba80bbb8dfbffd9c3ebaa38aa6f949cfb996
SHA256 d648f9f80c0bddc08a7d60480baa42e48d11190e84a8afeeedba2bc8baacdbf4
SHA512 0c4934c299f0345751d5756c22b7ffc79d27e837d7c78ea092d0eef0d5b2c0f68526b0c269bf190347e4d9735e5dd837fc64c29506c1a908d9fabc6a37323206

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 5c59a3dbc9f6cf9e886dfc2900684c24
SHA1 68805bc1b9d8c6997fd4b61f6dffb55fb1a91bcc
SHA256 edace7ed21f32d1c436954e72330282e100e228be5c435886ddf12309b88f08a
SHA512 e47c271c4f642fdaee004486c1409902687578254bc3cd4ce00b8e5245d6090c9470acf39cd543f1d9a91493bf39485538c93cd6f3105b824dbc93bbac0fc189

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 b96f035fcd3bd17dafd808d6227c3608
SHA1 48eac48461f68e95ae785116fc85b3a039a4c5be
SHA256 8871eb853be46a2e3f02d493c43ddbabae50a9ee9755ed365a07d93bd885cea9
SHA512 be09828fbe12fdb3a9d9ef709064ba259d6693bf98e3339db629c5739af9ad4bc6abfa204c0cd32185e779856ba54fafe4d443e1a50fbe727b5f3e7cf02f6b49

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 12023acd07c78a1f81d63fbfa8e9dfff
SHA1 2ab4c3297d2c0d6e89b0df75484ee6d9f6529b5a
SHA256 a5fc1c269640754a33fe841f9fd5f71e75fb264666c17a2f61406f485bfa2804
SHA512 7ace5c6659631fcb8999ae8ffa9769ec0d3b07bb16c0b5ef0ea7ee2b87779f533493f9517b3c9f570483fef4ed701d2d847b7c3b88bd18a27c4343aa85654fd7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 e36f2027e814a6c2c44dac57f3efd4e1
SHA1 d513f3ca00facdc857f990aaa7c56bf8931b2c26
SHA256 14e38cfd657b9ea67efc71ef2b2500da623a977ad73e533e9eaf0628f5ecc202
SHA512 3925167634458b444ef2069cb648f86c5f1f15dde6e658d83ea9b16cbb5fb3500705bdd6f275047b67e86f2294eddfa98724a86da4cfecc289e2b726dc01ef5c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 be86b259cdb4e1bff8dc6bb7fe3c2177
SHA1 5085d68751928cc7e1c47c42799fafd49dae30a4
SHA256 68f3a25f8181bc914d6ee18993e6a3097e62d71895fba1e529c4629fdf7acdb1
SHA512 c1e21f7b4b45639fc6303ca2e982d4af9b69508e22d878e6dbe628f50be82d25f4fd0903fb032dbe4b5e14cc7e56dace20530be2bf35081a17345601a85858d8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 1b0e97786ceb99175845e62618d3ca92
SHA1 7d359ff85f01266209f10121bf2da019329330eb
SHA256 3df74537ef2a5e9118910bc3e419fcbd61e18aa0204f08c32dd511fde8eec0b5
SHA512 db234c1024f42edea545e16f079b491ac212cacfd455d55afa699acfa6f64c491b91aba2bd0914a4768446b97fc96c7a1ed850a2e4f058e74106912eb8296241

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 50703b0dcac7dc6bdb7385b1ddd59c2c
SHA1 5e28c6c07b1f98b1a16bbc1d22f418f20d0e14bd
SHA256 9b0200a2b8a5a299b4a07ae81a7b797eb5499c980fc578e57309f826a28ef0f0
SHA512 4b3290e85b00b42db6347ca456b37254e5610f33818caeecde424f64406d5a36781488966d0909d231e54c87f2fc7caf69ac9848ae4c464d867c3b53c34b1a01

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 38c00d173f13e79cc872215059eddf99
SHA1 3f6b9165ab0efdecc45d0f131746993fcbbb14b5
SHA256 72203297c463dac9687833034559b06b211c20fbb9d89f6e4d3fafb7df59b756
SHA512 15377d65f47b61f26df14e78d0dfd2e2f2372b3f404395cce7a22da6c97b0a1087d1360be3fc7a60ba0a3e9e75521332e9d6333a453f68713af52f69518e5521

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 949cf3fbd8ed2de3e770b25635147175
SHA1 345430a33608f8b967ae73fdb13e42d37f5346d3
SHA256 4fd91663a7f01977f5d6527e48e88df8baa0a862639b16bd18a3ef770a6344c6
SHA512 255577a1e3273d1d90a879514813c3b3162b9972e5b19c302d7c8e7297319b008910f49a7d56b78f62b6c232bd8ad30539d15fe2fb5a27f690860fddd0d2c333

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 eede219ed4676f3ff901c047d67eec6d
SHA1 69789bd7935bd5e9c69edb93105bc5dd9db073f8
SHA256 f5e422c0170b6032592ed1b96a0754f9718f18cdb52f0d09feada0de2502e3d9
SHA512 04bd8b6049015c2d75c7bafbb935aa86ff7266624bb006acfbf62e8acc6f76c820a5e844bd108cd1f2cb176a6ed2dc14f23b144ae8bc7344e324f1d0ba3a8f94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 ef98aafa020c6796c236bfbd9d914dd1
SHA1 506ce5d6a671970bb51451970e52517fbadf3797
SHA256 8a163812f93f6be9c662d5d8e80f5f3dcea879578c7a5e80a574feec9813fdde
SHA512 6547bb413ab1e7c091051b7a3446bc81e3c5427b3770b4b9c073a343fed88df1b56ffbe08cf0591e1fdb02ecb208ac63b309a65879f61f57b1bf87c68f1db60f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

MD5 386e3d159d7ca1461427aa614168b1c9
SHA1 eda7a3ba7da109195d25f3e4e5298833be7dfe36
SHA256 9a065b0f62845c91818c830098d5cdf00623f199a1bbed3f4fca7e3fb6f27bd4
SHA512 40951859d56324b76d5b0f8d67b700e567f98f153da6a43273f6a068064963c4d9245b0bad1a3ce15372391f3e4eb8f61ee65af74074084f9d7e1d2cfca95804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png.EnCiPhErEd

MD5 9419983e91b6739e33a1bea5df727f3e
SHA1 c8bd10aaeab272dbe74ef629acd81161fd1fdb2e
SHA256 095cbf3edb5b56b0c69d50e0278a22187a6a2d1613bf12eeaad45efcfb758e64
SHA512 7635701e6f5b9ea3c94f98b3b6edef9ac810d357df5885f44ef87241c6102731bf526ab65bfea18047b6348ad8b76a53a332ff83c8d6d9073aa6d90cd6593c1f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

MD5 3a3d71a3cbb45809b6a40e58fd844226
SHA1 ee113bedb2ebe96313f0af3af9998a4d579c3dbc
SHA256 e166465a05c304257fb607a1ff021b7fed2b42a2955b79324ff72ab4f17cc948
SHA512 966aef6c2fa1979f5cd348a539eb707f90fa1b55197e05207c5eb3c6a31c77542f37d492f55604f1370962cd12644e3b0d20ec32daa1c251328fcaa5e4f0289d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

MD5 5af4aa8051e1c91b06c4c697578f1f8e
SHA1 a607015c2c3caafb2baec30a01add02d3da0e73f
SHA256 e0a0057c925d8fcb822136db8650121f82441d0d725942d3fb079112ac69bc73
SHA512 208112464a98c184c93ad247fd131b925cb2557c86987e219f5c664a9219362dfc65a3f73610babfdc570f13a6dc09288aeebf5ab6471970e95f74d072e86ca7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 1540990ad4ab365a9ce864ec50a27529
SHA1 2e0d66bc8ccb383e55cf95ea76a8b0cdf1b09a30
SHA256 8591254ced0c1e29e55593e7d5a9f9cafe9f253333f079b4bce0214c61310503
SHA512 31cb1326986eb3f1cc96b4ae7ebf561d12c0d7834aa13bd6fe12cda09e52f392df5b645bca231bf4af0d5a6b6afa19404b004be9db370b51ffb834fe4ee71550

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

MD5 280ccc7c2399abda7dccce5d8b744e90
SHA1 3560adcafee18e7830aaf90e71a4030309e07c79
SHA256 5246e95783e5dcb915d4c38925f87d6852593f8276ff07faed33c7827be4a5d2
SHA512 1a62dc0d2dfb9f05096844051c8a081bebe656c4afc20845a78fa6046e9caf001388ee32aa575189b729f1a1de3dab72fe5c17df2dc5f5b5661fa4ee47b36b3e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

MD5 74079a74e1862bb80b1b96716f195a14
SHA1 86af278d1860f134c00ca5f0541beab50fc827df
SHA256 6c18b7c6a0597b9381f8385a7c5254ca616b326792115cf5cc463863a52355c6
SHA512 c395d806f45317c8e0d4b89d9e4e628b2e0f40f4e1fc60a54ee5852c946702d8744a2699eb007be439459d53e11c967ab99d98153c2065b651ef3d98ba43b44c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

MD5 135907e8f8951957503b8dabca4a6bde
SHA1 5179db5ce270452b7508b3e46ce8130a4ae846f6
SHA256 c4c924f087a3758ba094a554d11859d9ceb4514f06ad4061c506c8b6f01e445c
SHA512 020c8ce0ca896a52674a1eb868d6d9aaef1053f1591a3c1846cd5de2bb8fe14a144cf9747b8ede710d7a7bcd845bc441864ee7c306b34a1455ba21390e88affa

memory/4976-2516-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4976-2515-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

MD5 864daf7ee48c384b017b8051ba275963
SHA1 d8bf20470cebacb4d33848c608ae41f22286ace0
SHA256 38594053fb11f839b9f51086fa3a2b9eb63beed365cdeb0a662335af8d3aa0e2
SHA512 13a5a0ba25ffff1d9bb644d929bf5b3522532299cfbcf0846afda311fe38fbee85702317d9244380c1e5be26cba769cce34912a96f35da043ac88bbfcaa71a80

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 f1a8a9967928582885df1e0fa5f84e41
SHA1 5a110aef4d13eb27bc4bcbacd7c5c21059c93237
SHA256 f809a1962051b73cd2858fed9036984764bd7622894d76abba9fb62f8ac8b77a
SHA512 268151d78796f0910044cb26065b354f86c2ff45802b5b35db2891bb7220d459f69b12f6563f4ea68d87fcbc2a831b60b76a888da87b3456ad6c043cdcf2909a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 b30c4f85bebc101981a7b8b12d55f0d1
SHA1 61a6f2bf2b6bc4b24c1496e993da46a0501c0408
SHA256 2829c472e856669d75ae7641211735b73b1ab9eea112b8d1c2406751bb80ee72
SHA512 ecc35fd7d5df0b00147c9f085734590ad72d3df0f73ea60d880dd62bcb3fa9f8fd596ccb429bc7ca56a50cc3da4a4d6a2511b37634a45096c09272f49c5aa9a3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 3ca2508b2fbcfd9a84454620d8de75de
SHA1 bcd85c424795a8396fa9094d67b7fd8b6a2af53d
SHA256 9f8b6ce225b994ed30f4ecdaae6586acf2f539b53b1522bb9079f5bcb6e85e7c
SHA512 e94492d3a32405a2239e7397d68aed5bd47e109eba8fce27e6a2ff6ef7554e8a49d0d078dc39c693a345d62d020ff4f47e05c636151b59509e9a3d45044a4d2d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 537b95190fabf160bc5960aef75bdaec
SHA1 9d4923cfca871221a700e9528431bc1ffed90f3e
SHA256 22dec97ff4b070444b5c343870fc9fdda6d14cb6f33ca26d2847d0fea6a14737
SHA512 1cfb3be7815a6190cfed9b9f1bedd7360832fbe524d2a2b884e6f6e220c18fa4baec0dc8d309f9ce9c7fb57a0416e58c897bbd6e16a24511e9b9ea4e66145e34

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 3a0abf1cefcbacd925dbe91e5e8940c3
SHA1 383d41ffbc5d917c9f5d97637663f90fcc4b8eab
SHA256 f8344198118aee446249b19712e63d7c8b08951801754c0df07c7ccb6ef2fece
SHA512 62953c4e13f85e887175d3625442242b0de19e655b741605db4427dc92d342eb16b11c06fa9a0ebee1faf8dd3590d5d2e513b5181346557f4e58a10e3b65ca01

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

MD5 8c442d0be5147b9b9413ee7f60227378
SHA1 2bf19b4e8dfe83e8df683544aae32799818d753e
SHA256 f7f6f03d0397c01ea21858cc433afcf7e814c7b74fbf575c74536c68a9241586
SHA512 7aecf644437b9b6f12955afb9764a72541749f2f6eb330e3fe612af91ec9ef124f01640245ff45c6b9bf8bb1de3bee19aa0feeb8005a87be7addc5ee7f3519e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 4363755aa59f84d2f4040165ecba0006
SHA1 c6ba552b38b49b8059044db3d411681bbbfbf807
SHA256 6eb19b4ce139e9a30c033d8f1bb2d4eb02aa9de4accdf30530f305c02aded9df
SHA512 dfd2fd3ef9ea087380d092ca5985d441c0d396641200428ab324790dc624cccbdc719502115889ce127923f564d50ebfe6fa609a8c6c639f0ac14a78ff585ce3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 f3f63b115984ccee22c59d488d536a9b
SHA1 e040431fdfa9438732c214103dc83b2476172e81
SHA256 e7ef09e3a2f7917f6d5c6eb0e725d89857ef91fc82a20d215a0a8a1b9e57d742
SHA512 d78c7599dba7761ecdec7f8b704599a072e2fc768ada2455c410bda55ee72d8960525d336971556d7c5663e5a228abecff6e59624e8b9c2e0e737b80a83aa38c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 29863a355ae71bb521fce7862aa4b977
SHA1 18dbb655396a316f80e667257efd9aa71b9ee061
SHA256 aab1bb93161d97de9c0cfa02444b6ed0beb66ba9aad2c1551c716501ab9b8115
SHA512 fa2cd41b513c5f3153e5bbf635d864dddc8064399ad8fb9927ec6339fa410bb131a290d433be97fb0aa82b46f692f3ead0da9cf3993b679adee0cb1922be2e57

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

MD5 d004591440483faee0feb03be72987f5
SHA1 d7dd32c000847f416d6053693002d4224fb7a2d7
SHA256 50e26ac4c7d75321038319b0adc6d3fdd04536e73eab27c276f63766e8d6973e
SHA512 2586a8a5c2405244d37d7154e2dd73e43261a4fa0cb19dfc6e7a04fca9327cd10030188cf60d365bf0d2499233279415f8fae58c4e46f0b2603b5b53aace151b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

MD5 17d36e479d6e7db3897b8649ea89a562
SHA1 ed6aad32e3fabc2aa23b41e30f07dae89403bfab
SHA256 4db61108f7658dc0eac4f39ed5bbe06319f4f9414c44d74517e6ce7aa5fb2304
SHA512 f411ac591524a52d5646c7d9388d1289fffa29855e892f7f52906fc8d36f0a3a3dfb672bf3fd25d4be00b3407699f6dc9bccd947a3bfdeb5d5c87da672cb65d1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 69c093872a7f25d89d2a8f309da5dbe1
SHA1 27ad94fb2647cc52e6f44c63259d1a83fa321efc
SHA256 33efa24989df08d7e27000a81c1cfcf765be154844dcfa9f887de4c25739701c
SHA512 a3af7ab7b10197d4ab282afb5789208b29a0300d456d4d72590acb6e942c8a4f20da200e524d357a89968f45bbfca8dd9c1cec713daddc8a528fc0b88e259f79

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 4135f082dfbd716d177e62ed0827013a
SHA1 69a6bfb5de3c04982d08c00c548b7462db2be37a
SHA256 4b2b37ebb8290f56eb023b66c4e268ec96e003c2b6346c26642adcb8d959b3ac
SHA512 dc34330ab3838b6f3c393743080e976fdbd3c1697608b9e17edf8da2e731c01dc2023f4cd49d14c5b4c928c10ebae2aa17972a0e49859bddf421e34b5c4c65e2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 60a1c38521a0dfe8397f5c480087e37c
SHA1 6d41c46f300cf303cdc2c2629dcb3c8859165dad
SHA256 de268b1aaac1d4e72c19b4ade7f740fbbd67a22ad844130602b4f8c367939775
SHA512 5ef98ced691aa455fd156a5e57a3511a2c17518b6494bab9c3a179fe1317b3f290134e9309beeb12d64c24fd930d27c97ebf112143b0ccf506853e3d6a7d6e99

memory/4976-2934-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 68c9b2541ae3b321d34ffc380d7e6af6
SHA1 f44f1566956ac9ef13fe4a09ddc5af736d46572d
SHA256 9b9e8e3e3aeda847815e977daec918ee8982f56ab80545e2829728574c4483c4
SHA512 49258dcfe676b6f35a19a32ca0eb2f1ed452ca052fc07b025131a1040073195b968e1f69d3c30b18dcc1f6156bbb28c380372a4b11d1752147b68ad59508c6e8

memory/4976-3386-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-3387-0x0000000077550000-0x0000000077640000-memory.dmp

memory/4976-3388-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662498327333.txt

MD5 e987db698265d924a5d4836a358ee168
SHA1 e9e14661da393225d6054c358c7e1d568f2176ed
SHA256 f39d8c35bb84a776648c8369b520db8f25c3d35c0fac880b665e4e844bc3bd68
SHA512 c8e61b252602f99eb779702d02e5e2928dde0f8072f40aaa56f7dc48786613b60adb7f9d69bb8130fb3a1c8b71ffae9f851bda5f88cf4ffe5ce5214963b9fee9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663013511623.txt

MD5 35cdd76ac67443c74dc0a24905efa8fb
SHA1 4228e0f93f16760660ce4647874370b19d9a5540
SHA256 40be6fc03c71cd9eaa52da6552692d6e9f96b245cf54c9a8731ab757298ccbee
SHA512 9cfca839bd187d6ed338b3b86490e4ece5ff4b3cc4feea32b3b8a4b75029f387a05df8d6454b3c97bf9c4a13010f8da1c92ec2ca1e8aeec73f23f58de59b7fcb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727668912544901.txt

MD5 418572c46d9a4a32a1675016538c1723
SHA1 0a1b038091b713d9a2b458a370fa1e77773f413d
SHA256 8b256dd35eaa4b647afdff78aadc2b3d7a6776a82cefc14a4ec37c00a21be2c7
SHA512 eb10813f20af259fc010fc80b4474b37b6efcb159e65561ce82c7b97bd54eee3ca21f635dc3bc73512659b9b0baef84918afc95d8425b81a5f9623de06263beb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671578469739.txt

MD5 2ebc7490e9b2ebac5e6f94f5c0bc9d8e
SHA1 b4457867e73d90b261fab7760e2fda0b56c2e545
SHA256 17b79f31c6f4eac47ef6c2cf4609ec4becaa1e74a2ffb084aa84ed23f41c66d0
SHA512 cda5722a0a6a09ca1a9b9d8e8b17e80d8e2a7fdc8f5e67f6dc8b126c26cbf0ce98835b6c657db1e1f9fd51da0313e5dcdcb1e26058edd0f340db1e9de7ad71eb

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

MD5 b3c45031f8e832ed3b6adfc3d0236f1f
SHA1 5513dcbb467854a77113f9f4b7ea036b9c73acd9
SHA256 13ac6bac80fc810c69128fe6226381d68088b4a7c6db15a492dc3543b15c0068
SHA512 22d8019c96cc273cd8817eccbfe4ee5ef5ac4ca6c47e7a5969c1656568832a2602fda1dd516d87cc20a11093d655c9ca73c0d71ee64c420194b3ec26f5653cf4

memory/4976-3935-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg

MD5 3223456ef16cfcb0a110c5b2dc087484
SHA1 bcd57bc34f16314f55b2709d2ddd36f693d8dca6
SHA256 a89a178908b46e50f03772da2544e28dd6e81c264f80aea2eb989dd0bfe31982
SHA512 b87f762706f50273153a4f6820130129fae3bec00aadcaf96b84f964446a871847d14427482141c4db71b2d8547c543325d1bb93b75e503af460b041df14cc86

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 712c270596192cc191a891f222c6de32
SHA1 d2622900405f2faa7993610a19369dcf921573a0
SHA256 703c224ea50f854b58784f75c928ec5d9496d56e57d15653a76bc7201e1f3b10
SHA512 5532cd1df504b39ce5724fee8bc1e510254c2610e020c95ef20158f706d1cd63551e83896261e531cd78fe308c2e1bab20373ce92198308031175fd0b8f81001

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 bf04dda9eafeca1ff7460356a0b0d2e3
SHA1 2cc1dd2f5095850930d0f52395d2e9ce103827fd
SHA256 3d4afbcc6e1fc187c51081cb0991b0e2d0599b5b5612eacd0b0426cb8315fd2b
SHA512 38b7d295537d1793a7c9014376f763ccc3e11c3beea2a3e6d04ea5433599a0cfb66599c0ea4b733ce7d61cd2e21a678c37b356ae233f609e139a3c17e5dc57ad

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 9329ee8a81ea6cd13942fa1eb6b771a3
SHA1 fd8ca48ff7095675928506e45fe72ab47e1ea473
SHA256 ac33ed626dcff31c5dd7399e8c29a391261e77ad0c7c92e285d8d41300b63b94
SHA512 17f3723c2a19363522b01539584a8bac50d0270a0105a090cb958935f48efecf8db10b50b085814e68db66757d11b45b44aac65c2f96658a711c08ba0a4b6b68

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 3654a9ff4dce6d01d5c64927c708aafd
SHA1 22a0b4956f8ee9c4c67280c28333f1840c6ac430
SHA256 e8b6e42d2f8b3015806859681e6347da2ebb7d23cf0962d01f3cfc4f33391ed9
SHA512 94082e4938ab501c6e44847315784f4d8c06a5129db78811e43412e1c1b03d4f85cd85c078a871638c9c8b08b335f9b5ff6169f72f2d06b850f4ff3d1a100b3a

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 f4fb6d351b3b0165bcd49367eb4ffee6
SHA1 0b91cd8acbd331eeb7516a28f46cba263d3caa59
SHA256 063baed3d5e33361eade9a32df9be2d4da7ac00640109ed76301ad25696a2f91
SHA512 86b2c18290305780d0c37470d050d9b36cf7d630eaf2d1db1dd7979bb62eb9fedc57a9c55a5d01800e3af2847aa91d9669b3d01ff91946e00ea3d4f4d4a68cb6

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 3dd3a9d6d0897ec02d63f4bfc44f2729
SHA1 7ca87c2fb8231500093531b13f0a59d3c96ef481
SHA256 47e0a48454ef73a425423ed2768e58018eac35e9e90c528eeff9655a6810e3f4
SHA512 33547847f4affe36f4944fbd6deae29dcac4acbe1a76cbf941c5c6d31644a6aa456cbdc90a544a8556969e67528f66856a19abe76eece6ec25b0bf8c482aae4b

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

MD5 d5915a7450d365d4b98bbb2a23d35568
SHA1 082eed7453c062e03e62c3ffe07d16121d78ce16
SHA256 d502f46f0b0f36d1ea0b48eaa59f98c1586065364e2a48e1099119ac1f22edca
SHA512 7c2958738f6ea99f552fbd1adec23ec2a4aa19af4cdfeeb99e0dddae0a3fe8499194d2d237c763e193278a7fc23dc4c6768f34d2b4e841cd13f610511be08bc3

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 e698ccbde1772e46e60b5dc5653bf9f8
SHA1 12e5fc8b0dd0ce2a723232ffa4111b5d52b764e1
SHA256 540d847750f72eab316e99703a6c3250dd0fdbfadb1487bf9a8fcc926b35198e
SHA512 b8d998e497d92559f299f7cdc0022310e9afeafa2b8d59c4114884fa599cdf7cb3e56099b9a94899216bc27ac6661dc4db9efa06b4947a796ce489bd7ebc5fd8

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 c56e24536ba6c3819fa32ab29c1af148
SHA1 231cce2277a6b300224f7a989b21687e1ff55988
SHA256 2ba83a2963d53bb663747cbcdab16ffe14ad955a945bfadf6a98ddbe1f9c8a81
SHA512 5f45df71aeb22c9d9a2a5d7f56f2bfe7455a9f542ebf2e88419066d21e8afdf73cc53f3c165a417e2fa98e99612bdf6aa360fe4f32d9acd4311d7099ccfdd0d5

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 88541ea12723a5ab50a255b7bf61e792
SHA1 6cbdfd969a73c2cf50c6eecec94c16610ad55b18
SHA256 207907024900891cfa97b635c47ee8b52e1a953765a567cd588a199269cc60d7
SHA512 d4a10f5e3389c15747f1b9f3a2fb9d6b11b429c086b7a3e24dc62a2db83fcb099447e8bf3c4fd5b6d46aeda756fb68eee504f1da1a02614219664ece37be7c62

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

MD5 6d82f17fb8435ce1501753f94159209d
SHA1 7f831f88bd3892ab4251492a1e2b6419f6a8d2a0
SHA256 bed08cfcc23494f3408668e494c7462195f471c6c33263ad9e17d0ea0914ed54
SHA512 40cd2dafe00cdddbdbf8eab5848dd6d013af597da983dd196b0e1c580644ced1774cb670dcfd3753daebfd35409d9ef78d83e6a645c2f3cde6f82ea922af722e

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 058a42dcd5ea0da05b4978e759ed91be
SHA1 8bc48dee9bca0ea921f3c364210269005f41929f
SHA256 05361a6898a7a529e931fd750ff8cda48cb87a5c59afd155f7b5372e1f1cb626
SHA512 f3e6c0619975c01b83e6fc74149b8ba7a9ac43f969d862c9dbe235be0c95ea407142aa88127fcd83e0b3740bf90b30a00e5b0660aeab7cea2462dc4c3e581bde

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

MD5 0e12bb23ae932054b2a896dc9cb279aa
SHA1 84dda25e3e6f93f3e75139ffeca22146cc3a0a72
SHA256 66d394255390be8386193902a6a7017cef999aafd70fb2d23d8713fc9c565f77
SHA512 db4d1a0dbb0f93d963d10e739ee70f7af16f7dfb7a89422b5c7a2df7f3b40cb8c07f6f326a1a7e91bf71cca277b6e30dd06017919a38516b59a15e0829d55685

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

MD5 35bc541ef2081aa9fe8c3d401c447c5a
SHA1 3f6066b7c61f7f8a1e4392cf20296f38556a9aa9
SHA256 c3a09246ef916012aeaab6de8b3170c90495eb1af4f2f70b27cc88a5e06744dd
SHA512 b7431c830abc7a9628b3d20d4e78f506575f416acda1991689e99861c3c9f2a81469c9dae92714661ca21aec0115cdda010700f55004b41568e7367526091403

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 cd9399f9d13099e5e76d17507a2524c9
SHA1 307c429900cecb2626d03f053b3192fca50969aa
SHA256 d5f2c702de271f9117976246a454a068319c9252d0a953c9813d54e3ab23b699
SHA512 1006424a76750beae5ab2314137eec88896b88413c48a330b9ad4e704c30190e87443726994b698912977b805c3fff228fb7d726e1674a1407c0e5ebc6db263b

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 8a0f6446250b6edfedbe9513dd2e4e4d
SHA1 8e3b4448eb354a2fd0450bb2696947035df9e084
SHA256 46555cc7cc7713c4ffbd276a124e93da1eacd5c8eb55a48475468ba9fbc9877d
SHA512 680e831ccd8d2b22339b569d618e1475767a1d95ca2843692336ddf45f930bc760b9ae2985a9fb4209070e64fc0d0716a5814819ac5b5fc2945e7a4f1f549ca4

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 7ce7ef132c4034838543becb88009c07
SHA1 e0d4ce9cc8a9d63a7b75e2582a84f5a0319c2b73
SHA256 3691a7a6e5a811d6968103f971fe82a6e37e8d030cee522241ed9ba534f65a02
SHA512 3825b464d62b7653108535131663710e67991a54f2b346711c9d7c29d62b9351d7c0053959042e8696f6a2e456b2ed658876d0d352f66a5b4904a5505220f831

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 6dd1f9458f8228b139c22dfafa9772d3
SHA1 e3ede18c4861a14642391a4c3d73215a67552446
SHA256 c334bd270afc1f789edff34cb0d7026d527a580eedcc0ef5f14d23681b4fa2f0
SHA512 5c27bf2420c11d5680bb8de8e5a2f91c3c724944f246a37d378dc3f89be9fedf4da6d08883770c376cd44701459761b1d7edf5f82fadd4be3e24b0957d5238b4

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

MD5 c0770e4ed01b239995d60aaa83764edc
SHA1 97e7ad58881cf3a0f181b173280c40478c9a2a30
SHA256 5211aebceaa46deb0223de6b43dfb49563adac97a56249df7fb05032361223cf
SHA512 e25278a9dc1d8f999d69640de0c7f6df7fb35931a4e203afc7cd9421a867c8ec1ad6cd52e342227c049551f99f91d2b529305c995eef73fae4c20fbe762bb156

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

MD5 a68c26bdc1c7ede5b72da2ee48ec4aae
SHA1 ae19030d9383a9b1186bff44929a42f3ab707990
SHA256 e755f3e461bb5419c9b1e6c450428f884f5c8f3388b2351c59cee61e15084c3d
SHA512 d22fa487d9f3cb97d0e3c679e72335780defc83ff5f0ad724e50ac031a51c0250b588870a39c934fa6e4da33ea1708bcf2d4f3136e64335e6ac0dedb31824c8c

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 8c90010720422fc3bcb76594f97b743d
SHA1 33479b2b525673acec785a05f21f62f84a858bc7
SHA256 663d08f7a2fa652625afd1d6cacd7057ce0ecce9963475aa4b06ad7aa7ed82ee
SHA512 8eb92ec485fdfc607bb7c2c3912d8c9c6f33926981d155577f3faaf72e0fa9e3b46b17cd99df668a264efb407ce362d92e0e7d9bf4cef0d4ad854adf97103c4d

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 25b48853352eb8440ab546cc7536db6e
SHA1 398d855494b0b8196a20d3ece5597b4407813d70
SHA256 6fda95b1de6e26ec2984fa93a76b27deec6b2bd605b068febb543eb5937eacb1
SHA512 d876701a344f1599624fbd42ea9d3ad99a98b56d584bfc4678ddbd57804bb6dcab8f4c793b6d7adf7c8ff1c5c78f4d278cf16b35927588880bd08ac1a4db45ff

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk

MD5 8e66ada90daf75efc2175c841ee15de5
SHA1 b88e156c92c7b43dd061c3bcc989b144d20ea37f
SHA256 a56debfd4f0ce62dc82ef6534897fb294b4b43f31d974f8026b7aedff015fd1e
SHA512 4fb5cf8cd6d06ded13e410b3adef795b01cbd94dd943c6b6d15e296f4d050d00b428ebd77da25a21693f069407a21c88d21fa10587c1b7578a0961651868aa95

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk

MD5 45f4cdaf00c9dfb1dd3238295ca9ed04
SHA1 ef58b272fb73085bb900d03cd6efe7e1908353da
SHA256 6e641a4fa2a9ea49d1430a9c2a9023a2b764192ebd079f68f52c323188850194
SHA512 afa53452a184ffd9dda4584aaf47d56fc519b6a25116c15e8c21fd9dc7dc358c6f1799c4170b9e43ebe30c00bf0c099eb492c6675282c42c8646800a88cc841b

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk

MD5 25fb5ea876bc36904f664a80ad17ef4a
SHA1 1b572d9cc032269f47b943d48cd158b1a824f858
SHA256 6193fc254c1193dc98975fed1da9d07270fde6057e50a56f2532c6b54fac5661
SHA512 4d4ee9989f94b4d4aec64be314baf35072318fa3930ee951f5697fc7744dbe5c13f2218db29f945b08d3272a254bca5488d951c463856344374ed2c9e18ecd09

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk

MD5 5cf5c698b732788c035c2a76b6ca7039
SHA1 1fd7293b1f9f27457f4de598b3b5ae28bdbcaa2f
SHA256 3db2e0a0b3108d7b186828260b6683ba6bc71fb44cbd7895a1edc2266c622176
SHA512 d2408626b91557fdc1d553553731c0fb398f8ba1e41a2b59f490e269f4d573432c41174ab75d7c0bf0993ab63a30d7c5563321b5e07736276b0eedbcb57e121a

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk

MD5 c05b89ef5ecb3616f0d13248ec7b2df3
SHA1 90ea821f818284376d470ad9f029992606147a6a
SHA256 587469fc2c07548d158729a19fa6e98f416ad20fc411778338a629bd26e4f6b0
SHA512 cba0ece53034f007a0325877696a758107d37f8b59b5361e4629a6b47931834f74eb63af4c016c4d65ff2a027e799baa63afb2fe21888603a299daecd4501492

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk

MD5 dd11d32c1afc3186d308964680137e8d
SHA1 b6468253189f7b35dc7aa6b3b256c75b800786cd
SHA256 7de15701059231d059f67fc24667ba5d5c38e2b5ebd15315525843615dff4352
SHA512 18f54a6c2abe7b75e9d97a9553b68cdb11806c9a40bd5fac9fa00ae3727555f24d44555d92a7a379df463133f4035a5c3e844c60b4e3061d1c4c7602c9b81d71

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk

MD5 ef51326f31b9b1ff359559fd09b5c641
SHA1 23c444282472da76433b66dfb5b4ec194ba42806
SHA256 1ac47d7fecd0d61c792e67bc37b37386aba4c89c76c162d8c2b62e350f018054
SHA512 279b9721fa6e8e106fe52f0cb82939f1170aa01e3f57e0283a3b742a9d98b1454721a20d55e6b58ce8d02ec2fdf00477ad6a5ee7ea126e763b910d8611577f7c

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk

MD5 14ba33f49fa83ccbc760e76302e43e8c
SHA1 c684e5c699bd0aa1ce9f6e8a4a9bb42d8be9452b
SHA256 c958ff139151fcdcc01e4772a5f13471a740e0ea30e324f9873d815f49d3a282
SHA512 09ee244203eb501b285901319c25aeba668ab1bf7bd497ae67aec49de337976e88c771b1a95d3831a7d4b5ddf4288649bada9bd564308b39895efd1b73bfaa8c

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk

MD5 16896b75c0fb39534f31bc5b726151b8
SHA1 ea279cb63e5b0ec2a6917394b9a351c9b45d64b6
SHA256 d7f3992da7b6f1d7a88cfcf51bf6b636fa06e01b9c2d70653149e66c41e1fdee
SHA512 8711eed1de602f4b6fd4175eb25007c3e84dbafcd1d8a489f2aeefc6b7f7b231a17f64fd63900b6960c7b9700f90b053c8afe500b9d1d8f45efbd473aa41c86d

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk

MD5 17b47b2ee4ca638dabfc9988ff704ff5
SHA1 ac0b6ed300c53840c81d929d9d4440bfea761516
SHA256 8e3b59d386f5c4f225e4467734c6c651fa9281c2bcda3c696e138d419454d105
SHA512 1c939e674a12b98d281fa515d772f8b0fbe6a7f9aa911236a2f263bd254387471df899f05cdac0e2baf0b6ce6efaa4824b375c36d73f9ae81abc265ddb22ad2d

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk

MD5 99cf6c3026dabbee7cb879849ab21b5e
SHA1 fa574d80cc95ff9b959e9ff1fa393ca5d6ca0c04
SHA256 4619b957d4989b08e049a23f8bcd367778d8373c6725f259dd49a86312f07dbc
SHA512 ad6e0a6a209c10974973dcf4f18db61389694820940e59a21b9b4d20b2b1a9b3225a7ce331f199deacaa68b304736434a3c05411dd88d8b31760fd07718f2692

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk

MD5 fe7a37997f3b6737950d8d047418c3e3
SHA1 72ad475b5de4495e1c2a2d4e1416101ec40fc6d9
SHA256 09c4418267ed5c2fb4fbac3a9b1697a151ab2794a902212a97ae1f8241723114
SHA512 02ce135fa5f498953dfe2b5af42e28b63c5720ac52c5ff219c513fb25a057bb64ba663ae18d552738c6c9b785441d0f76b4075be7d6e10a3dd6b1c866e7c5edf

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk

MD5 40fa0819c357050ba37f822bc2338574
SHA1 358a0f111570f00db58738bf3451cb12f4186ae2
SHA256 b2bbb6d75790e8f7f8013994a9f072698be8520a31d0bb5dbda8218d494abc1f
SHA512 596cbaedc507bfce3f44bd85a7780d01f7f4c4f1e0787b3634f7f93940773567fe1a9e4f2f7429cbe1d9560978afbaf62515dc23e53f0c45bc12a878b51823bf

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk

MD5 1541fc3fdaacd6c4ed0e3cb6f7a85876
SHA1 df84f1044e75b3c05769430d220629532ca6a050
SHA256 affe5a559916de3cd38d6b4a5dd8ac56dc0a1c380e4a2f941a20eef828490e21
SHA512 6ffd5c5459ebc2428dae87168e7d337e75b19d19ec17a5b4f0ce5d7a7be78d75d1ce5ef2a1d6f98f13684a3222a57ccc1a40c6a10ee5239879070f164170655f

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk

MD5 23c502377b97f175792cd9570c2d21a7
SHA1 bf68771510c47afcbf335dc8214119e647bc7a41
SHA256 cfb682279d5488ad8807140c77d0cf37d4986ec7f50a6c3b3d3d1cb14b41c4c2
SHA512 58410fc103ab1caea92e809c6a07498cfdf35674970539309f35f56c7dd5f9143ae4af6068985791f5904c3a5e803a02fdccc94e855cf96ed1c649ebcc77fb27

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk

MD5 7f26b7c15b4f5ee5c90eae07b1bb08aa
SHA1 cd50a6288424dd630dd1e4e0b129f6be3f590d22
SHA256 1f9d817d5a7221c04c1cdc05c8b91f118db860518487eb418b2bca2c8cf85bbb
SHA512 ad506b1ad63d2d36ada1a17938af769b38a31703b67f47f819ae919c0a0832d8d5ec47f6346e55f516a4d0d8ad04320c107342eeef28c8fdfc1f756c320e375b

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

MD5 ffb22e03a634b573722f4efc533bf737
SHA1 951a6ea51e54d0913333a82bd3f5dc37261fa3b1
SHA256 e3b676c46c4b920e99138cee1aff5227afc93171a90d720f4f961d1fd576e6d3
SHA512 826b9ef469b37ce6aeae10c0527b41b61d11d376f7517ed8fffcf054e6d147c3f8e645f3ad593976f47e81f484caf110891313b53ebea7ac4925be0af22b8fac

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

MD5 455284717fa5de19ab8b2bbda8508ad6
SHA1 490d774f36aaee7022913804f922a1ed6aad0234
SHA256 daf20628a6b525b05f8e79e430112d519238d22944221e3c84b5549b89871229
SHA512 560dd48f6b5bce08542844e5bd7e9610e1bd56005ebab26a7c406eb09d1a124aeb8b5aece2385b083c3c99b8de7acfe54eaf1aefb9de801206bceff1302f11dc

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk

MD5 aefb16fe063d8552feddf30d50c6f4ac
SHA1 bbd3d2ba9b29097df8a8b994c4877c922792789f
SHA256 efc4e18eefe45e640c4652923068a205d743f0dc995958f044736f6a771c73b2
SHA512 1951f863df78685aad61ae597be3f8b61b7df79b97019d9c2776abb495ed5f7de3e923ff3a56caf6769d9433f47ba9c21009f9375c32d19f5c4a2ee9196bba71

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk

MD5 482fc111692357231a121a17f0ebf006
SHA1 141bb3b806b706a51b386b3314f6757a106e3809
SHA256 e6a57f4dc690c4bb80eba5667272f86e9740b8f17b87c9c52ff02070153d7109
SHA512 cd52ed5d775dbbbffa8b608b7c481b382c9e5fab44e558d03751d11558e3c0ca455b5ab3bfa84a0d29e4fa121e3cfeb82b82bbffd33eb304adc4a5b37f2913c6

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

MD5 f945482918a8aefffa251748ef4b66d0
SHA1 c5cb0042c665eee0bb830c27f46b5c7a26a53479
SHA256 908560817aff36ae51413adaa6d449aa726bc8614f8978e02de0fd015670740e
SHA512 afa716efa18e3242e4073897b482cba2f6077ec070bd883b27f0e051d06a0f1d3121e73e6d9be5e41262d89a29f576ba476c48404209341e3b1488c8aa01a947

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk

MD5 f1fd3b1c98592088ad14b0433e781efa
SHA1 9c128f9667a976c2f4a76dc94925f2fe08e518e9
SHA256 8818ce614f7826c28e661d0fb51d36e97eecc6f89def9d59ed9254398a292a0c
SHA512 7ef9dd85ddafac04e7268bb482c30edd498916f94ceece6e98c7ad2586cba635c31cc5f6a40d17a20e45525793d2f6a9d615761efb3ddd4fdfaf927e59d091db

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

MD5 b0559879a36ab3730858522251723506
SHA1 8345f9cd1bc4b7965eccc4b7ca14de01f71bee90
SHA256 57594051d5238c736b304a907a27dbd8e5b2c37e64ee86f08abc535a9faec1fa
SHA512 a08598b39b2e350ef7cd26848427f72253148357be01377383ceefa79c997481af70329189086262ff244ff2d9c9fba052e60de6df7a3cb2f1223383aadc6ba5

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk

MD5 cc51b9d4ba573459685c8965c4b4c1cc
SHA1 d7e665100c1e9844c21194c134e3afc9cda1aa2c
SHA256 ce8f9d759e652e744ddf8a0944f7d920fca58d59e65f9bb6f4788c27f27941ce
SHA512 7da4faa2024806dddaaf4d3823a38627f79334dec191656a5c79e340f7d39c2e3149cfa2c5b8061332d10b76fe437dc9e507ac585a52386200fb5db3d6556dff

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk

MD5 af3c6af70526c75fb84273ccaea2d025
SHA1 e5cdb03887fc905fa170c44298de534d206ac380
SHA256 79062de7b0b15cb7581f420a1635c93d0ba164bc67cd739b85ecb01e173a9717
SHA512 7254dd4ae94d614c5441bec82042bcbbd99ec943dd249e4a750f06b710c45e753ac40b679f78ee0149f2902eef4e939b2e3418886e4afd49e3d56f521f5cee70

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk

MD5 75125560c2d0b734769e0768c8bc8a9d
SHA1 f44cf186976040adcfa7585c0866bb20b4c0eb4b
SHA256 2b4cae0fb08f2e1379dba8a1a93987131398e21ae1431a778982db4a346e6ba4
SHA512 f45d5faa5e9aa7500ba5297c3c8d6e3d08f6b44db6878b5b95a7f161f8678820acc46809867d19dd896f44bf194ee7b93cda3452000c7640fbd4a88a41f73b1e

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk

MD5 7c4c8ef15630ccaacdc067f78f6ebb17
SHA1 3de1e7c1b0027f9aaf02c6a9400f2d6d8ba73e82
SHA256 e94955c067cdbaa4c557b7954ef0e933319b39a9c489970a5b0412ee6dcc2664
SHA512 ae49ef7d78a515bbf42ed0d37fbaf99e612eef7ee5b50354ec48374524e0d97db57488eae28828ca450f4d30c0db6ca9e1ab21bc1e7c31e2309b4662c105d20f

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk

MD5 c48bb2883565eaf989df5b0e02c17c32
SHA1 3e4d1820790dada49fa9ef9688f6a206d14db610
SHA256 9cea4931ca346a08cc5c180dd6cbcd638f13c2612e114c26a32553e630418f9d
SHA512 afcdff4fd47ab1a03dabee76823220dbc4a6cfeef2f2f1db06f9975c04eb4485b8d367a034163a79044bad719f25ed611ee201a0b7469e6f84eef70082a99d13

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk

MD5 1da13517714536dd0b317953c88d16c8
SHA1 3c34bf8254ed5f14f85f7102c0cb27cf7bd8b4ba
SHA256 2d03740f73a0f31256ffa93533f7365df23668fd4e1bbfc01cc60b946b1ee7a1
SHA512 26a0b1f1482c6cf493608c900a4c5ed78d6d5ef3a40f49b2104848194ed1be7c5b009acee9600b99cb8d93cd52c1f306564df82e34921b0f77dbeeb6d14dc0a8

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk

MD5 79fd2a72efa59e84f9b7eb699ba13a48
SHA1 1c732a8e8787c5dbad58e3b03861a4c15b7d6c2c
SHA256 3ccb3e6d686d469f513d98373b9e0cbaab274d3c8f78ee6c2fd4e50dd7543752
SHA512 3e822c3d8596be9c59ce32de4c79defee1b38309489bba28cce0a93bfa7a8f728f2f761455b5cd83e087a0dbe69bd6d8cc613cd1eb8202af2367730a045d5b97

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 215c53fac64728bf18407dee1dc650d6
SHA1 55009ae96f4fddff86dbec6c453dbba5ce7484cb
SHA256 ac94091fc5d6ceb02f88e35e738799e8ad9e44af0ebfe6a0ad8f3abee1865e5c
SHA512 ebeb290d1534af422378f003424bf9c595067d0426959227f91e053aaad0dec58fc1d3a85ad1f10cffaa9582c64174b59f2357859fa7d2e54e7f52f48246bfbd

memory/4976-4219-0x0000000077550000-0x0000000077640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f0cacdad35097e76b3e0b2d1b84c1dcb
SHA1 26fb50ec682f4bbc6c121d5a3e98b5cb5bf9668a
SHA256 504aef4415741b03424ff58598222a9abe52f8389905cc1d1083d970891a92d1
SHA512 dda4f252475e31f8d52ac622441d6c5aaee28e41f7264efe791df9996d184250ebe4df11189116d7ae29bbe39d86957ab8e41ed54ae0cd35da8ad732b7872a9c

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

MD5 32f023ebfa0576eee14aad85d7977526
SHA1 dd5d1a576fff87d7646427d8223b6fb50573260a
SHA256 7338fd943c729c37eff1882eef8c0075169a2a8f1e5c8256d5f884b84509b771
SHA512 6a8a86b1eb783c4a5d8fdac4281a6685ba1dfb8907280463a896a9f31ed20fe0e89b33bea1440b9a602740cfd07ed7e19125a802a288ed560f63a44d5d1d0c4b

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_contrast-white.png

MD5 895ff391f338262b6c5c865598f997bc
SHA1 c68cc2ece9312d74368cf692646e43e35a635c87
SHA256 690d51c8c5152717562c5b5b9565e71e2688ee97ab8144fc75015341a9882765
SHA512 4731d2db31cad9d56863a7782244d2d5193478f2ebc01f4b0c12feef580d00483c1509ab11f700b8d413f7a0f00709ea2e2273cb00574b00baa3bc7a8ac20822

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

MD5 eccdea9512d9b17d86e3cfcdd2ca48bf
SHA1 3c860b43c252cf0dd3859bdd67503c5633e314a0
SHA256 9a10e770d519279879bb4552550c8ed88a4ff54f31ada4827dd018fa72a4d0ea
SHA512 c80843172f5303bc8c5f9de70f26848428b3ec044e848bdcd4fae50e0dff58053ba20f59d86d3d8d7de78c1f47b15e6291c219b061cd1345a21e20ae5748b308

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_contrast-white.png

MD5 213294bdc322caee25abef783e137679
SHA1 1ac33ccf770388e63b41e3c1d11154d30ea3a75b
SHA256 ebf24b5204059bb0f2f04f7747913c988f02f402224236749905155eac95a389
SHA512 72a883a8b539f24b5e5c64b4e8197be2c49feca6b3ba16c312ab7023fbfa80742665f36970eb9049e6d4d0ba9d387beca86dbb1af74ada765a7d0b7614cda311

C:\Windows\WinSxS\wow64_microsoft-windows-onedrive-setup_31bf3856ad364e35_10.0.19041.1_none_e585f901f9ce93e6\OneDrive.lnk

MD5 7086a715b6ffdd70ef6fd43e7764c382
SHA1 9fcb28049923fab340d2a28284b482f3df98c97b
SHA256 a0824374736d356c2383be16b04ac51af416e8300e037010b079343e4da937dc
SHA512 cfb1e65d2bef7ac42fd3ec83233a55528a322ce1a71dd4538b2c1821adc2292d1f05b3cd80c3f635e780accb16d1e89e244b420bcf46d7fbcd9a400e9ef9de5b

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 17:42

Reported

2024-10-08 21:19

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Renames multiple (2214) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_troubleshooting.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Switch.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Throw.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_methods.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Foreach.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\System32\catroot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_prompts.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_format.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\erofflps.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_preference_variables.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Programs.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_For.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comment_Based_Help.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Arithmetic_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_CommonParameters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Redirection.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Continue.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099194.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5B.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30F.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Media\Garden\Windows Navigation Start.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\activity16v.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Media\Heritage\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Media\Landscape\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-16.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_hash_tables.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_windy.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\1047x576black.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Menu Command.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\3.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bg-today.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-8.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\ClickDownExpanded.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_en-us_95d36ad13a0d3d1e\playready_eula.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\btn-next-static.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..ional-chinese-array_31bf3856ad364e35_6.1.7600.16385_none_c0cebfe77b9f6973\TableTextServiceArray.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_eventlogs.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp2.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\default_thumb.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.jpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_cmdletbindingattribute.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\47.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\ehome\fr-FR\epgtos.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\rectangle_performance_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_profiles.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0e7b1171f7308f0\about_BITS_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\shadowonlyframe_videoinset.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-6.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\TravelIntroToMainMask_PAL.wmv C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_prompts.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_job_details.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\btn_search_over_BIDI.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\WindowsOutlookExpress.bmp C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\16_9-frame-image-inset.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Core_Commands.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Media\Festival\Windows Hardware Fail.wav C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\7.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-previous-over-select.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions_advanced.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\SonicResources\ClickMe.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\ShellNew\EXCEL12.XLSX C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\42.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-11.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_operators.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\ehome\de-DE\playReady_eula_oem.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..tyle-resizingpanels_31bf3856ad364e35_6.1.7600.16385_none_bc51073aee3391ed\bandwidth.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_preference_variables.help.txt C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\Clip_1080_5sec_MPEG2_HD_15mbps.mpg C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\3.png C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0347581c719db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB2D78F1-85BA-11EF-80CF-C28ADB222BBA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000d4169c57b616600b9c2bf25a6b1f932d328a658b1b60dc516a4bf0034cc35ea5000000000e8000000002000020000000eeeb852bb388b48783badd06bc94fd45b407de94b6efca6f7a081f065344a6d9900000005fd5eec0194376b90f893e978ad2af1a24116c8f787ccfdb066bd8407a1532774367e0f57f48fd024807910292396f52a0e91b4449a396c1e5af4e83ab216dcdc228a064f332282dec897da858ddcde72b6e6cfc465a5726ca15e23d09f023bba9e85ffc67604fd2e554bacc38598dc7d69558e0d43b4bda1feb8d30b409aa373e0dca552087aeae0b8d563a3dfb305d4000000037c8b96db5a3804965b8903f0a8115998f610caddea8b55b8f9b55ff31fb221855f3c9919f8630f4c44d4c68bc013a829affde80405d9e077d9865a9092bfaa3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434584093" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fe7ac597df2f317924d76a47fa068e30511f572a0ff14cca5a894285729b6283000000000e80000000020000200000000dc40565d8dcadb61b81eab066d917fa4624b3be283c73a531b6b2a09ffbbf14200000003815de0bfc428012a3fbb5405c39904fb6e9b0be98e4a0da62801fb78d5186134000000055a18d3d6ab6796f050ae7e8e2ec67b254256a3b2a034be4008d149033296000d4dd8184243f2fba3dcbcc5b2e38693b64c1f551910884edeb4169ca3722f438 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe,0" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TBFZLTGLROVAHFH" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe" C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\virus encoder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
PID 2164 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2164 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2164 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2164 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\virus encoder.exe

"C:\Users\Admin\AppData\Local\Temp\virus encoder.exe"

C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe

"C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.crazyfrost.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.crazyfrost.com udp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 172.67.132.250:80 www.crazyfrost.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\virus encoder.exe

MD5 63101d9664ce362eba241e2bddc54a74
SHA1 3fa8190d6a1fea2b54efc6804dedffc6d29c4221
SHA256 20c262be3ce3269b1c2d0f6af38c189c69e22ccbdf0942a23c89073563445326
SHA512 118d99caaf939ffbf3b213a1c51f3933cc7badd737ecc13b9ae1c85163d352d8b10e7ec65158070860b0b78b50a50b3e2d416a9f1910aad0629ee6560a4435cf

memory/2316-18-0x0000000003390000-0x000000000342A000-memory.dmp

\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe

MD5 3ffc01adf1bdd98bc7675450ef673882
SHA1 7c8226cbc5dbd32fe8553fd17edaf7f4b946a039
SHA256 75920af382027dfc7baba45e56b6e007ff6d5a5dd7b1506bbb98e08ddcd6742d
SHA512 875b7d94482c3ee7a20fff9b49f56a502f7858edb9a47c61c7a4918bd9ec6bf67ef72b4decd5a68775237ea592c27b75fb3126019b4ef7743aa0ce6a9e3dda04

memory/2164-27-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2164-34-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2164-59-0x00000000754D4000-0x00000000754D5000-memory.dmp

memory/2164-103-0x00000000754C0000-0x00000000755D0000-memory.dmp

memory/2164-104-0x00000000754C0000-0x00000000755D0000-memory.dmp

memory/2164-233-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-252-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-262-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-230-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-271-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-231-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-293-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-235-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-237-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-239-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-248-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-255-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-289-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-297-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-295-0x0000000000230000-0x000000000026C000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 4846e06f8c4e12a788aecad18f1cb3d0
SHA1 71d4055dbee8cf298bf438312619ce1adaf0f20c
SHA256 fded5ad3099491c3314a3c41c8d5a69d27bc4e77ab195edb1b8db8e44a8b9df4
SHA512 bc6bc5e775cc54e00a3588fecc35366c2104ab55cdd4decaeedd6e3716108973beaa2eb7e474a4ce5db470ed9ba717aee2d1d198afc4516d926343730f125e6c

memory/2164-287-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-286-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-283-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-280-0x0000000000230000-0x000000000026C000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 d31b75b7649eb6fedbcad2b74b5f2232
SHA1 b429f1a512082e969a7354e29c18444cbd502c34
SHA256 861a6bee23f2ef4cf92c145c220244b362eb14cc81df9ac1970807d14036c479
SHA512 43c13d1de8ea04db3a82883a99bd1f40e1285c7e748183770f252e62a4b91a4fcd60697a84af6ef395f07893181ab9f65f0391a0fd5a181057410d8d99bb4faa

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 d7bd2ab23ad2dcaa879a773a455e4edb
SHA1 1fe314039d05df4048d4b368b84df0d9efb0e14c
SHA256 671b09870ccc14bbef6ddffd327a7b3e03a1f1b905e31599a4cee5a45ca7dcbb
SHA512 f65aa307bbd5003d04a15aa55e3eeb568b8bc4db3ca071fb7056c755bc193d78f58ba700957880526dcc1d8e852cbd2e1ef04bbe54ab0bc5721b7d36eb083595

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 bdfa643dbd542c6907730680756f3a16
SHA1 c79bff37e072a6236733342d8176012ba02ecfa8
SHA256 67b136d710780b79162821680eb2f65b685dd062788da0fa6733f64725e32fc3
SHA512 c5ad8fee2bc7272400b99f41027911ec49cdba22c186039f1420240adea2938f4242edf4a4c842f052c88511959bad92e612183e0bbfba3f727a8292b04066ee

memory/2164-277-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-275-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-273-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-269-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-267-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-263-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-259-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-257-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-253-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-249-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-246-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-243-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2164-241-0x0000000000230000-0x000000000026C000-memory.dmp

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 9f4795f5306bc18e6dc1e976cade5c3e
SHA1 cde94814d9f859c1a756cdfd8c4286c6fda00437
SHA256 f2fe82fa51ce58e1fdf498b377641af759a0a5837f70d1df8d3f6902f86b11dd
SHA512 fc85999810dd6417b2ea570b73390b86e4b655436b6f0d8943efacec533340f26fb23ced769b461b518c2bb254dcd952f9840001ad543473f8a48a00a29d853b

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 009f8b570d00e9b31d1ecf4c22059ed4
SHA1 860484304402e861b6af771de1861def962367c1
SHA256 f18d718ac2dd2bc2317a83dde21cdbc82e567e2cf57cfdbeedec6f970a95dc54
SHA512 8f096eec56c11d7b4e81e822fa7a7d6a0e5593836556b1919bd77a21348a4185f87c7ef889d54c1d2eba189baec0333d4b86c194eed5cfa17258982f59baa30f

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 a88d2aa6dbb3e2c73e7b1b6ab4d6b11a
SHA1 255282528af78b6f62a8627b48d25de0b8828c28
SHA256 52c1659da674c4b74218f3b3e375fe79404d08d52656f9fa1393db3233007dd8
SHA512 63a844a2e1fb213382e704288cbd398bcae53f1ed413f5d33a409b98dbca5fd23736ae60bbc02ea3d8f7a043b59924e8f579676958c82244340b356ecfea27f0

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 43b6d1a581e0d77e38cf3765361ff3a3
SHA1 eeed2ca2df8060df2efef6da72384bc408e17be3
SHA256 bb07c18028d169443c79f3d6b4da74fb75412c359efb68c44e9fd15e0dc91157
SHA512 150b563ad32f1a42406df896ab12d9506e25a0f6ddc7a25e88a4e247c46a5a75a1c1fa9b3de25c1f6f477e05079a60cf928f4405be343774bed7ee185146f28a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

MD5 4a26f4c98d293d9e93fcbc48bb4bc7c5
SHA1 099b57db24726173c49a56629dab2e52ff2780ea
SHA256 c4958eb9188a2112c0e6e1d2d55cd1bde9b935332933d791b2a94e52bfacf832
SHA512 47343f1f7cc00e34a9e8df8b219220364690c6d5bb86d4b93fca447ceaf88d989233382ef0712dbb2e2bc6b1f89082827a64689dcffab68fa5fba2ffddb334c9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

MD5 338da3989217f19ba4fd759b0cddc944
SHA1 35b2f2e5f61b4184d833723b0930a2cf941e16fd
SHA256 81b094eaf1469a435ba7dcb98bff47154bec836973ebcc4efdac9abd94d65327
SHA512 0b77fe5ad291b8a4c0b21bd304d319ac4a0ad53d57313dc00784ad1aeb663792ff9fdd1ad19633dd597c278070ae61af8486ae78ba290b69519e6679063e3b77

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

MD5 c9dc598752c2951697eaf2e0bb5e817a
SHA1 1e605dcc8fbad52ccffd0447375f24d86fa36ab8
SHA256 5cdc6dfc2c3c54996feee3d7e1c3cc8fe811bcd8a933da7d77060e9086fb7d5c
SHA512 49b70592b9db7859f0dd733a1cb28cdc7dd7666270eb8489efa795a343e9914cbf7018ed792c5c8879bea708f7290b785f4e091cc6141d1bfdc1bd04ffc29cea

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

MD5 6fbf57b1490ae97ddbed6c85ae814b4b
SHA1 96b3fd36bbef13599fe78db9338c1cfa1239c5c3
SHA256 1bc9de48e5bf004fd43de1908d9a88c8348066f52fb1dbbab4801ea8cc8e029d
SHA512 e043fdc82f7bbc1c92a6923cff0b3bf08d07e493947c7b47bc9d743e87a71e329f036e1f6f69cc1ac02741b835c1f9373a5c18147ecf832c9302f5b65b7c0df2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

MD5 e8a08c9a0bc973881e7fc53e57fd4aec
SHA1 4705bce16b7e6ec2ce43aada279281370835e188
SHA256 c850fd14c5bae57217c7e0290b612ca923b247053f7761ed23b9db66939a4a8d
SHA512 4b102e49bbef236e7facefdbfee40570b6834fd08488d727706b62b42bc01dda3c7a4f0f639110430e7aadee403114e77f463688d2659426d5c3966aca094180

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

MD5 3194f514da4c06164083e8ce20fddcf7
SHA1 f1a135319ca46aae0b6aab4a9edb3374c006d73b
SHA256 28f8ab582a3e1f6cb17cdda0522924196bc58d0a10be7ff6c350aafaa063d9d3
SHA512 4e059b121e1028f63e62d0a56c08873c995800648a701788b0b68fde6bd8b40d97ba71b4ed7775036dd2f54ea82b9d0a9a6be646ef842fdc79ada3faec541056

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

MD5 0fc758b8eff9750da1c03c89f76a6d9e
SHA1 4bbb162df4a58ef50065a86defa60c0cfe0d74b4
SHA256 2bd8492d0754c8f2928133fcfb6aee670e3429fbb54b5cfd9f2626383a6fc926
SHA512 24ba500c5bb3684792d961b776b39f6a33653c391606527e9a87012b27a0aeabb90bbfc3239eb0a7b9a64f45cf01adf5dd58e5851ae0c5a4c776adce8753d88e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

MD5 29be77f3f16b1341ce7fa22ef272b63d
SHA1 443729efaff96e05fbb0763963719082e09a6194
SHA256 40d5bbbf5a746802e9d6b806b486857ff5bab15b659300716bef8b5f281fe095
SHA512 46582bc6aa99b4d0a516cb73530dbd8b8b2ac0e2547cfdd5aa2a468cecc418adea9516925cc9160cc2ad7bcdbcea43283eb73c668bd16a698f85ca658bc492eb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

MD5 fd4627cdeac9978636e5deada6bbe777
SHA1 b1b9d618dc147addb668bc5a1f8168f30a0c8a1d
SHA256 536fb77e9b0774dff3bfd5906c4e48cb1255507c4b24f625b3d7d01ae5e5a54c
SHA512 49f3ae8b7fed04d53809f37e8e80d8ef5b5a423e655f612e4bd8fe0b5a6735c54ad1539443bf3369cb98dc1cb51415b0805d2560dd18d33f991ea6042cef1dcd

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

MD5 673048ed0ac2f98da4d4f149d6a194c1
SHA1 f32d8e385ddd4b75ee6aea17e844fa7d47058fe7
SHA256 7a2a9f13d4e66c3170ca3e2297882dcae71bda19ee320e3e76e13f5c61ec01f7
SHA512 609bec85de07efdd82b6bbfd7dba5b6c622ffdb2d29dc155370c7dc2dcd02c5bdda75e02169f5dd71241f85dd9bc90e51319c7f4be73083e6e423a9ed5e525e7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

MD5 67da30c6131d598126057973854c8257
SHA1 853df0fba612c4fed2778a75930d5a4660754e9b
SHA256 6153276be8148175c482f006c76bb1a52891b20998ad2795a96ddf9eb36dccc0
SHA512 c8cd47f0bd2249bab689a699912d8885f2e7d7f6f1b9830974b604663a8742c8ddb69a0633079b0e8596d5904bb462c93efa341bf8bb38453e73c66852832447

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

MD5 bd4f6f96d184364e2c97a15e0dbe22a9
SHA1 1bb64348b1ce8f98ad9897c4326c514cb33991db
SHA256 0f2223b93dc7b16792de286d8f13f7bc62594dc3ab34e019e3df06c711643a56
SHA512 f02f6737cd0e70c0768dfad2563b246e3e9117d00f26ac7d82e4dd3c23e5360fcf63109289fdfb9db1187aa41e71861e0f5f5041491c3a6e55239ffcafd56cec

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

MD5 cf94f8a9278d39cbd83d6820ac932caa
SHA1 081278da4200d8fcbcde065de71e00b95f1b86c6
SHA256 090ae8daccad31686d3231a6afc6dd06d2fdd1cb625730e2c15ca761a976023c
SHA512 36b7bd3e35e7db8c87630a83525de85191432f19e37f7a5835a8c3214ccdf4c2ccfadcdebf3e3cd5dd13e043e8d0f036c65f7b92b2c25cb915132a9c43f40d71

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

MD5 9cfff6cb0b3006425ecb4b9abc6f8abe
SHA1 fea9b9ab9362ec020b261c07a2c86f0563cb47d3
SHA256 b83a7c7b00cc15ebb15b661af06a9a131413624424675840936b7db0d588a5ef
SHA512 b6365599144242dd18056b3f5e2b304c76ea86642906228489d1baaeac05c2fd0106712bca258488a8417d82cf9c7ae018629a10242cee9c451a8063f05fef3b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

MD5 80fac7b70d8efc9ce122cc18a370aa1f
SHA1 59c61a23ad4922751316d9d303a1b3d0531595e4
SHA256 62662f383b5c43c863ca8551cb4fd58c192557b60ce9dd18ebc91e883b7275ec
SHA512 17284f35a89b69fba66b837bf65ab34078c74ff480609a60df447d516a0f191e2f2ae785c8ffbfec2f0b7625552abcbd2b5c4d085006a1c1281f2a800fd4edf0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

MD5 4be71cbd52acffd511eb807ff26bdc03
SHA1 200c683ebe211199e4c92911653ed35042600f1c
SHA256 039db77b1619fab242a39202aec8a531db61179999af4906c12021679a708e9d
SHA512 2bd4b068a56494ab12d06c7f33a89b057b4354529f15427599f5ae0e5f3064670748d5e634ba33089b67adb0ae4be818a81d8ac4a6b37edf802295ec95e2c10a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

MD5 e05b3e937c832476e6744def317f266f
SHA1 a4eede4cc99886c61ee544413662b40e8216dc50
SHA256 daa54a661b10acdc1f7e59562ac9f7d25db5fec12ed4c501f24b024304acdeea
SHA512 c0b9a3efbf26e8e63957dde5583833acf4dd1a9817c770884b3e095fa9dd395b0af6a145341f2980ed9eaad4560ef2f9ba1eda14b8b97dd3018e01379437596c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 ed860822c1f6a04b1e8a6ccbf76a2b9e
SHA1 700a85b977bbd08ecb03a032f27ea9cccd27f12e
SHA256 c7db1cb31d79a6b4ab6ba624bb47296afa848252764facec9a2dbce830315303
SHA512 4124baff19c01b8194e3e30a8d2bd41a3d41dd591e09fb3ea5ea394a9bc8448f3d04dd99570865ebc17d42d007c42e0cd4e2150116d0cb24c4bff2573d7b9aa9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

MD5 23204f7590ddfb3296cc383151a2fae8
SHA1 a25eb3d647db67b4ef458ed9fd028043b05578e2
SHA256 23aceb8f6981bab9e44554ceee939b3b488d614a4430c7cf6e068b5ba3e95057
SHA512 9e4fc61cd2dcfeea46dc1b7cf5253bca13df1afa91aec69cd52a6b9f3ddb813655d6d5ac698d05fa42a25d584f08ec80c9fc0e47ccdb79726925f70d24b2d268

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 00704a55c4bda9e3d2a892bb2172c923
SHA1 26fcc2865e7fcfab2d6e23c1f35d6bd0a208c3be
SHA256 4fa9714e84ced35706f34ee872ac1853460a411c2fa79c7e1dd0e6c2db25d849
SHA512 663dbf93dc6e902f89dc99d432094be1fd0b35d5215402b4e56fa46e1d728c36df736da910b022dfa9c774cbd671e959a43df6a056e0b82ce1c5b5733e0876a5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 4ae98c9b625c62165826e5079dee5c6f
SHA1 2ee117b2bcf99765ee1717852cf2d1e8dbd50031
SHA256 1e3ffa6b3fba8a4b39ab088ca3ea8b5c9beb1a471a66b081497e255985d572f0
SHA512 53d8fc1e5dcb17d476f4e748a7365d2f7d5e47a0b22d277d658873fc3bec4ddb8b1c682fe6d6618bddad00f836349bcd095a438238a96f4acd8c20b3e6fcdb9d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF.EnCiPhErEd

MD5 93ba6031dcfeef69a41a1aa439091dfd
SHA1 848ad6844f6ab3f9820f2a2edf6658ab2c111a06
SHA256 4d6c0560051af224c4ec2e3ce007813387a3bffbe40ee223829304630c61cd6e
SHA512 842463950f777c9df460c8e3ace098a9d8b75d8a9a4fc3f2997f3b49702ae5e708f5767c160cde63a5c5feb8821669400d9dc4839a1f11c14a39ec9f0b9f1c35

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

MD5 af9d37d310b911e1b96a59727dfacc76
SHA1 a9cc1870739ed98a57b1143ea38ada66e1b93cb9
SHA256 da55bb07289ebf361583b4b1fe37ae1ee940007f6661f173ff517f966c24377c
SHA512 952c9ef48bb23c9a25847fd3475ddc045895e4395eea39bc22dae939966fa922ca39f281c42da8e02c91e9115bbab5e15be4491a2fe64316ba528008bc79b50b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

MD5 56c9fa7a92cc59e3f0271645de1b46e3
SHA1 aeb635d414f2e3b1237a4f838bae7e2181a68771
SHA256 b0fcf4c9fe79de913f24449fabd435b8953551e3cc248792b102de6592ac0370
SHA512 099f116748a312f9616a38ace4e21951d428e913b8a675ffe8ae619fa28690efa6cda8931340a31973456e6c4710add0065175627fa18ed8f00d80bf79b0b1ae

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

MD5 f87f37021b8ca2f3b231df101ce0ccf7
SHA1 88894a5601ad0a73a170819ecafdbea13a1bdc45
SHA256 424d312ba300437909ca9b73e5318d8ba76c3b08b7e256e695fad5d198fd3037
SHA512 e832c176aef7f48fe367401e7158274a2f802b51049831d1a1726fa5f44366d98faacf0ee3a34f4ffeed45f45c08bdfec01a763a683185087b1896560d486f1a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

MD5 44c7ba4e28aad55885c8f23d3279ed0b
SHA1 6da6cd105ee8282dcf10139b4d2a9a7d19a2f636
SHA256 3d624d81eb171fabd5b1ef8bbae0afd29b8046eb5f8d9df7262ec7cd0ad17e52
SHA512 cf55ba219c50c3e54aa0acfb6deedd52e9c78f6ceffdd91b44187dc1b2a96f689e7c92224e00aca54c009f3c46bbc7ad3e5aa38e5edc3281c02da31f713a1b98

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif.EnCiPhErEd

MD5 a876552830e7d4660cde813f4881647c
SHA1 6ad0e279e64114ca225868b7f68f86e9a05ead52
SHA256 eb59f2f6c96c22089b9dff1c006d54e0a194eccace92a3ed7e72d7954aec526a
SHA512 fef4496451dcbec55ce00532ea4399d3ba5544063a1c2e4a03df8ec70115f80895ed118a59df320f1414bb097e4a54d9336fa147bfce58682ba5a1cc36bf3dee

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

MD5 e7ef91bf41c57a725a7a5df7b4119090
SHA1 9ac75e6c550890d422caa1c9b6789cd48c8291f5
SHA256 bd7bbf474ae974fa6c62165aa9a375e52399cdbf97e9ec5d76bc853c7e7ce317
SHA512 b263cfe9c29fd4a3694792f39cdf86f6cd2712f276c46a4f48cf1706676a0ca363642454ef9a139ffb205436ac407eed15334faa793516176f552987890c82ce

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

MD5 eb0b54eb83860911073002b71b3a6f38
SHA1 5893fc647795015068d60b1dd5d9ff18de936290
SHA256 0aa3de4735bbd9b2d634857398dd1a2b7e73f051cbdbd610fb10c705d7ea2ee2
SHA512 338e3b3ac1a249b3e67395f6bdafc33584dc514591871ab028d42d434edde8877fa8d4da7d31a7bbe5db876013239eee7a891a44d0fa9d8bd85e1341d72bf3d2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 a7732ed41e4d7dc3ce97b7feecb4ad97
SHA1 ac708081f3bb15c6d4480bcff5f7d1de8ffd9176
SHA256 2a3877e73a04f18a06466fb845e83c18ce54fc04fe1dfdcd32ebce82a82e6818
SHA512 2463bf565b02c2bf4a6e66b97b4ac524e9a8414bdd7f15f04c7b3c35837028a4c111b1e3b6f1e7ade60d29394989ce3f6dd8b01b82cda902683dc8eac3b067c1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

MD5 fe2ba3a925c0ac3c47196386042ff10f
SHA1 5ac61369bc977458ac6e748b0cdad67582243671
SHA256 14855a8fcf48809060baf542af2e98919195d3e2f68ca24e96c05a4e419beab6
SHA512 d4237545b854eac85bd06b9c6fadc3a79a8f9a95009b935a9889e18d16433f82a892ba1bcb142de93883a354346cc4fe96928423990e2edc7c70043810e932b0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 3b0703669e558fe4963996b2d6a8c549
SHA1 59ec59e60a41c08c4c3c30fc21362d12c1068dd0
SHA256 b8a7004d63451469e047c41f6c58d00c7281688832c25da73b05285977a38080
SHA512 dcae9511824d8849a43d0acdf41f48a3aae238b3a62d2d5d7ab32ef2229a1abf3f838cbd01d57e1eb1a291d4e8646ee8535655881588ab78b0a335c5b2757319

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

MD5 066d165c3942022d5e933a3ff153bd3f
SHA1 0b1a1d1688ff1efc1dcb9669da8bb54bf254089f
SHA256 3def90248cb057e34c216931c438a5386ba781d9a564f443a460698dd7398425
SHA512 e768c9ab8c112dfbad05275bc2fa162a2905e5600b40d1275b5f18613269befdb81cca7cb3861c74bf0beabb220fce99c93e3a8651e9cd75e9040747afce1692

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

MD5 19de7be5299f2572d4f7924f7d6e77d8
SHA1 93e3f637398fbf3320857fdeb5fc0f80f661879f
SHA256 5191ba4703f2ccc8ededfbdfa8ecbbdc5faa2ffea9be56a0c7ebe6fb1fce533b
SHA512 55598a772743601e9315cebb3caabdc7714c33b6e7a008838a5f78915f3bb544e34ba46e38d233d719cd80448d1ad2dcece0864e6d22944ae2c8b03d0d220b34

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

MD5 a738712c0bed358aefe2728d48f54852
SHA1 c4ca704450de6253fca19f0b0f6f6fac99b563eb
SHA256 866d84b61365b76c5c9785248576ff216063aeb4a64388adb3f5ee928c69a3f3
SHA512 0aa4e9b328891c26d30393e5dd2d23cfad0d2ab6f5c53fd155a61711f8af4314c282b6ae84711f3b4d0dac4fe9e0847e08d764ea2726c507347dfb942a21a2b5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 52b8c007c9e0ee44910a86851e50bcc4
SHA1 d74cd5abd2423cfc5e6dda4afd6a54b062b186bb
SHA256 a381054d80284fff53ff560f9008bdd841d14adc21005c1908ba1e630a563c08
SHA512 176f686e4ed5388a3cd64fcc4e2e7745d53233ba5ae0f680cce858805ea62c16aeea02b3ac761a6bfa58c5d694788b23f5f760e0b5a8365b5e0996854aa68f58

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

MD5 99a478beec48e4f4370e0d7e91f40c9b
SHA1 078ece9691de2eb1e0af199e7eca4fa839e982b3
SHA256 e49fa6e75b6036c8a73b105ea614dc76ff63d37f67639965f10e601ba26be086
SHA512 313548d37eca82b147f7b91ec62498741d91276df041878c11334d05d5739d99ea91105acb2186e1f54fb61046fbfab0cc6bc2d752da2bd23e8593ec03f2b8e4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

MD5 00c6bbc56064cac80539a3fba1bbc9fb
SHA1 29008c60ea13842668034c951d0b50029ba332da
SHA256 38a195f3884a84e3c8fe870618b7a445576552bab2a4a7add736cc7ceeb294ed
SHA512 61eae13583394031ee10e8e5c3acdf724ba824d7f33ebfd7bad3679ebb289a041ef0e8e78d2419bebf2ff9cbdd847f5269a7e17f3eb40bdba7c05328c4abd854

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 dcb48c3d05de6f1688f42dd7c203470a
SHA1 cb67fbed8add33480733f2dd71ae095f9741f2b7
SHA256 bf5a44f8950334fb0eade07d991f98006313c0c167a5d589644145e2a12ae001
SHA512 099583be03f5f7d6e1095383aa27d3dc9193ddcd6f88cc3fdc7ffc4b71a7cab7f321dbdd5c48a446df9f6f609eaadee50ed15af11d59fdf0decc0626affc8446

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

MD5 11f866456a19ba4ba85687b56c797b66
SHA1 04e3838e21f411e22e2b5c8c66cea677a28d9215
SHA256 3d51e8c2046442d156f5ddaf86816eea289108f6b2420696a63070e0e0ab0e06
SHA512 b59185a880433bebda6b224efc12c9364f79a913f7260aa6e1358a0d623727af2f4b47d5ed5d0338fcaab76e16877f4c56d1a55e5166def939969bf75ed5734d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 ae81619d09af3db1e8f5aafc149d1ada
SHA1 48342cc04722eb05422dad49df4b18e2ddb21416
SHA256 451a6b4059302cb5086eb04d24f19db43ab0f8890553f2b386d03b4dc2b65b09
SHA512 81055a3aad6923157d7c33e6d5cd046ad20253e22c787e649489c4ff1d917ba8a186d06e17499d4baad74860409952df2ec48ffcf15e4c6b96b17835d7ced4d9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 9a4a2913ce0214c11b01e9deba8ccea7
SHA1 42d4b2e0f161299d9e83bce73283128b8b3bd491
SHA256 4712ba39dc9b7b4f8904d9597421116ffaf4490892a9f216a5fa1d1db19389f7
SHA512 2f2d6fc67c944a13077aab4196ee18a7313681147e644a056bfda69beb24928c5ca5acad119f0e971455c486c0c6b305e464110c56ae59dcb2d1938a9a0cac99

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 149be76fcd1e36d7835cb0e7baf3daf8
SHA1 434ad6c320fb4a5f371a3933a58fd1e39ba1814d
SHA256 0c71c2d378e427d97ef0671fa3fe9bd7701a6b36d352ade6d531142cbae26e2c
SHA512 9a4d4023abadb16efb6250242a98b7a38eca2ae4629fa618769eb62a26c3d427f5645c1b2b781bec6222917b1c3b9d8bc0cd15f203cd98417c1cf6765f4d8c4e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 3ce3142e319f1c90f59f671b039d0e31
SHA1 2628345eb46430c403695db968394f6684418616
SHA256 ce48be520362b7262b7f77ffa7caf0dbfda40e71715b745485e8b78628c0f291
SHA512 47048a8ca8e24fa65bc1581dde92f0f11f0a021ca8231118c3006f9870d76e284cdb9c27e2591e4c5984556a0e50590f1f13a20ecb01830a280f282d7ae935ea

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 03a9e2f5145a559c759384bc3273e6f6
SHA1 b3310f92442f5ffe3e61af00ec99748d604611d8
SHA256 9ca98d2df032576456a14ce54b5e3101e83275fb9d5b54f9b2b0ee493b9f3841
SHA512 2773e89a492a301ae85ed344b0175680e3daf5b9be4d41309e9750fb23de479465a8785295ffc0fb7e3eceb8e6602eb12625131a0e0254d69b90044e237e70e9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 c4641179f007fd5768743be3a944fd1a
SHA1 4303ffa654cfed796f02af37800541007ca03ba5
SHA256 1301ea64b08957813f00925499a97b87d23243a9f6b4425e684bdd3eaa7b7561
SHA512 bcaedfb93fad63815e905e90bda820460bb442a75774ec5ac1b276605bb664e5407e4499cd8c56a8a145961ba89c2aa642990fb52efb2dc54f589d7dffac22a2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 8b259de478a0940b1a748dc91e230b4e
SHA1 f87b7aea0e784d013ca6f10a3d855431ca2ce65c
SHA256 3435f937e173c7ab63106032ca846b33e7a5af77b6de94eb9c9e3660e595eab6
SHA512 755c7a7b7b05492c8598b70d466908818de42b3837e3ffc2cae1d6df8840c7d33e1ec4346900ad508015784560bdda05823ec7f72a339538145d7a49c842fe85

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 3c91a72746b7f7389389b9eb50a5c429
SHA1 0668668c3395b14c717ec3b185ee299e031ecb43
SHA256 4425b8c859b8807bd7e3f73776faabf826d2de9a99b870697ae958235a84c24c
SHA512 768fb372a3483f3ce6d04831aeac5aaa52d14cce5c7258e09b5fe30f8452fd95d76ecb78aa8871c79ce85223b7edb04d668743070580e4902e0e34179d328794

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 9b8d3ad2bb27aabb682779295766868b
SHA1 18246bfc11f2356f29cc327fc166cf27938455f8
SHA256 f0392d716649d7d7eaaf1b34057e4ac7f8901e40f6d69a018cb668b8f70d4328
SHA512 e05f15835c684b3da86c87ae64d48b8a65e7f2081dc4e1d207a82dbe0b6d60db79ba2e2804505e7c8857ac3333d1b9d9f1e03d01de00fca555023aeb6cb56e0c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 4f56c5e6e04724f31d555b380598610a
SHA1 79cfe818ec04afd8d46b3dcea50b267070669f8f
SHA256 eba4cef19563977f08db316b23c4147f8a23edc8964d9f29a7a10ef0e11bee6a
SHA512 949f571930c3d504b6142cc44fd8e9cda58e7be65df022284f8bd946722b048ada8f33c660284d52d8ab36a81768c8bfc429195ddc304d5a305bfe6fcc701649

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 f4e88d9f4684c40d92c105eb0df4ebe2
SHA1 bf27ac025930408658b55042fcd989d7891ee9c5
SHA256 a30239ed9e98f03d260989af1f1adc12004cf20e2de217207196bb06c020b46c
SHA512 632f5d9977972826b8bef064314815c8e7065e042be3c6c1e653f3d6a3d3416a4a681bda6c774d5274233248c3edc43d2f33064cde8f4a2cd6c93fb5555bc996

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 3cc4de6df8d41a3690020600da934843
SHA1 8a3e30671c87ff1376d7c443e9b6d780f9db3118
SHA256 f34ed70cdecbbbe92325057624f07b03cae8352c76f1f248834037155600c135
SHA512 758e65129dacd3ca10cb2cfc97bc42af827673bad1b6954a6665d24f2b9c686fbf7f38dffd404a2cd978eddc4c4b1bea831c8db4bf4b3220e1d46164e22798b0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 df37fce9d63d2614fd2f7b428282e983
SHA1 92db0aac07ad951b88061206716655696c1646b5
SHA256 13207641bdb532a64f2b1f0b23431d6f87d81f67d64d9a21b03cc2e3541de181
SHA512 870c621240d2493ac67d503cc88ea0bba0aa82c1057693991b0d785bee74c11be5d621fd15a546cc4e0c5d8ce68816718012655dd22a2c044e079122a1973dcc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 9764db16783a653e3040c75b65096d9d
SHA1 611c30efc129e4808a1ae00eb855d2b2b832cade
SHA256 b43619dd43692635aa16ac8905f0f2bd81cf58baadc2bbbfc14c5f8fff128878
SHA512 598db879f3edc14b73a04924b9272adff4bfc4841ebeeb42bef5e58c5290b596cc9337ca84afb44fc086e100cab809041f266db61e69d186ffdb76a6c75d0a5c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 1e8c76e98e080dcaf486046768595a6a
SHA1 3e51b52231cc29879c89cbdd0b755feb79120608
SHA256 1c86b1d5311f4042e902fef3eb637941f5d3545908597c6330a1c988177a6905
SHA512 c75dc7f958fd0e0bd71d7dc52d02dfb48bb80a77a12e7497a06a848c7d23421865c0c30dba57aeb4e11b003cd7760c93c2942e234bc999f2538d7f77ba575285

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 be6ad15b668807972d2ad74bc28c0dd2
SHA1 5029fb67f18638e86a9ea9c343381273ba168480
SHA256 4eb9a43abcf7100278dcb1f42ec83440329ea8d4a7ab939ea00237891d6cf04d
SHA512 3a752247a6294d9ae625b05d60fd5582fb023560159a9f087d869db3b859c7192b7208f2d8860fbc9a8543c3f3bf59eb59bd45dad161fc13a71c82328a290394

memory/2164-4260-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 36fc4f4c5fb0c16f79018ba36abc103b
SHA1 a72a3e1c9a16a22a8d3490b3857323a8d7f26967
SHA256 72189fc7d9b5b40246dd60aeb71b8ceb903f7d2020f7e8b963f9202df26109a2
SHA512 8497d61c61357cc3e7f84361f24fcbbe080ac979567afe02e635d5688502243ec035e0df7e00342e98d3dc7127cb64de015a771d777e9ebc11060694255cdde1

memory/2164-4498-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

MD5 3223456ef16cfcb0a110c5b2dc087484
SHA1 bcd57bc34f16314f55b2709d2ddd36f693d8dca6
SHA256 a89a178908b46e50f03772da2544e28dd6e81c264f80aea2eb989dd0bfe31982
SHA512 b87f762706f50273153a4f6820130129fae3bec00aadcaf96b84f964446a871847d14427482141c4db71b2d8547c543325d1bb93b75e503af460b041df14cc86

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 712c270596192cc191a891f222c6de32
SHA1 d2622900405f2faa7993610a19369dcf921573a0
SHA256 703c224ea50f854b58784f75c928ec5d9496d56e57d15653a76bc7201e1f3b10
SHA512 5532cd1df504b39ce5724fee8bc1e510254c2610e020c95ef20158f706d1cd63551e83896261e531cd78fe308c2e1bab20373ce92198308031175fd0b8f81001

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 9329ee8a81ea6cd13942fa1eb6b771a3
SHA1 fd8ca48ff7095675928506e45fe72ab47e1ea473
SHA256 ac33ed626dcff31c5dd7399e8c29a391261e77ad0c7c92e285d8d41300b63b94
SHA512 17f3723c2a19363522b01539584a8bac50d0270a0105a090cb958935f48efecf8db10b50b085814e68db66757d11b45b44aac65c2f96658a711c08ba0a4b6b68

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 3654a9ff4dce6d01d5c64927c708aafd
SHA1 22a0b4956f8ee9c4c67280c28333f1840c6ac430
SHA256 e8b6e42d2f8b3015806859681e6347da2ebb7d23cf0962d01f3cfc4f33391ed9
SHA512 94082e4938ab501c6e44847315784f4d8c06a5129db78811e43412e1c1b03d4f85cd85c078a871638c9c8b08b335f9b5ff6169f72f2d06b850f4ff3d1a100b3a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 bf04dda9eafeca1ff7460356a0b0d2e3
SHA1 2cc1dd2f5095850930d0f52395d2e9ce103827fd
SHA256 3d4afbcc6e1fc187c51081cb0991b0e2d0599b5b5612eacd0b0426cb8315fd2b
SHA512 38b7d295537d1793a7c9014376f763ccc3e11c3beea2a3e6d04ea5433599a0cfb66599c0ea4b733ce7d61cd2e21a678c37b356ae233f609e139a3c17e5dc57ad

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 3dd3a9d6d0897ec02d63f4bfc44f2729
SHA1 7ca87c2fb8231500093531b13f0a59d3c96ef481
SHA256 47e0a48454ef73a425423ed2768e58018eac35e9e90c528eeff9655a6810e3f4
SHA512 33547847f4affe36f4944fbd6deae29dcac4acbe1a76cbf941c5c6d31644a6aa456cbdc90a544a8556969e67528f66856a19abe76eece6ec25b0bf8c482aae4b

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 f4fb6d351b3b0165bcd49367eb4ffee6
SHA1 0b91cd8acbd331eeb7516a28f46cba263d3caa59
SHA256 063baed3d5e33361eade9a32df9be2d4da7ac00640109ed76301ad25696a2f91
SHA512 86b2c18290305780d0c37470d050d9b36cf7d630eaf2d1db1dd7979bb62eb9fedc57a9c55a5d01800e3af2847aa91d9669b3d01ff91946e00ea3d4f4d4a68cb6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 6d82f17fb8435ce1501753f94159209d
SHA1 7f831f88bd3892ab4251492a1e2b6419f6a8d2a0
SHA256 bed08cfcc23494f3408668e494c7462195f471c6c33263ad9e17d0ea0914ed54
SHA512 40cd2dafe00cdddbdbf8eab5848dd6d013af597da983dd196b0e1c580644ced1774cb670dcfd3753daebfd35409d9ef78d83e6a645c2f3cde6f82ea922af722e

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 88541ea12723a5ab50a255b7bf61e792
SHA1 6cbdfd969a73c2cf50c6eecec94c16610ad55b18
SHA256 207907024900891cfa97b635c47ee8b52e1a953765a567cd588a199269cc60d7
SHA512 d4a10f5e3389c15747f1b9f3a2fb9d6b11b429c086b7a3e24dc62a2db83fcb099447e8bf3c4fd5b6d46aeda756fb68eee504f1da1a02614219664ece37be7c62

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 c56e24536ba6c3819fa32ab29c1af148
SHA1 231cce2277a6b300224f7a989b21687e1ff55988
SHA256 2ba83a2963d53bb663747cbcdab16ffe14ad955a945bfadf6a98ddbe1f9c8a81
SHA512 5f45df71aeb22c9d9a2a5d7f56f2bfe7455a9f542ebf2e88419066d21e8afdf73cc53f3c165a417e2fa98e99612bdf6aa360fe4f32d9acd4311d7099ccfdd0d5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 e698ccbde1772e46e60b5dc5653bf9f8
SHA1 12e5fc8b0dd0ce2a723232ffa4111b5d52b764e1
SHA256 540d847750f72eab316e99703a6c3250dd0fdbfadb1487bf9a8fcc926b35198e
SHA512 b8d998e497d92559f299f7cdc0022310e9afeafa2b8d59c4114884fa599cdf7cb3e56099b9a94899216bc27ac6661dc4db9efa06b4947a796ce489bd7ebc5fd8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 d5915a7450d365d4b98bbb2a23d35568
SHA1 082eed7453c062e03e62c3ffe07d16121d78ce16
SHA256 d502f46f0b0f36d1ea0b48eaa59f98c1586065364e2a48e1099119ac1f22edca
SHA512 7c2958738f6ea99f552fbd1adec23ec2a4aa19af4cdfeeb99e0dddae0a3fe8499194d2d237c763e193278a7fc23dc4c6768f34d2b4e841cd13f610511be08bc3

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 058a42dcd5ea0da05b4978e759ed91be
SHA1 8bc48dee9bca0ea921f3c364210269005f41929f
SHA256 05361a6898a7a529e931fd750ff8cda48cb87a5c59afd155f7b5372e1f1cb626
SHA512 f3e6c0619975c01b83e6fc74149b8ba7a9ac43f969d862c9dbe235be0c95ea407142aa88127fcd83e0b3740bf90b30a00e5b0660aeab7cea2462dc4c3e581bde

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 0e12bb23ae932054b2a896dc9cb279aa
SHA1 84dda25e3e6f93f3e75139ffeca22146cc3a0a72
SHA256 66d394255390be8386193902a6a7017cef999aafd70fb2d23d8713fc9c565f77
SHA512 db4d1a0dbb0f93d963d10e739ee70f7af16f7dfb7a89422b5c7a2df7f3b40cb8c07f6f326a1a7e91bf71cca277b6e30dd06017919a38516b59a15e0829d55685

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 35bc541ef2081aa9fe8c3d401c447c5a
SHA1 3f6066b7c61f7f8a1e4392cf20296f38556a9aa9
SHA256 c3a09246ef916012aeaab6de8b3170c90495eb1af4f2f70b27cc88a5e06744dd
SHA512 b7431c830abc7a9628b3d20d4e78f506575f416acda1991689e99861c3c9f2a81469c9dae92714661ca21aec0115cdda010700f55004b41568e7367526091403

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 cd9399f9d13099e5e76d17507a2524c9
SHA1 307c429900cecb2626d03f053b3192fca50969aa
SHA256 d5f2c702de271f9117976246a454a068319c9252d0a953c9813d54e3ab23b699
SHA512 1006424a76750beae5ab2314137eec88896b88413c48a330b9ad4e704c30190e87443726994b698912977b805c3fff228fb7d726e1674a1407c0e5ebc6db263b

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 8a0f6446250b6edfedbe9513dd2e4e4d
SHA1 8e3b4448eb354a2fd0450bb2696947035df9e084
SHA256 46555cc7cc7713c4ffbd276a124e93da1eacd5c8eb55a48475468ba9fbc9877d
SHA512 680e831ccd8d2b22339b569d618e1475767a1d95ca2843692336ddf45f930bc760b9ae2985a9fb4209070e64fc0d0716a5814819ac5b5fc2945e7a4f1f549ca4

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 7ce7ef132c4034838543becb88009c07
SHA1 e0d4ce9cc8a9d63a7b75e2582a84f5a0319c2b73
SHA256 3691a7a6e5a811d6968103f971fe82a6e37e8d030cee522241ed9ba534f65a02
SHA512 3825b464d62b7653108535131663710e67991a54f2b346711c9d7c29d62b9351d7c0053959042e8696f6a2e456b2ed658876d0d352f66a5b4904a5505220f831

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 8c90010720422fc3bcb76594f97b743d
SHA1 33479b2b525673acec785a05f21f62f84a858bc7
SHA256 663d08f7a2fa652625afd1d6cacd7057ce0ecce9963475aa4b06ad7aa7ed82ee
SHA512 8eb92ec485fdfc607bb7c2c3912d8c9c6f33926981d155577f3faaf72e0fa9e3b46b17cd99df668a264efb407ce362d92e0e7d9bf4cef0d4ad854adf97103c4d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

MD5 a68c26bdc1c7ede5b72da2ee48ec4aae
SHA1 ae19030d9383a9b1186bff44929a42f3ab707990
SHA256 e755f3e461bb5419c9b1e6c450428f884f5c8f3388b2351c59cee61e15084c3d
SHA512 d22fa487d9f3cb97d0e3c679e72335780defc83ff5f0ad724e50ac031a51c0250b588870a39c934fa6e4da33ea1708bcf2d4f3136e64335e6ac0dedb31824c8c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

MD5 c0770e4ed01b239995d60aaa83764edc
SHA1 97e7ad58881cf3a0f181b173280c40478c9a2a30
SHA256 5211aebceaa46deb0223de6b43dfb49563adac97a56249df7fb05032361223cf
SHA512 e25278a9dc1d8f999d69640de0c7f6df7fb35931a4e203afc7cd9421a867c8ec1ad6cd52e342227c049551f99f91d2b529305c995eef73fae4c20fbe762bb156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 6dd1f9458f8228b139c22dfafa9772d3
SHA1 e3ede18c4861a14642391a4c3d73215a67552446
SHA256 c334bd270afc1f789edff34cb0d7026d527a580eedcc0ef5f14d23681b4fa2f0
SHA512 5c27bf2420c11d5680bb8de8e5a2f91c3c724944f246a37d378dc3f89be9fedf4da6d08883770c376cd44701459761b1d7edf5f82fadd4be3e24b0957d5238b4

C:\Users\Admin\AppData\Local\Temp\Cab20BD.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar216C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6153c5356848b8848fd368c700244351
SHA1 4bfa562e1906f5d26d12c65b233da009d1b2f28b
SHA256 891f73665803fe8a411b88f1425b59297767cb83b76f6a8b9881847542ead9bb
SHA512 e39feecd384528a5d41566ec6ade5300e63633db185d91f5c2fd5d7ac44d0cfe0e29f45e32cfcc404487a1cb1becdc5b2154a7c7cae7fd574b904568a6590be8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 688698ed11e9f50d4a961dd2c5eeb7f3
SHA1 4f1243ad395d268351e7f9e1b4c1f7d28ed28451
SHA256 4a2e741a4a239e89a97072cd6175f7020722b3591a1a44928cb2c76a7de64004
SHA512 ce05a8d2a2969226ce1be5b4d237eb5acd1b39d99b95184f2e51ca798e99489df8ef3344ac065e525bc2394ff74fc0efbfc49efdc91235e275779b7d238ac4a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4005905703f49c51b42cf0f9a412078
SHA1 9efeb66ea5bd3b8a05dc0aa1641cdbb64b0e5fb4
SHA256 d81b2a4bb2d91e28e007bb47452dcd5463fd7af0f2c1a14970ded0ffcebdc3ae
SHA512 01c944b7abd9d1e0c37973641bb53e4f6632208d9514ff98ab6145efe84b8ff6732c3156035bf8d56e5899d41efb9d2c392a5567f9ad22617c4118c16661f9a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef96af10ea6ef30df7b2127942290583
SHA1 798da422c088e9eb672b7d795d046f10450ff6e6
SHA256 2224b9add5f5e5520f92ad2aea48b76f53c5edc82298c0e3e5672bc1f17e3fd8
SHA512 adcd86a8107c499a2d954a46e223601f7b3323db7baa0c5407e792327745521ec4ee5e6fc8b14fd5ab2dc55862806c9e18ad174d6905d1d24bc8f30f454f3b4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 514ce4196efc0468d98bac1d3c42ec99
SHA1 e17a7f75bc95a37b0bc624ba6306547754030aef
SHA256 a2d4a3618c2936ad2a3522c330c002e93760d634adb5da823b4c7bc8ca80fadd
SHA512 3a8ea4b2125bbb4d4396224052a54ca9383bf355d579e26952fa70b3d1725efb2854fba40a0ac8b02fb6149c9e20ed9157b85c33bf80f4b67ba38ce464b118a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c53520bca533f12988ce69c39781a28
SHA1 8b4064128fb5c39a3849940ba93d35e1c8b0758a
SHA256 059009afbdc833c91e6c6e896272978b081b01e99655be7b8d5fb2f193d49fd2
SHA512 1bc97b578296c3c72d5e0755a564ba7d0f381a8272f2d04ad7382184ce2aa305ceaed853c0ef45abc088a81652da1e8054fde07975daa16267b0d552bb7fe23d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a07604d9ea0287147f2825d7a9b257e
SHA1 5d4ac553d54698793fecce66c87f72aa37b9a338
SHA256 6c3c08efb8a945823e7ee67d9081dc8264d6d717b0fb99c7f97c8d7ba65e16ac
SHA512 9cf5a0db619c3a3faafe873537cfbca788e64cfc651805d15bb87121fc63fd22ea3eb38edae65bfa1bae8a12c9851f2f695a10f7462d95a8dea211b34016d88d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e075626ed2d3bc8d9ce3488bf59385fd
SHA1 eff94c6a24e6051cddf19bf473e90260563b2d3a
SHA256 aff18023ae5c87bef68294a9b1190db04ae966428863b5415c38bb1bb1009515
SHA512 9ebca4c0d3eeef38e9598fda310da4a8bc38924521fcdfe69f58adbed9781bb82bc668e1ebbf63cd49ba78478149f8cc8c516d87b9d96fc0746ac420625300ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6296e06b55dbc2dbe605eb34d0aded6b
SHA1 e10e32510ac6bef69f7aabff35a4f79825ab50d2
SHA256 0f4ba9459ce63039742bb97a96d319a35785ee7f3faf445e7fb40a8d98c5381b
SHA512 c0c52b8f52fe878e0a6fb8c78457a86c70af68d12f2f83382971c607d43dd2001d36c852de691167f149c258489b68ffedecc26c6ebdf362245c4710b99af800

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc1d2014d2ce3079e48ebc8a9ded6b9d
SHA1 62088072e7ac33344788a80b52c1b40d616f5fb0
SHA256 3dd35a83d78abd0990e9feae3b3d11c376a05404f8c84c41b4a98160413e1544
SHA512 7b5af9e24f9157d96604250a18b890b24341b2f16c6717cc6f7763d5d2e409103c4416ac0a1c2d72963ed2eaf3876f17fb7f1bcc364e757d1c13e1ea76d6621e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1323adb760627b19a8a0fdb09fe473d
SHA1 3459b274bbcdc8a75e4846f3004a769d2a4254e1
SHA256 e4cef9c16d27ecb1da81d61f13ed836fd108e6c2b1bf31ee3a727a2be17f9c61
SHA512 cad43ea8316f1a569a6859ad8ec010f993d739e654702a9135c3a99225634b89f3784098599b9dce4842bad666712f996a544c259e8c0f30ae1f42e536435a38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91b48aa4f8d6390e5b2b9c70499b95e5
SHA1 d25c4d0ce0eb9623d9bc5bfd4eff26402758d54d
SHA256 e47c2863d6f595f8d5b880b513e2d249302afa8718ead69511a4df31910de6f1
SHA512 58006757647afa38b4945205d302eef8ad681fed121b8c9732d1845fe0edfd7c501fd15775769f09c7cbebd1bd4e84e0adb30eccc8ce9b7b297610596420d9c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cac34474f895ebab967336d8ac9e472
SHA1 a7859b0f3fdf1d46ec43a8d9c555146566fdfe1e
SHA256 f0f5185deaeddb32c61a7aa8ee1479c1be9e2e4bf2120b387c838c7f86d08da6
SHA512 e07897c3580ecf079da9d0338fe09bf6a71cb471fc3da2ac665f349a6434329541ffd662d5069f81998dcb5de40de1f8287d26c6da04942fc51b6752ed9b72c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70fde372b4555d218424cc925dc76645
SHA1 e95270ca642120956eb13adb0101232ee1460e80
SHA256 f9787ab58c8f8edcaf9c9d97b7ef80c01db706f445ebefe9025d6941490a0061
SHA512 5f311575b7c2aad5c28b1b1fee643425d9a93b79c56ccd5339fec78af5e95287a9b3fd94710b4aff0cea226814e6292d2bd5a8ae74198af14a212cf4803e5946

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2038db63922957224ea79a428654e090
SHA1 f5d552e62b50623b95ce30a28c798d0b07e41558
SHA256 4d2f6c92ea9ca06db7c9694052adaca1b79b8f8ceea6466a2ca76a184b72a6b1
SHA512 6aeb458384d1c360e09fef6c5e23d9fc255567c68691cb0cabf50a89d6a8c9d20523fe3a895eff7a081643c148a0d09e805d29aa6a1824b1527375a41f400b50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5ab1e30b92e9fa43b742a62e0f49a76
SHA1 2999b84022f37c8cdc4de50c4fbe76deff501ecb
SHA256 a650cdc5fad85fb4195a338eb5870591b187ec51ef7ee8eba366710caf884816
SHA512 f8ff2e29d2ee7c0b8764f776b27bf56964779483392ac0aed09687ba876b1da3fc7fa2067975c7e3d42a1819738b849fe9774907203b3b55336d6b3f838f2a5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff7b60b11636461b656742d029f21f23
SHA1 1766bfd5bb5e6ee69cb8887b796c317c3eadb7d5
SHA256 15b4570b213fff83d0fa4751b0a3ccb3b9864387892ef5bc0f36b43aaba77ae0
SHA512 3efd271fc479c798391bafef9fbe262644fcf3076498a56c1c27ee501743710e9c7e1f52d2f67423c08c2b741b7cdc2815ec1ea3aa2cf2edd7896efed6face0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a50ce27fb7f3a92806c54222388cfa8d
SHA1 98e859996c46401189cab23d1cda5199f2c5b720
SHA256 1d13d72b926d71343b30295edaa7fa9821b4167fa2d9935871650d771f9bbf22
SHA512 3b34de4c675cef8133a777dc0e8675705eefbda60c42e41be8be58ab935149de052ec80c29bc42f0700f64927433a79e244854dd4dc606955c819afe64013cde