Malware Analysis Report

2024-10-19 10:42

Sample ID 241011-enybgszcqk
Target 332fc75edd44b84a3442e6f97076f55f_JaffaCakes118
SHA256 bf546fd45bf5b341a89f60a6b62b02fe2ff9020e1ebf36d5fdc2bbf90a817fc6
Tags
xorist defense_evasion discovery persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf546fd45bf5b341a89f60a6b62b02fe2ff9020e1ebf36d5fdc2bbf90a817fc6

Threat Level: Known bad

The file 332fc75edd44b84a3442e6f97076f55f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xorist defense_evasion discovery persistence ransomware spyware stealer upx

Detected Xorist Ransomware

Xorist Ransomware

Renames multiple (2206) files with added filename extension

Renames multiple (2187) files with added filename extension

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Deletes itself

Indicator Removal: File Deletion

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 04:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 04:05

Reported

2024-10-11 04:08

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Renames multiple (2206) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pipelines.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\migwiz\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudss.inf_amd64_neutral_330a593eb888237c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\faxcn001.inf_amd64_neutral_d23021a1eb548156\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\wbem\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_neutral_1a5c861fdb3aab0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\XPSViewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\zh-CN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_neutral_41c6262952846788\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\MUI\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0009\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_CommonParameters.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_ISE.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WMI-Core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_execution_policies.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_hash_tables.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc4.inf_amd64_neutral_310871d800afa82a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_cmdletbindingattribute.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_profiles.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\about_BITS_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099194.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Microsoft Games\More Games\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_de-de_772af58d442606dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..ntrolsadminoverride_31bf3856ad364e35_6.1.7600.16385_none_9e0f617f287893f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dfa0d6aae0352fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-speechengine.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_477cb893f4cdb3d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-devicemetadataparsers_31bf3856ad364e35_6.1.7600.16385_none_22e80705d605ae66\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\msil_system.web.entity.design.resources_b77a5c561934e089_6.1.7600.16385_it-it_f925620240523017\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a479cd0719d5814b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8afb6612219902de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_518cae4ae00ff68c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-artcon5.resources_31bf3856ad364e35_6.1.7600.16385_it-it_30dd33f8e7823b5b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_prnep002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_11ad1328609df59e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_providers.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..-statusui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e6717572d615516f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d89a23c740117ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Windows_PowerShell_ISE.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\inf\.NET CLR Data\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-audio-dsound.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b7babad777271867\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-notepad.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a8ab11efa5f12597\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sidebar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_922fed2783be58c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cba169dd0daf0482\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68750ba1329f3c6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7a0f362f3bc73d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3587445d017f747d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_mf.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a97119d065e0832c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-audio-mmecore-acm_31bf3856ad364e35_6.1.7600.16385_none_3cda7ac5faba7582\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-photosamples.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e21c565bbeaf3080\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..lelevated.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2a0a13fbc301d180\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.1.7601.17514_none_207372147765c03a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_moon-waning-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_prnbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fb80a335d3ed8040\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_e6fcbd244bb7bf74\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-speechengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a557398701b2a1fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-dfs-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4370608a2e5481d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..framework.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c91ca004ad89a3ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e87a094cae9b1ea5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Information Bar.wav C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\msil_system.data.linq_b77a5c561934e089_6.1.7601.17514_none_b58e250edafa4a30\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-charmap.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_89981d704c19f8e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_c81348afa0c88995\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\performance.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_server-help-h1s.itprobasic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_45b44e8617793380\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\shuffle_up.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.17514_none_61fc33a326c6a0f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_server-help-chm.eventviewer_lh.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ae1025f3324a51b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\assembly\GAC_MSIL\ReachFramework.resources\3.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..rendering.resources_31bf3856ad364e35_8.0.7600.16385_es-es_83630149944716be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f93ee61c3bf31686\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\bf808b9c0c44745fc6bf261c44003c7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mfds_31bf3856ad364e35_6.1.7601.17514_none_03b45f76341c9aa1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.mediacenter.itv.media_31bf3856ad364e35_6.1.7601.17514_none_d1ce91acb3723e8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\msil_system.data.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_3e49fa1df2105ab5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16231a77350a8eae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-displayswitch_31bf3856ad364e35_6.1.7600.16385_none_ec98071c85cf09eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..ptdebugui.resources_31bf3856ad364e35_8.0.7600.16385_es-es_0c45b38172c1b295\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\diagnostics\scheduled\Maintenance\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-parent.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1eb985f1aea1081f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe,0" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TDDXKVAOMIPZWWP" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\kod.exe

"C:\Users\Admin\AppData\Local\Temp\kod.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe" >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.stimfal.hol.es udp

Files

memory/2336-0-0x0000000000400000-0x000000000045F000-memory.dmp

\Users\Admin\AppData\Local\Temp\kod.exe

MD5 dbe9a0e8a0f3581128d9cc4002fcd8f1
SHA1 ff196b5453f485ae4b35e6c46ab1aa38c627fc20
SHA256 f66404a3041ed40e2906ef1228bf5b7532b8ac44e8f8644780e0d310abf9a07e
SHA512 384ebd9bbc2491e01c63ab129ca0e4f27f8f5332e669e2efb4eb32bd838ad71f4b8a0f9beb042fdd66010a9703e2628728fe84e9a2b5f4a77074ae69854d9975

memory/2336-4-0x0000000002580000-0x000000000258C000-memory.dmp

memory/1084-15-0x0000000000400000-0x000000000040C000-memory.dmp

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

MD5 6bbb4d89dc1da9cbe4bc61701d73e7d6
SHA1 440ad1de39414d5574201b5fd03ed1dff496f2c6
SHA256 ce643805a86233be7ccf3b4340370a9f25a3697a1351ac8adb2042928f747615
SHA512 a30fd332113dea60b02be64f3cd7df9c0ea081ddc1dc526ddf153eeebfe8a79a8640baaa5848236bc09cd1f604619eb6753995fc1130b42df42d59d6fb14617b

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 12d094d717e57b9ee0f16bb73ace63c4
SHA1 57d5dc04a605b3a7e880de81aacc210568353ba7
SHA256 8dac2295be785d584a47e89f79f46ec346f7f74e5001b15b24ba7aea0349e8b1
SHA512 09ffcc20ee10ef1558bbe5cab7c8e51aa8b9588de2a719393b92309001100147a1b52d4d7d2ade0094deb67b84294f8eb568894275a116ddd3eb164e68ba9a40

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 8335731730bea2fda9032b7f1a1252bb
SHA1 6ff4e29b2083b3df1ca451985e1ef899d64275b2
SHA256 66ba2a9c6fb98a210196daa8d251eea18aaad9c1d5621163926e3d4710e2c0a9
SHA512 293f36f36b11279821c23b9422f7fbf6ddf69151ebdaf3aa051c0e9a16caf58e775fd9af61be944d5e05f9475b27a4fab12e42c4e3d328babfcc7bcb4a538772

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 d80fc07e909b90ce513ddb76353ff8c2
SHA1 35e6672056b4b3b956c218b411840d10d5597694
SHA256 1641155d56dbb8b7ea86839aa10eedde879091e55b68ff81da2c3d52b6a4dc91
SHA512 310a26fe55aba473b900c4f60f4fb59c20fec8439e81e6c445ed145ea8cb7a4a3059a1e605385da95b3fcd8ef5c9f7ff07faa9c2637915405e428fe63889edcb

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 285902fd7a1132e2d1813c6814794dde
SHA1 e8c154208a61829b9d5bec6bd76d0b1a1c587575
SHA256 da02d275e551c14e93ab4b71e1c1862a629fc2fc7ffc61936e2a038b5d8958e9
SHA512 07104899ce2ce53e4003a36a9d36f012a23b6b3b699667bd56b359d47cbac60f0b6d4f000776631ac84c834c3700c7828bfb0db6a74c6a9151e7ec506e2b730d

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 c2fedd24d6c0b480b13b5f0f34eb3605
SHA1 f7ebcbe6bed702573376528e8e23e030c48f4f61
SHA256 8d574db89163bc1234a52ea0ca9cdf414a8b7ca5b6c70e463cd4d867bf0ac249
SHA512 066977975307233a010bc4817eb415d8013cb3600af798067fc25f455f4b246c551a0fd9359d3a73d1c95e38bbdd06b923ddea1971754bb34b7f888ec5e0aa4d

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 69177b9419369b9b819d60e988cc72c6
SHA1 15eb37f07bd51f788fe2ce539be5e482fa2f0ece
SHA256 5069ac209684982dd28b93720d2dbd727861669aaeed0ee145afadb8baa784f4
SHA512 fd2229a8b6c2399df4284200ed47b5269d1929e23acaacf8dec4594b1b74b102da97242f9308f693999bac50cc51fc52944b0999e99bd417e554ceb9daf39b7e

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 f2307d35c0ef4ef47ceaafbdd80e46bb
SHA1 3ff22ac7040a6c9e9c3adc4e425c0c0b77747151
SHA256 161ed16620283ebfa9ddd9529bdc8799bdc499129b3eb8cdffd182e9efd86e6d
SHA512 89590b77e7522cecd08b325d0fcd6450e2d58476358e9f11db67c14aab3f54e12af24498e20d93d553eb8037b3a035cff699c9db04513d2ce66cdf205b46fc8b

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 a2ba6089bf780e3a663c4b053fae4568
SHA1 59a5d39f43ed416ac54c80904ae254b939df150f
SHA256 da31066d0674dd120eae05c17f73197c9c650c4c2ad371a3339ccf928879f85c
SHA512 ca8b6913e4674abc593e10a655a8b5ba1cdc33fad80ac861fa9660d8979ade87d54f511a47fe70abf7fee8363be894b2e12b93a5a57d7f6c5ef2a512f2e8b043

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

MD5 b89ac519162957260c3f89338ba060cf
SHA1 b7e5dbbf12b616fb8f0ebb37b1795c90e7d67f5d
SHA256 1884dff2d55783c159a8698c563278db423b6a59368fcdc5d1c3c6a480a35994
SHA512 ad8249e35b63a8efcd5ec456ba294681a6a0badc60f224033d178bb385ca168f2142f14ac2de97d552c60e76ab3f119767c53519509c5ff095bc861e35c571ea

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

MD5 71129724aa7d53b8c045308dfdc190e1
SHA1 ea9ae9023a61cade23f1bb0586cfc2e017ef27c0
SHA256 c7f5ba610be8e450fc3d6a066a771f3337da72221dda13582ced5812fa43b484
SHA512 f3a44e7ece939152767376c0b25a7ab94845f402633a3c1e0120e55f088f1c680a6a97ba17c974245351c15a3d2b61a18a512dfa6932826b329902f02c64c0a7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

MD5 10c5ee95fd0d01185cb86e9213820391
SHA1 2fc318ac50faa07a8d0d5a8974cdf9fd05b9b1e5
SHA256 a34a9b0493d8a24c27e1d9dc62493f6efd652c092276c93781099ce256646a46
SHA512 a077787d7afc98ca5953ec889b53ff8ae21c0f34c43920bed64c6b3745f79e1b2fc6421b0890648d7b9528f4cca65c645e3358f1b60c0a87314319fccdc08561

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

MD5 baff9447cfdfa3a90b4d96cda7128d90
SHA1 dfe9d87bb26e777008bef1389551621a9d8bb8e6
SHA256 a51a0efd534254bb81f2efaf41bd0af4006929f415185be1d38021749c41b9aa
SHA512 b9eef5028dec991ee115ef437a5a93cdc5501e1d932a781476d7dac9ec4a3f2974875a482e455d28cd5a698c92ffe0f390d09c3707f64a498201b4e0bf0ecdc4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

MD5 56db9cb48015f9c8f8b86bdb263d8a44
SHA1 d628dc3614f82f8bbd4d731d34773643ed7fc6eb
SHA256 9439056c3c19f8a18e4188027b6f7c50d4be8a32e9f44c104f7434611907d6b2
SHA512 47a9b92a138dc6bed73eacf236bb57f60043ac7920bdd47ac2112e9a6b985668a3e99646381f40cea0fd7b3a2e9a90019075c836ecc5762bd333b5e068a19d20

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

MD5 3411182851190023acf69c3f2b8f997c
SHA1 53b6dca031c6875883664112efbe236b045295d3
SHA256 1c88eefce1250061b0ba2bcaa582c9dc5fb7354988fdbcf93ad19b8f3d945234
SHA512 e1b1927753445be9844045ba3764827c405c01ccc56c3470988fa519b16e635e4e841b8d653a961607822aed081e13c17bfba834ac92e3181d9ebec7d42b1784

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

MD5 0c74eb3a43853bed8b3b622d6a0b0cb6
SHA1 857ff31d0465621908a3c7ec696f2b0e9b247df6
SHA256 2f330a41b6e4cbad4ad594033a9b1c26144a0ac35df6779dda0f1e4a1f38100d
SHA512 a6414a3d42d3be02130ca7f257d4532a5bc72675515cc0249533a928b0f15de42741d49b46cde46d9893832c474333cc75db74b869b5f8e240eb026ad735054e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

MD5 060a37cec9ad4961a89a9f3729cbf799
SHA1 34fb586992507c4cbfcc295666dbd77bec444a67
SHA256 36e514ffcb0ba5cfe9e4bc8e73c25577a6024281b78f2bf0e00d9e979e5bbd4f
SHA512 bdcfd222a807377bc3644b9f59b0d0e4258ac8e02d538965e7d4cd9569dcd0857f94ba82b4dc7e600793f4c0884f138b951aa47c5aada25227c82e40bbe0b7a0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

MD5 10be115440f9f88fdee3e2f13438f468
SHA1 993f8da59427bbe0bf8e017d482c37b8ad41760c
SHA256 c4460881550131dad73ff3dd9b507f2dfa7fa05acf796cb9a16a4f1541512752
SHA512 bd258c59f4a008abe332e300340c1313f5e6a57dc13dffae6d17b2fb9f938d11c72489c2d058a6b9a2f04f360f44f8242f39425ba62c30f291502bc8532f3193

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

MD5 8a329a0fa7f3d24336f4a6cbfdfdb8e5
SHA1 7697772d66eaf37913b8097f15a5d833206f9861
SHA256 15a7827dc6df2e6e101a4165b78e0e1a316d2fa58086520f113111b3c2731490
SHA512 3a9d1f3fdfd83aae9039d2d41e81dc4da246ba9dc079afd61d65bbe5f76b7a0846d26104e5f2fe720b29fafcff19fee9304112dd8c1544b2318f6e768ff8328a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

MD5 e7cfbf0cec0c820cb44e407e8f47dcd2
SHA1 3cf227ff74ff66b942d1a9d2496e62895995c452
SHA256 b4cfa1e302d19e38ae15630d0f2d8dd5c2da618f50191340315dd7b038759584
SHA512 e025fd9916ce772712137a88f53a08b31709cf5c518d735a3319b36727f02429747406b91c4e45d4f27f453a04a37b8696788082c88125aa5e6ee23646699eb6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

MD5 537a3db31fb6c68505d1d4ccd6ddff1b
SHA1 9b6e8dbd9c467e68eb27266f59eb4f8dcc49aa09
SHA256 7d9ec9b764e50cd9f39d1495e9ed0631d8071aeb94d6c3b639d3366c6be0dbeb
SHA512 f861e489cd61ed9f10f4bdc62350bfe430694ed555dcc2d522e3a3dfedb5eecca6ea08947f5a821d3f3623958e77c413202d46b9890a54cad37c7647674c400f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

MD5 b6758d54e93e1ba542411d6bbec65dd6
SHA1 609222ae5d378b010e6054c679138c7cd619e0d3
SHA256 d297c2e76f032d8a31c69dfd3d4a8a3e0b09deda2a90a84cc2b7f2372bf832a7
SHA512 b8f53d641cd24d0c34b9ef0ed7f8bd03dd319349c93ef9aa04c64a66c4a657c3aa30baf263a0ec29316e79b68ca6d6431e76cbc61766ccd406966aa7c4ab8f78

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

MD5 1870e71755715c29a147359770b7fe60
SHA1 aa391d52d9ec43f3580aef43c101dffa2aa19f91
SHA256 eb606ec86d3c6817081b11664253e11ba48a660309eb86c788b991539514e2eb
SHA512 9506e3b51b10d933f64e9eee9a9aaaf6bcaf759dc4b709099bac42188f770c8e384334938250f03d6ac0c1ff3cc63310c03ea3af26ce3e4caf1e8eb9ecd30c1b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

MD5 e20c1c6d73c0e5758bc10c133f294de6
SHA1 9489fe9c7e554a0d47f55e8f7f88da31b7321601
SHA256 c12b3bd84e7333d163dd9029ace266e0a56dd6456c040f9b7061b45fbd1d3eac
SHA512 e1c828baa147c31a7c9c9b8fec7419626d4ec64b5747f0b8c5668d8fa0d43ef95e46f992b2c14a5c1f275d0181b57292c5a5fbaf2b9d19471c64fb716120e7f5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

MD5 4bbebfa2341dc1f0c4437381e400b2a4
SHA1 b730051398ee4e66ec0962798e6cd39741d58f92
SHA256 cb9bcc3ab5da2e234a3f929d0ce9323d98473aac5cd3a3ed0856deeda8b22b79
SHA512 3fbc369f5733462f1439ce8a9da6056de8f845a13445d6e0876c6ddd8c1f5dcc423668852beb58070530a0acb465ecbedfd63b827bd73470d1ea68f7bdfa85ec

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 221a9e2a63de8c0a10d38e1373719e35
SHA1 31777859faa8ea3b90f985b66e1093efe6cf9786
SHA256 bd6392f3bccc80ed0d158a6cc141b517c50eefdec00bb81f51de9759005f01a1
SHA512 886ccfb67e21e26f5909676e51407e4a2b8e6514413319d9c38af80b7a696d4b358a2b65c4d77d8b601709a9fb0b6455566d25f92ca66bfe2918a3237ec237ef

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

MD5 ca2109c285654a79bcc12a388a35abef
SHA1 a6145de4fae3619036c5ba38e647618a665d50ac
SHA256 a1f9f46a418e890c409b15d1d6b1479f6523486f8d08778fb8102f26f27a0653
SHA512 8c2aabc5b41ee759b36b33dc83ffe2aa7c4048bc07d8bccf57f6b7e764f77d31de32a3eb3e3ff9c1d4cd2f71c339ec11fbd5692b3ec9f9f089a81fc0e55aa426

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 ccf793eb9f83d0f77b4095749439f239
SHA1 8a2d9cd25cd204cc787d737273045bb10da63f60
SHA256 cdae9f5b49b4f53541e8af43c544a86c252e5fca10046034a4b756f6ce7cfd78
SHA512 8ccb1a91a0046248561c4ce01ed8a90b0994d5d69d862cb8483a63f5e970a4eda671f557f206e2cc2bf93224e4817091726481ed8acaaeaf06589bc714556d8d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 885be553a926e162244d130fb020dbea
SHA1 f15c43f774c0ecd354fbf5c097adaa8a0a0dc51f
SHA256 f8003797861815f9a7dc675e40b25e85987a1a54989558a2f8d50276ae8bfa55
SHA512 df7557b8b182da11a79dab492e4df245ade8c3e1b0d13b8c1dbf5bf9db84035fa09c91284b590f782b366b7867f5d4fc6f86b6288c6978427143af18975ccb1e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

MD5 31ab75c4ae48d67c7c9ee585bc9304bd
SHA1 c0fa9b115fbd50e9f766accb7e970779db9eeec8
SHA256 abe5780e0b0cecf7bd702c1f3ac3fd96a7af361c6d1ac1c90a605835a7acd4fa
SHA512 becb139ccbdbcbd7b9e6c917cbf03f73d8f1fbe750a1682031eb2b0176617a8786254557f57de01611d2548de33f770ebbc691bc5e770798491459b792c5f284

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif.EnCiPhErEd

MD5 a383fadc18515b50e06ece4b372b6766
SHA1 d7a9578681ff0b02b625b5ee70b3ae353e935a59
SHA256 37f55b234b45e26515370a13be6a5fcbff090cc45bafeb23041836be1930a1c9
SHA512 02efbf308cb3c6d4232ba8916e2504f88241eca9e412c4f5c85d2a1ccc50cf79c0e68ba3156d0a8db3acae991041ce5279d2ca0a6830f37fceaac3c1ab8ce8fa

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.EnCiPhErEd

MD5 8c34665a6da4936b9bf38482b77989a8
SHA1 e34af6e9ba1e7b354d1d7819d72e0b6ee5b65dc1
SHA256 f5e92e15fe9912ede8a7dae4855615301a6b698db97e108c202c6dd60a22d7f6
SHA512 325027b28bc42a908b4316dcd03f1d038871abff5a7132261dffc76f3b2b18ddd40969403da8062c8632bd996d1b24b2cac2e92da1fc0358605629587c2daa49

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

MD5 89974a981243b3b02adc7bad83434be5
SHA1 6fe88f498e3f9e56a7e5af529680cc39a934dfac
SHA256 d41dc7da63f38d51879f7a5999f456995a11e4a9dc934e59e97c68b425ed6c24
SHA512 b465a00fca3c6e79e8e0a676c0ad8f2d87b513b89ca3d676829fe891e39d28a335f7be840a0e15cef4a9a40818ab4d307ca26c8f3750def272dec6b841aa19b3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

MD5 671103eb271d0f7de1e60ebee4bf942d
SHA1 2ce397e91f12630dbed7da98ce76e3d90181128f
SHA256 adb25ab21aa334d25288ac84469f784f9a1f19fa7461b3b4fb41600216955c73
SHA512 5e78d460954a80b796ad110634a0021525d9b70295f0d4d0ae98e1439d842e43a51a7ddb03e9afa65655c8246c42ab5ea6a3f6e26866b0ab6e6c12cc3d4ee082

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 b271448cbbb45c158b25e38069ac815c
SHA1 12ff5e295f8adb5dfb3517b55c3d2c889799727a
SHA256 c2999d92a68906008618f361f69d007c86610bfaa13537650c4064c92b583f5a
SHA512 60414de7de29f3f4721cab5b78fba767b360e97b60e9df645f8a6a3cbb2185be538284cf151113a8198fd97484b0ae5d502ea9965e27175d8443e1da3eda49c7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

MD5 6ccd89973360c8f00096b65f9a58bf15
SHA1 c303fe3d5e868df6eae9af88810447b8e664a3a1
SHA256 3c425658be19ffec2b6b6ba572edbedb9bf971c90119c12f913e7cf44ec68f75
SHA512 abd0ec340256166951f27eb4ac359b70aabf943e5ee9ab71f167913174457faaa4624958e1d1d57256f707e6f02ac62b3e384db45ab687eba87374be210e4f68

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

MD5 ce1f842877ccc94c00761464bd38dd6e
SHA1 445adcf7aa62e851528a7dea4d2df198c5e8ebeb
SHA256 0fa5ddaa2f427910f9930bcc43a3ae35b0c2f900357b02cd255604668844f7b3
SHA512 d5b5a020fc08793866721e378ef3efd26239c4e475f0846e0da18ded79c522efe8eaf8df70d6b0cb0b825c0897a225008f8b6b49aea7657f9fdf372d3cd326f9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 2951ba5b64af28fc6e9f3d107d40435a
SHA1 be2c3d36e10d2323b6aca321db279f0b46b83ced
SHA256 38d01318f1d5d942ce63c9962f69dc366cc5a0aef76ae74b93b6b3225893a1de
SHA512 8e4abdde392a68b63a5495ab4311a86921c5aea85c28aaf71f387be58554a2b1be6049b4971a618e92c1accad94a7ed99c7be0aacd1c98d8ad859024711a509d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

MD5 89f982dfc94f592798d3bfad1f933afa
SHA1 85ddb054d6c61ac3231356d8fdd7f1748ec4ba4a
SHA256 37bb3246f158144213ab7bb44a0bf11a695ee6cdae245a5db43952b8310661a5
SHA512 0b2b3f8d27c1380515fc9da51257c2956fd8a4a0cf6e8d6e7ddc9c2133d9670680390c45ef331a51ed2f544a8968d3af21406f082222148fd33596ec2629e4b9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

MD5 4002be8dbe3b64f27c833fb036eb9adb
SHA1 b21f1a4ca74f843a408207fd2a79d5c365c2d09b
SHA256 78fbdeeba16b1e29e2919ac6e953ffb8717f35b5924fc471ed2ab59e2c9876a4
SHA512 4046b77ccc9f659fa009eeba6affd3e449bad5bdd88d76ab170bcbb5bdeae4b671fd67636a2b21507f4724a4c2f725d3d65ed72d408496152ff357a6b97f74ce

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF.EnCiPhErEd

MD5 4bb3eaa032536e1fc269e83e94d33954
SHA1 c146d62ff4c2ee997e60ca00637395ed2a45850d
SHA256 758f65ceb96f2c66920b18dd7d0c5d61db5c64dac72df455ee0ed89216cfc495
SHA512 e22025888dc343d52da015c7056ac2b0e6b4e40d459c3fe99de45c89dfa7ee0c1551deea2f25ffbc8db537cbef563b4a7a0eb708246f32c62233f56afc96237e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

MD5 458db2c19f2dd251afcc5476182cc2d1
SHA1 5a06c0aee57b7667698bc14a00a0a194c2362bbb
SHA256 5f15eedb3a9f0bbf34e3d7c7b1880b01c4f31929dfde031552063fbf82a18870
SHA512 cc2b272ee11767f944ef6fea4cc3a4c666ddd1b615aced35b49b2fc3e6d058e0db9bcd3e8f40dc1078e718e4fc4186ca013c80e48bde5bf9879428bca7cbe5d1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

MD5 8ca4d7e3cbcd9d87dcc7f10cc2af3d19
SHA1 b49415d6fd770b995f4f0c730168139ef41ce364
SHA256 8f9779aa19c3aa0a0800e1406c3421f2b795793ea234c2d07eb6f31d08206bf5
SHA512 9d74a84c7a9ce452b277382af6bfd8ba8e0c23a17b59aa24f9c5695529ae75c7ed3c9dd085f676b3c29d10b8d79950953712a088a2d9921b1f2cb3a5e6f9cff3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 ddf1832750425139787578266fc0015e
SHA1 f65b46c96d634402d7b194c98419691f16a90e83
SHA256 6ae49928888750ed34803acef16b8cdcff9e4b930b48a6afaf9fcd5474f24d2a
SHA512 60291baaf9b3f36c47f8707f60aa97407412a5979055b734d92896e1e635bf6918af47015f1d3843bae2122be180da88c320e4dc06f756287b4fa4a9b8eedec5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

MD5 2302169a086cc8a48a2ec06f5ff7635d
SHA1 9f5c63eb79c77a2059b69caf3388f2fb41e62bb5
SHA256 8aafdfae2ff521079e0167f0080748c500be9c7264b32fe50f648872e0d81e08
SHA512 83d3709408627852c0b055c0994cdfc3b3c22bffb3f022ff070b119b83bf7bd980b4592d39af9cb0db95d055d44b444438edf2c3a77e7453dc2088d309e311ca

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

MD5 99c08c8841d08529cf81c7482bccb43c
SHA1 7e52cac23230aca579eb197a869c2ea77363418f
SHA256 59d9619101cd57c840b590fd8e6f8229a60da607a2999850d99dfd6380ddede8
SHA512 87101f8d33f547a30a124266be41376b208fbc9b309f6e182510f5e0f5c8d0e186df883b29fbf1851244c27b345bdd2266d9897664b56e4bbb6c8410ed58a67c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 0a62ee1664ad3ca9cbd40ea42255559f
SHA1 5c212bfb415f22eca421c534ec69c9f8725b278b
SHA256 c0420f7d3ceb4483571f3dfd69a0ba6be2fd11089201a827f60497b9cce1002f
SHA512 55768c049ce2dc8a76b2e9821b2adb7588eed9130f402f3afda69522c98105dca4e295d393bd65cec3a9175511da08f37e2286930eb585613400b7de4b3c2689

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

MD5 614f1a8c7b390fc4540a01bc93eb70bf
SHA1 58118e88f2be3909a5d5e290a6e243c86ced0bf7
SHA256 a563917fbeca51ef531ad89f343002f5e7933c875932539942a7cd4728ab9ddf
SHA512 906ee202d701949ab037f7eb203cadba6dfde5af02a29579ec75617e012c69cc97bb803d6ce3ab0a42a89fbb278a419efc72b61d804ae57bae42f7a2ca59c145

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 98e3771c2afc2839e09862f3d070d5c7
SHA1 10c25fdbd482fdab85b19683e854a1a1171f2e49
SHA256 2eb06b55aaacef7ad5017657f94a15f574235d508995e6ccae9bb44889a54621
SHA512 ecc3c4a62cdae1c552bf53ed041699a6e030396944993d8fdae31408813eccf704a73b12c38dc30d16ec63b11bc242e83d328180a5ef463c63f1f5a892081263

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 66975ba3d0ed822533806e96b6746b3d
SHA1 e2093114df917325063315ee219c35cbac12207b
SHA256 0fd866d6d67fac7106302b12bbfa79141099072895719aee0c0b230302417038
SHA512 367680a0c5298c7c0daa29f4d9996d5b66e7e3c5d05e81d1ff4516127fef28bc3917ab8b81e9c3bd06bb7023c1bb74a7b4149077d204134d0ab3a6212acaaaeb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 8d5fa302a405aba1f5202ff58514ac3b
SHA1 6d1c813480abfd3d3b2c7f7509f323e25cf7e75d
SHA256 c0036609c1fac2471d038fe9ad594bad906fd41d6608a08e35c0113dd464949c
SHA512 2b443eeef05fe584c7abe6b07e211e4552f1708eecc6402042fa8ef8ca2c65623f3930fad7f98c750672dfcafe33a39f7d4d000392678cc36bb8bb85c3535938

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 2b8180434737f1bc41ea360ccb3ad6d1
SHA1 13e5e197d046978a336e103e531c9cc0ef77fbd8
SHA256 6b4d97801a715e0a984456564d1f633b0cfe56b157f278003c9030365a485ac2
SHA512 791272c25bbc7b4c4af33e27f83114ae9275c974b84097765fa4ada27520730a0f0bf3412541edc3d8f262f05fd94cd7908f9a9a67840d3da7730a39e228f38a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 24c3151bf10cd4be2129bcdd599ce333
SHA1 e9d702d8135485a8d4c7316de9f335972387e7aa
SHA256 7eaafda3a8b4b54d084164fd732feaf60f3db3f27ae6b52c4efc70bb776bbf5c
SHA512 529a77b655021933e54ff1028b1115f814bd3a167b5c3ac7de5b8cabe3efc9e370241d3ba27e099e3aaada252672a69eef093294b54b0dc886780de876e2301d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 9b725c799ec505f2f9cd363e0f462769
SHA1 8f41fc05b23dc8c6fb34ead424c533450a406dfc
SHA256 061043b12a00c2b50cfedbd6b66f126785c3494e307a6121a3d73db49929d62a
SHA512 1c0f8afb7fb65b9782a5c4e87774043d2424afa5ea78b6767212bf2c8b868a3e83cf7c4a801230f5f56232eeb97790a7d363da6d34304d2198fd652f11b1b1dc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 17373bb4e448eaf556bdd8284dbe75c9
SHA1 0977d96b907f44485c65ea424be37815d3b2e3e6
SHA256 ca0fe2d6dbe7b3e67f27f47e8a7649375844e095a1826119542371227c831b44
SHA512 7afdbb7f365e1e2169c5afe46af16d4f3d2221c9adf4e49e87b3775645cc72617bea42d1c6a71c3dec23252d9000894e59e2923fadf4e47ba9e1315708a3d5af

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 ef1d0ceda8c381a3be8d53563a0670f3
SHA1 346b1b5b624d1303d09c5a509545dbc96498fa27
SHA256 1cb7e74e827d7d918e7d4a5fbeffb95df4a5bf77642c78b9922f38a6804fd1f5
SHA512 2c6bdec0a6c16bae358c87569d76e9beb5aa4929bfc7a4c5862bb05c30a9697e52335c0409b77729df9d9c4c51bce50be62c97cb07f581220e973fa8bce79aab

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 af10005dbe5f3c62e5eb602a11924523
SHA1 2d4a89eb859b39763b258b2dc859318dc3c0f4d5
SHA256 1c5c36952e15f1153be7ccb814bee7dfd33bc6fea88b576bb7c3ce867acee3e2
SHA512 25d92ef2dcdbee4d4d0fb643992097e2f696da8577898a1f929c6c2505c6642171347a7cb4a429bf37f902e3b6158ee112aa010ab190144721e61b3757cf0227

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 a2d998c9be85a42f98ae95cb92337e34
SHA1 1ab9f6bb683549c8bd808574b5c83b8cc7a8c8ec
SHA256 960f28bfcbc4e9e7bb8b480359d09572550aa6de59b8e5c085c16aaa0d1cfa54
SHA512 634fd7dc7a2ca3f305f756a6d0cd0a8d68852b2813fb854285814ecff298482ea7c6a55e114f2321841e587792b387e044570a6f95d08982a5ecff5e40abe4e8

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 be891564c73c299963126f1297bf87e3
SHA1 3ba4444ce139d831f29e46c06c1f91a0596778b8
SHA256 b88b994da8bdbf7dae90d351a5dd7dee53c7355870ba1e0d4cb7debbb79bc02f
SHA512 883a32bdbbaced1b3d835b3cfa58518e8fee780feecc63b6b00b23f24d87d79a96bcbb4027b44766ab1c4fa3be3f6d90fee36eafae907a3b4f7796d0bee30f8c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 699be4bf0cf6068347ecc5e4a69b2bdf
SHA1 892a51656c619025315bca95d72454c0fa02342a
SHA256 6c2295ecdba8115a92c777954c1d13e0cc17cafe68af0762064eb9f1c397fffd
SHA512 d759f42e23814b6941e53992be5489fe030fa84490f0a7b2e7682d452c712390f0654ca29a8e79740d03632a40cd2a87312d09ea865272c1fc2f9bd943a653e9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 f2e0a405ed76f0b1a60df71bc5b68929
SHA1 afa0a53263ffc89a813fca8f34cbd0fe1d7136c4
SHA256 6e6f0ceb85922d7faee8fb639a5e6c30a65f2c185f585afc7f051c7cefc6ecb4
SHA512 c3130baa528afb26f33574b46aae2539901694dd0a01550195abe64497f862493dd90f5daedd77bec61b736322e96c1da29e12229ed2111ce25f2981f481c5a9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 ef3fc557504495a0a25dce72a8ccfb83
SHA1 cdffb573cb300b30aae366c7198387e36e5b0659
SHA256 985329ad650c506a1b27e55cae8e224f82ae314b8419515014d964d78ea5af32
SHA512 004436d5f696a529c57b9a42bda3b5f2fc3f6f94e4f7bd30f8aaccf3a3766aa134eceb6e2a62fc7a5755a4b0ff98410351d848866a784b9bb0d68e1c5eadd6fa

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 316d8dd90b7ab0f2950d6ceb392e376f
SHA1 865b991ffee59f3ef11d95a539819a5e4544e387
SHA256 95bb2f719af9304fc09b26b12466c5e73802dca49d54939660e79c919da930be
SHA512 4684d06326aa4d0493d8164a71ff15d27a7f8558d0d1808bed8a016eddf93ea5c45562b8a2068ff25019811090ad582d6f5e759c11bdb839742ef66eb33f7cef

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 4bada3ee22d5a1b0becc1c519b1d3cd0
SHA1 56d66a20add9952967f801b84975a70bf3a1dd0c
SHA256 ec0539a39fd805b1be18611fdd51d9cdd3e14aee86913a93fb4aa25b04f0da48
SHA512 59c3b3537b228f4147d002c3a91d88f00ad6e7ccd9b41e4e5e33dbf39fc540ff259708f55387d1f01e8cc60aca8dcda42108856ff037487ab05d6c403fc1e834

memory/2336-5778-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 4a057dc3261d3690e9ff90c7d714c607
SHA1 98c284282f78387d10bcc89b27ae264953c06ee9
SHA256 fa858390edd88f93fb172efa39c033c96e2fe3a444ea7a71703ff0154a438d06
SHA512 aa00cfbe0f8ca76265e9b85b7fe98cfa6e37bedfaf0453f0049a36a7336dca315b58942e89b26071bbf568297bc1b9e8ae295aa9c55d01b383c2c7532482badc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 ae0e012745efc4cbfa0206cb22b68746
SHA1 1c94558899976959f43512bf3ab84fe110e0bbf9
SHA256 42221bc39107181cbd858cd2b8754a93b52c925a6bf2bdf220b9261d628ecb7b
SHA512 409fb6afcc023d5a163ef0045ddb496cee59c84c8877b97727b27f3f896d91cdb5bc621f9ca68a4337c84ceff136f5b5e64ebc46b97aac999fa296351f34ac26

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 1d550eef416d4e2ccc0c62d77195eccb
SHA1 a3e579ea7af45c8c9fe0dc3809133f38d1692aea
SHA256 3963c9551108e254ce24f279841252b646ab303b9c72a1fe346025542d2316a4
SHA512 de02e2b58719f71032cf36f1fe319adbf23e56e6a5bff66eed6cceae517a06658812d8dee102dd139df4f51d540d5a314e22ac7e2a13c82422b3b52f87bab2ae

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 3e3c7c94974d18a9c224a8c1dbcd88bb
SHA1 f33a6aa5f59f6e38c6a80fcf107364f2eb53a133
SHA256 e867f90e50837943993fc09be6a630bafb1a5bf95327886934ce98e3156f02c5
SHA512 7413d38ceb0060d997d5994a1e63835213d7d682ed8ac383199554aa3ac4f8751723c59f4203b9a3556060edda92c8c492991cecdb336e33d4d82477ffdcdbe5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 9b1cad74a64c630a6592c798c380eaf7
SHA1 6f2a9b73e83b12fe891013343ac4b757eab7b6f2
SHA256 03ebb076adcdb0c062743045d9ff83414dc68e78c0fca3eb7b5235e8d8653051
SHA512 53e05eeab3df374def129cdc97b6249ac37a6115323a8b53e6fed6a1dd89e46b7b24198f6da73b72029279c53a12811000bec020fc32bf55a166953fa2f876bf

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 0204342a86d21c37bf24653cfe330980
SHA1 923fc65d09d5d63ec5be906390fd1a1088f97720
SHA256 3cc4e1c687396f716ae961c8ad64595548a76aac1617b9fa1ad576924a53d844
SHA512 79e9c77621b5cf7759d67b6866a712fd0e16f870a73956e507e233e5d528fd93d88bd948d6081d1d53867e00ff0a0880c87b344101ecc2f48b3ef7ec948e9da5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 49699ecffad26438a52e687f5f0a4189
SHA1 79dc42d0982ef042656c618378a2e8676dc88962
SHA256 bdd0c6b5093730c4df29f2bbf5f9b007e97b4dfd7f221ad8347cd27477bdff0f
SHA512 bb9d4b4d544c68d6bbd5529119025d3be89816c1b45f7afcbaf16b89c55e0d368d5f51b2c2d89463f7c4fd113be3fe456d6016f4ab4fd9c39850b0814a19d0dc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 18f58805f3e99546c67a9e3e76871d69
SHA1 abb5cad137f91cd887c4859146683d8e24cf9394
SHA256 0ec51e097c5facfa0cde6cb97f2bc26fe67d389d8c0262762dfe2aa813200933
SHA512 ca58022db48c993b7e6ce7ca58c0a512242abd65a1d8f4720050fa2f2f54444674373f1cf153a9b5d0cc3e88e17909fb4f0eed6ef6cd27401703cbb6c58073de

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 b751717165da6e2f687622dbe20e5791
SHA1 c641b642cbeccd287a04522d3290ee8d6d2f6969
SHA256 61c27a9d473cabc210445b6919ec0dfb931b256390e930c963ff5ae980745ee4
SHA512 6c1a4267bd58c27ae3fa2c0493dd23a9654c73d3b351cd61f72a12b04330e31e9f5103573241727d975275774c799f3ec652f3b3fa844e6f66edccf3146476df

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 fd0e5ce8fa77f25d1ec08d459c452cb5
SHA1 3ecd2051e7909522863b666c74188e8b5e8defaa
SHA256 63f290481de7a92626a314a18e6de78fd3e25a64add26a372fd89c5331318970
SHA512 5f3893b6e9346e109c879633f5645c5a372081369d54c49f97429fe4fed3a7a0dbb1a073a7187b7369a1d1add7b9a926eac3b11c4494258d442f1126e8e1c9a9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 b47519529e24511ead82f4aceb27f649
SHA1 6433c14f4243f25e765ca57a316e7ee6c7f506af
SHA256 27d6a7a39fdb3a11940de3b3a16cac0cfc86788889f0d5393812ed7a1b41ad65
SHA512 1d84e093518b4de27109b3cf874130e386968253edcf5824329dfdd43ba814972e8dc3fc7c25ab75d4f69fce5a22b2d253fcaeb4909246781fa3c3549f4418eb

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 db0248a00994754df9072639d7ff92e6
SHA1 dfa8cf4b694ebb7fd6b8c2e39d26377346d65a53
SHA256 4c213287cee23e70122282a42c399c626e6147983df77d8fbd9eb2d2f63784c5
SHA512 d2dbfb08958b1223100795a4a1721b721507fb0c7415ba21e52d5e097138a5c4a4bb58c6876c9ccf45c62abf2f55eaec5197f3df0eb1ff3128f13dbd0d428480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 3501830cd803c99515c67fe23ef843f7
SHA1 7fcd940b57a1fe309971011fd217e06a7562e5d6
SHA256 0a498433e21e3e445395fd62e63c2fe8ce53e6acc581687ca7996ef43008ed4f
SHA512 ee3def38ca3e2573c816be0eb456ed018007593dacf7e288ae42a9063ea0ec520de289cd7544d3d5f5237e308c76e8d7112ae0dcbf3917df641d6e5cfc5e0699

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 ab9447db67233f45749e3159d6643d25
SHA1 7a7233a58c5faa44c37c8ebaa21a92443a583dcf
SHA256 8b5c0e32f99a361acfe5b1782f547259da31192c1734c0f81915f7912fdc452d
SHA512 2bb480e325ff56c08e32fcfd9bbfa32583ca46ec726dd0cbe5359901df0406e581e5d0b119b71dc3882a3308b84ec19715531854ffe777b6c7a3e0473f56f4c8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 bb2fb37e20c5170c769c90b81c58d35c
SHA1 eec56868920024d27ecb4d47ba0a86d4b7c95750
SHA256 429a85bbd9bfbb5032e01a0ec0d7a1376231025e7f60c64651700af778a119e5
SHA512 9e5c50547b3109e03bf6bc6dcbc64025f2451c16c239787f71fa7601f1e3cc17c8fbd8b58f8eb4878226407b10973804317b9eb194e294f174cd4683f282a2a8

memory/1084-8793-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1084-8796-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1084-9064-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1084-9065-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1084-9066-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 04:05

Reported

2024-10-11 04:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Renames multiple (2187) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_50cb8ebb1c9584af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\chargearbitration.inf_amd64_a0097842bcc7e487\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_ddb154dfd1a1c33d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msdv.inf_amd64_5c153f7ff7d0d00a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\termmou.inf_amd64_c4c8f901e3534194\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_d5c8b2a031c7d5c5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_avc.inf_amd64_8ee511eb19322856\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmic_shutdown.inf_amd64_bce6891915e70bbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\000e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\miradisp.inf_amd64_14cd3615d012fdf0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0011\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_189d0189716edeb1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\acpidev.inf_amd64_0f7f041f33bd01cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmscli.inf_amd64_b39ea5f4658998de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_mediumchanger.inf_amd64_69ea0d8614286224\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ProcessSet\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_cnl.inf_amd64_f668309b543472eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_f4769cb994ece833\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\Speech\Engines\SR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\spp\tokens\pkeyconfig\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_smartcardfilter.inf_amd64_3573afe136371e51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_hdc.inf_amd64_6e00e835fbceac58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_a6fa9bcee39a694f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_36a71a022d8bb0bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrf.inf_amd64_ddaa09c6103bc6ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp_hf.inf_amd64_0c00f8f3a465c9a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_05ca2a1836c16cab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sensorsservicedriver.inf_amd64_4761deffedf4e12e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_media.inf_amd64_2dec3adbda5f7bb6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Mozilla Firefox\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close2x.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x150.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Retail\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_32x32x32.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Spotlight_NFL.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_10.0.19041.1_de-de_8b43bec67de68e5d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_10.0.19041.1_it-it_9e5e5a424c96bd05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.web.manag..nt.aspnet.resources_31bf3856ad364e35_10.0.19041.1_de-de_e369a1c89198809d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..t-onecore.resources_31bf3856ad364e35_10.0.19041.1_it-it_210485a599d75252\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_11.0.19041.1266_none_002191d26b2a1e55\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ss-cemapi.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_edb3724308de7aa2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..workcollectionagent_31bf3856ad364e35_11.0.19041.746_none_97a7d79a62bf3cc4\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..pc-tabbtn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a3ebc1994b1c70bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoftwindows-un..keddevkit.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c9d08284ca03f3d7\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..s-utildll.resources_31bf3856ad364e35_10.0.19041.1_en-us_f6d3d801594c601f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-windowscodecraw_31bf3856ad364e35_10.0.19041.1165_none_09c62bea6ce5a482\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-o..euapcommonproxystub_31bf3856ad364e35_10.0.19041.1266_none_11d8442069dbdc04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rasdlg_31bf3856ad364e35_10.0.19041.867_none_554c9384e2e042d1\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-bookend-cortanain-outro.gif C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.746_none_c7a124154e1d7314\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..ion.odata.resources_31bf3856ad364e35_10.0.19041.1_de-de_b0a2b9f38ae5b958\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\msil_multipoint-wms.skuresources.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc4901fade485b61\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.1_none_866e293cdb38481a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..s-sessionenvservice_31bf3856ad364e35_10.0.19041.964_none_c714ae0c7ae90eff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.207_en-us_a77e6aa2de8d00b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_25d6f2766f7cf9c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\Assets\SquareLogo44x44.scale-400.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard\v4.0_10.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bootres.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3a3948f5e8f8046b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_10.0.19041.264_none_f328f75868736919\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_805682e34c6552d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7e2e7925487a8e96\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-onedrive-setup_31bf3856ad364e35_10.0.19041.1_none_e585f901f9ce93e6\OneDrive.lnk C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_10.0.19041.1_de-de_caf77e29a46080a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-raschap.resources_31bf3856ad364e35_10.0.19041.1_it-it_715560277f8af039\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-v..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_d2df3e3d4fc57eb3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.windows.diagnosis.sdcommon_31bf3856ad364e35_10.0.19041.1_none_15902374653bb7d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devices-wifidirect_31bf3856ad364e35_10.0.19041.746_none_7f74465c5404002e\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\DisableAboutFlag.htm C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m...appxmain.resources_31bf3856ad364e35_10.0.19041.1_sv-se_e60a0679099e5948\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_e7cd874ea1e56b62\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.19041.264_none_c4bc376754eedc34\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_transfercable.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_03dd0ed7851afe9a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..se_standard_101_key_31bf3856ad364e35_10.0.19041.662_none_f1a2995bab4ccb3e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..airingdll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_18517f20037fc203\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.19041.746_none_ff8ce67e324d12be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.powershell.dsc.resources_31bf3856ad364e35_10.0.19041.1_en-us_7a02fb2582dbb39a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..on-client.resources_31bf3856ad364e35_10.0.19041.1_de-de_dee5dc5f3cff6710\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.19041.1_none_0c8c7a5954ab0dda\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..formers-shell-extra_31bf3856ad364e35_10.0.19041.1220_none_5ed127b3325de1da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..terysaver.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_81b671d57052eff4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-twinui-pcshell_31bf3856ad364e35_10.0.19041.1266_none_670f6f14d5c78d75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mskeyprotect-dll_31bf3856ad364e35_10.0.19041.1202_none_51695309b91402dd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_fusionv2.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_fea138b121d1e308\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSplashScreen.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..ouppolicy.resources_31bf3856ad364e35_10.0.19041.1_it-it_81697890754a6aee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-workstationservice_31bf3856ad364e35_10.0.19041.1202_none_40fa44d78c08190f\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_nulhprs8.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_d07d1617712b771d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_vmconnect6.3.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_110ba8acc55d6594\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1266_none_ec5eb439471de957\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c...appxmain.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5376b94c84988935\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..andinkinputservices_31bf3856ad364e35_10.0.19041.746_none_04fb1ff2ac42c9e2\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Splashscreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..documenttargetprint_31bf3856ad364e35_10.0.19041.1_none_4a503e10081a561b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TDDXKVAOMIPZWWP" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe,0" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell C:\Users\Admin\AppData\Local\Temp\kod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe" C:\Users\Admin\AppData\Local\Temp\kod.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\kod.exe

"C:\Users\Admin\AppData\Local\Temp\kod.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe" >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.stimfal.hol.es udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/524-0-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kod.exe

MD5 dbe9a0e8a0f3581128d9cc4002fcd8f1
SHA1 ff196b5453f485ae4b35e6c46ab1aa38c627fc20
SHA256 f66404a3041ed40e2906ef1228bf5b7532b8ac44e8f8644780e0d310abf9a07e
SHA512 384ebd9bbc2491e01c63ab129ca0e4f27f8f5332e669e2efb4eb32bd838ad71f4b8a0f9beb042fdd66010a9703e2628728fe84e9a2b5f4a77074ae69854d9975

memory/1788-9-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Program Files\7-Zip\Lang\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

MD5 6bbb4d89dc1da9cbe4bc61701d73e7d6
SHA1 440ad1de39414d5574201b5fd03ed1dff496f2c6
SHA256 ce643805a86233be7ccf3b4340370a9f25a3697a1351ac8adb2042928f747615
SHA512 a30fd332113dea60b02be64f3cd7df9c0ea081ddc1dc526ddf153eeebfe8a79a8640baaa5848236bc09cd1f604619eb6753995fc1130b42df42d59d6fb14617b

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 12d094d717e57b9ee0f16bb73ace63c4
SHA1 57d5dc04a605b3a7e880de81aacc210568353ba7
SHA256 8dac2295be785d584a47e89f79f46ec346f7f74e5001b15b24ba7aea0349e8b1
SHA512 09ffcc20ee10ef1558bbe5cab7c8e51aa8b9588de2a719393b92309001100147a1b52d4d7d2ade0094deb67b84294f8eb568894275a116ddd3eb164e68ba9a40

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 10b4d24e1f36478c0b62f789baf4634f
SHA1 2a2a5c6baeec78bd6084145add27f9a5baf3a964
SHA256 c9351f253dd6a8acbf3813896b5ea50d649aab9234ec0351b1dc9099e98e905b
SHA512 650f127ac3274da233523df80aa905a7064fa75df45f3aaa92cc3d26278a5fa46081c41ee1f69f36c5b34b1e14fb12883c98b86dc36681ef8cea3a90fdd368ab

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

MD5 13912f707702db8d31b131d3625c5692
SHA1 9a239843e1dbca3c105b46e654febf2c2a66303a
SHA256 bb4d5c3ee41cbf9ae6e6a999d9337e8a38c4e5b7057d510b245fdb4f31f27371
SHA512 efc27d48371de0b2a7bd052e0cdc0328e0c8a23aa3fdd826173717b6afa059f17cff6a011170de06d312ee931d56b2d0442b92b3975012e2608d10224f28f1db

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

MD5 bfa4dc834c3c7a62455ca4119038145c
SHA1 f2ec986f2fe2c8a9693f7e82a584d8b1694a0b31
SHA256 0de3c08799e308576c5086467b995f3452523735178c83cdcbe5c3fbd3dec3a6
SHA512 ba1e036c4f1a85f0bf6446735a863c81c160441ecd855667f4ff51a1c91805fe6f862e4029d2c7f49308465813682a786c232e4bbea0570cd1bc31c14f68b1ac

C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

MD5 3a115a0dffbdc4491e8989a3728c10fd
SHA1 91fd114bd56b1fbb5b0605c943c5f258008804bb
SHA256 79de8591ac1a82eaec0558d1d6eccc8f25d1207f75613235a48b813c54e47acc
SHA512 9b415d990353827a0c02fa8358e77e581cf5cc21766fe2e3223201e33c9a6fceb4e4df06fc27876865fbdf536df556a7a51f5b9139ecc72e8b7fa73dfa3e2fc6

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

MD5 d9c176daf017683df6a5e104460a607c
SHA1 ae61d9de457b3616b8a6711a5072d0d1b73548db
SHA256 0539e2d1c85c41c24bc2ad84234b2ad47359ab01f206d3c917a3da3d48681bf0
SHA512 cbbccf8fbc25c54280204343a56e67acfc1e27e5fc4f4cfba4ccbf842562a9b6db22c3b6ca801371727a3706df721883804be6635a24f350b8ac9a6f46b2d8e1

C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

MD5 0899cfbe14ea6ae038d0e27b27db51ed
SHA1 c14ae006805aa9898c809bdc3746258439efe862
SHA256 be200985a4d00119fde01843bcabb67f6c912bcba99e9e827f50e7453db975d0
SHA512 34cd3934ae7a7d953847f9a9de2d785176ef36d8d03ee061901966f1e3cb47db8928e185303a63eda79ac183c3a2b64d3c654c778f5fc82b3d980e8187864600

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

MD5 e0c3b5acb4caa233669737d9f11c9b01
SHA1 e230536d318afc1c49139d7d606a529587394b16
SHA256 515595989957202248a58f210be9370871b8771cd24ef6ea51379469ab0e6717
SHA512 09d1404832687bcdafda86ad105f1df107d76c779ef517b4a38431f41f8145773fc48d8239c410b083f0b9e2d315312d23f6d8fe058d2d9239d2bc6b788504ce

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 9f26cb71bb1c150fca77ddcec1cef98c
SHA1 229eb0d707ad1f7626d965e72f2c594a83b57c22
SHA256 1ed5ab97f5ccb53a0ba8ce10374e4cf12deedc45d65395613a400e7f378eb645
SHA512 4926ebe5927fe2d50563ab791231e88a51c4c7f770aa11a4d9cd0519d175053a74bbb3b20b486cda5e9e2d41f541252b6d99664808d587bcc29536ec210bb540

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 200d9128ddf72257925bb62be4ab3026
SHA1 3d6db8ceb2d18d20d62031696fd022a8d8b202b3
SHA256 a4904bd963f8c4254a5528a549fd7e86454b26b8623b264439e9dea69ef8697c
SHA512 33ddec573d9006ff210d57104d1d5df5445ec5ca93e7639c369f5d7ec4af7d6e2db8a05a948d734014333bd908b1c898aa4ddd29c6f74df519bc64e1bcf92aa9

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

MD5 20fb3ecae52c18ad3726f648d2fc6851
SHA1 c5b8f526db6dfb1b7ba0acacb9fa68391c4b4b32
SHA256 6f68046dacf01769a83c351ca5aca5f5cb7479b198c707ef594b377f952463e6
SHA512 98a8b1e6cdf8f4b764cac35191bd9a41db7706c0a3a84a3a7b5814415a6ff24e69318940127ff3d9cfe79e81affc6f67b2799c6de4469421ea073ab537e4dacb

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

MD5 daead765955f118b8a60120f353c64a5
SHA1 3edf4d6b1058727f71c6b3e5d761c6e27aa3d235
SHA256 994822fa113c9c1904d2a1c9c30674357c3a681e69862395f1baf26200dc9c5e
SHA512 3a643e0058e2492ccddb8d9475e27b3029d1b9200bc22c0d8f5312a02953408716bea8421931ef225f6604a3df3a87cc4794d27e92c55b7db7ff9a96484b9419

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 a0163b2abb3b3e90b6a8e3eb0ef1e55b
SHA1 b6411ed11b898451ff7269116629f57d877eb0e6
SHA256 a221aa8f286580cec9ac2cd5a588c317c093b7d40f9530d985e05b7217344723
SHA512 04a0591d340c17da9bb8b7586cbae99c229d84d2a18f8edfe08af9dd5c345e5975073b06836c44b44a0b703fd300a0b1973840aa200f53ed72613b4addce0a8b

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 a9e7a9310cce95c6c0e5df33031eaf37
SHA1 3cc074b67643a9d7eb9bac0131134d86ee887c2b
SHA256 dc67334587701407e461ecf9d0532f6931199958ea202dc1fe41d28cf3905a8a
SHA512 f0e4fd83cc851faf2e824375c4a44cc3cf416fc9a443b0f985f31fe6dd4a2b47e1db364172958049c30438fbaceeeb5515bb172aac593557fe51b88029a58f40

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 610d3032fc6910049bcadf5f6f530c7f
SHA1 97b679d5c0e6321e4fb029ec89e0aca9d5705f2d
SHA256 abda6dd6a642baa43446675e3619fe80810c491d7411775dcc10f99827db5ff1
SHA512 95bf9f4b967b39c6ffabcba71d1650171f44283cce06541638582f8f1e82178b3e55397f6b7456a5fda967d6c4eff13b0c545c5a6f48c3a1effc2fccc35ff044

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 19e3e5572e2cc81db05e2cbd690447bd
SHA1 aeb53ce535c306048c870c7627ac4f244f1cdb8c
SHA256 daedf55f8b2878ee3bb707458838627422d1836368260440e03d030e683bd6b3
SHA512 47871af4872843b322ed00a8b5235892f429b61137ab79e75d4756b586b35cfd9667aaa461516c747e69aa74e187968f624a06ed742992a101e20292af39015e

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 160e3884cf7c57905b1022a97b5cd8dc
SHA1 02a44f32f5189409c313a7cae02c298d662f927b
SHA256 1cbd618e2a08df7e5ccb466e61cbd87d5455c7371eaa0ff7c285b8433c48f0f4
SHA512 2297d70097eecb2320df6ff19a80fe680e588a72dee3502853836fb0cbeb34736b1df24e150478034f8331223dfa16e4d05af14a10e7cd35988174bc6afd85ae

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

MD5 ac09266c8ed1a8d1a640af3679b09ef1
SHA1 1b2896a4b44331bdf517d2ad4ba1cf96291c64b0
SHA256 99cff614c7e91aa40debd45e92c5d623846ba84827d41c49b1ff3eed2d85ae30
SHA512 95bcbaabe70d0e4054a6d041d814800334102124301ca7fc0b05ccd5c1f4e804fd96c0a6842e27cc34db09043eecd109c03aebc562d632d358e5ebab783c817a

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 596a8b307fa6eed0211059a8a8002257
SHA1 439975da02caf8512e5c420cc38d78dfc0dd468d
SHA256 a2942b3835612e62b64b1302f70d36a9fa37ceb7308db563eece0d1907b9ab23
SHA512 206a0b3e03882760188238a05b16b39d7d051f9095f2d3f3bfd7f44642ef26c19386074d8de7099a37479056d4e344bff9e35b4a626e35955d4d0edebe4c6b96

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

MD5 bc45f45910fd3321b1be6bc5ef982f7b
SHA1 19a4c74754bd353e9637a8d9c3219349125794e3
SHA256 c8a7a43d40761abd1c9fee06f7e5a2ceff5a157149e7f3889968b46aad5d9d5a
SHA512 cd1332e653666129c4dc7c96bcfc6e4ca94ba5dcac46644962c8e2a9e50ff999764c022fbcee96c15e69e2d0390876bbe08077f636e89d0796b6b318685e3df7

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

MD5 6570d207a77c80355c6bd265ee4ba1aa
SHA1 085710484534d4f2d28f6e8ecd962ea458ccac83
SHA256 83a5111c71d58b5f4629165e318cfdd713e1b47393c89c574a56a363ca3e6875
SHA512 83cdef8400bd82b1fdc45c2f335d42ae63fcac0c9da475ac48f84252a05d5c066f22c5215d01e8c57a924e9c9e8d21a51738c75e838e2610c288eb851087a74e

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 1432b76fae28c4f86e85240e7663609f
SHA1 dd88e63ce22d34bf28543ab9cf08f78a66c9320b
SHA256 46b44d5c80942f828cba7af0ba93d4529bccbf31ab27818feed50141d0be8a34
SHA512 a4b76137b27e2c6d79165494b627b21aedcd60dd1d3d52f3552d503e3f59b5b798537fdde66d60073a06d13de30935c6fb32177d278d9efb340174ef377afce8

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 5c523995707ee2bb4d8566eac37f4d45
SHA1 4657f1b05e03eb7f6d9346e7a1636cac54d52d51
SHA256 8cf242d90414a7a2557faebb8612a1ac3c03762d837a7aedb069851ec4692353
SHA512 7fc68b77979b6b5b6518573f209746a0e9bc95b9856648eaab0c13d4d384e1c44e20c3860967f822a4244d1414f6b07e257b965c671c97926fd0efcbee65dd75

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

MD5 000debc8dbb9c2d6897790ac4d71d1b7
SHA1 7a9b143424eb2b6c14e96fd7442f1f8d9692caf1
SHA256 6d9013ffcf04531acec1fe354dd93f9e2f26ea1a8e49a56ca19f75e515eb1c92
SHA512 14f3d83ba41300e77446773ae33e00d06b5f32c3a236921d706eb2658e8cab04552cf20035395158533cf8e001752ee6f4497675db9a54728f3da57a443289ad

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 65a0224f8fb5f67c732b950032f418ff
SHA1 197cddfa8b684f8c5d65492808943c857177ccda
SHA256 b57e220ac9f219bdfac607116c7440ca59ef400c47905ad96cdbfa891e6a48e6
SHA512 70b64aa76599aa8d0e430b0257da9df93e59a64489f181fbb9dafb3d5f4199e8b3c298b1c60ae6af12454b77c8c02910312bdd67ac3ca40ab7fdde1f2681dd1e

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

MD5 7cf57b91c7062c567a573cff5699037c
SHA1 e47f92dda9444a7b7e07fed430b32412e398d7f3
SHA256 a603c1e5b179e7cb74a1e7069ed4694c6d60eadc8be5ffe43ccf6c8fd03a0686
SHA512 1b3600dfc7d2f4fe8d4197839d3e6453f698c7c548b4169b261700ffc11a5523c67f238ad85ea7a811a0b80c85da98bd1b884b64d2bb57e4f5eefd5b9e7c1a7c

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 817b6646fb356017297b3d8f99283382
SHA1 2577552253c93a929d4a79f2cfc872a1a7da6870
SHA256 953d9ce3cc40835c09fb1a9f638e8f3f8d16f7b7b6a171d03d7fcdb92deda070
SHA512 9cccbc7eee30b2134da7908e9de33a429accaf88c0e84fee2c101ecc9d7489dc35f9ab2798f145835d70cf7b6b69eacce47df5ba091e04dcf622fafa6cae7e6d

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 a2fd6e5eb5234b99c929db8c93377bd3
SHA1 1c4795a1c1b4d536418025c78a5ac3347d43bcd1
SHA256 ee92d91d2155f0f3d2483528ed33103a98103bd5577e4ec97a595ef96c95b665
SHA512 2d7c773b1a8eb0b4af94feee9da9faa865829d91c9d4d2b1d8ceea7424a32b66690c5d6eb13151c02d18e74a27381beb6ce58415b771e8aa0e91db46020b25ed

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 c761ad2825eafecf52267cbb1ff777bb
SHA1 f2a7e44bfbfa18948c7fe408f6d65ee8f60ef9ec
SHA256 83fd638d0a4037efd1860a4913ca28b0ed0617d13d3bf8b1919148f38dde1066
SHA512 d19553d6057eee492ce547a81e02f56532889d0852235cdbe466db6ba58168ec4001e7e30f5260ce0bb13f72c2d50aba85cd0b3d7e3b7a6a24785c301f3bc6bc

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

MD5 4dcd0451c44092d7af7834f79df1019a
SHA1 f24b01392aec4b71ec28678b3828a501ccd86f7f
SHA256 5759c752f79425df555c2a4d82f5289134aab3e41f06ccd4916e21ec0b575662
SHA512 675d286ed58e45dcc8624de01f4af104a45992e6d41bada8bee415a4d21b48876b45e4a62336c96c850c25f666d3fc59babdab87fb26a595306e706c429be3ba

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 4196281131b7a5ebb2f7ef3a27923f8c
SHA1 71261745ce5078fc8c6d6e9113d6d397dcb205fd
SHA256 0b848cfffb3f5243948df423d9f3290217cb299cd5abe8ba374d76cf0f4b4ba1
SHA512 e8d78b57adbd543b224550f5f185eb060d3c4b4e19da92431dc6dec4ab7ed45318c877a06ffb672e7c2b538c05d754fd1802c98b58883f1cc4bc3a0b1e804784

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 dc40bdd70417812ccadea7e25987a42f
SHA1 9b40205fae51c88566d0a4f76abc1e0c77d9ba10
SHA256 f18cbdb53207175c887697698f36bbe53bb7661264c27aa77fd81b4cac9ca2a7
SHA512 df213f89edfb748ad7d96a54b912464094f56d7eab6932f91a7c65b26f5a572e7231c24561b5548aefa8b566dcce98b7f487124190ba9bef61053cd33b3a31c4

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

MD5 48acd90f03a6e7d9ca53111ee6fb38b4
SHA1 916fb9dad49cb780d7467a7882fe8b5ae6255354
SHA256 718d742aea15898567a0811ac71f98ece5e4d7e393e3928eee3bcdcfb6d1e35f
SHA512 f6600147165c5208ed919c1c0282a8bc7b9ff4f1fa1b3f8dab2650200f252b9347f372ea52dbb9d3f37b1e70c444329c8e28bf7eeb4f80dd15b947b5bc96a5b6

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 49cfcb159a5fa8d41a154d37967c46a7
SHA1 129fc0d95db37c1726808ce066d92ae79c3bbe35
SHA256 457a7842888d2746c665f2ea46426913a17aab3181ad76435b85d1b08d6aabae
SHA512 42c15d7d87ebea8379cb25e91f57c7ce292b7571d5d382354d5406d3211e9852cdb106eef2dd57a3201452d3351758b16a234cd98b3fe3362e3154c0248185ce

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

MD5 313ec3dbc6a796fa1d5373e3c2b473b6
SHA1 f10e258611d59d32ff7c215738709df4e498f18c
SHA256 39dd47628e1dd7920a46669d73a55213031d17b6cc7ece385fe88e76194c35e4
SHA512 048a15dbd88f19f19c070946a3bdd21e2fb18d66f9208f5acb4ce25a927dd2c890772c6713b9d04de44702cbc00d6ed391676802a484b4501ae77f441d49cd39

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 77a323957f5ac0cb5fa6d75bbae69198
SHA1 88d261d761b53d816fdf325b7a804f2d456aba51
SHA256 36d56d9759fa3324975602cfc2c389348904e993c6e5839eac72cee477d116ab
SHA512 87908d7f571b4467a59e39854054a3512a13bbb4df3e0241277d4ab41de380e568a5598fd4c2c3185c8367dcd75d5268d063ea0d5bd36e351252cbf7e0dc9373

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

MD5 99e3ce576ee391bdfa3411f19ca11b51
SHA1 d7aff617d3fe3e0e5191935b55ffc22c68d9f324
SHA256 86bcbff243f6e10ab78355708e5752b7a808e0e64ce1a2b798c9347fccc1bbd0
SHA512 bb873349a1f976ec644dfd314a911b4baae60dfe10fb220ac7292a95ba907e8c1d91443e2b67dd53993dc1104c3a2cfb64ec65a7dadcada13ca98da0a6c395a7

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

MD5 2c8965472813395503b1eda9208c08af
SHA1 3bc2b3db92d2afa5839cc89e1062a3b2cd6d8c77
SHA256 7d8a4cb3d78532ed92e1ef4b34764af9f6a597840796b3b1fc5e0c1f44f00708
SHA512 20687dd3db139da2c70367d548218ee6911ac06709825a8b9e5a0c84a911ab676b48a76e3856010554e33b08891925bdf0192b45c67814a5a77c988736eff489

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

MD5 1682b2c1e732533f2122dc59553016a8
SHA1 22ab4fa23829a88497f79ad66fbb04e1163601e9
SHA256 6d62615c134898333fc63370a341b4f1e2e312b5ec34dc73e219914e54c93f13
SHA512 b830a4e86e6a893224ebc3b884ef87f070e0eb913d23fd0cca25124a78d9766d108839fcf04f1ddf85c0ef966883d3ab5356550547d8f4e00a481f8b5e488cbb

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

MD5 a38de526b19c8c3c23faaadbf46257c7
SHA1 ed362c7d9513f2fbf764194f568a44575397df66
SHA256 10d2e249c1f6ca70c84886b22c8feb85292aa86d2c71ccbec48490e13092b56a
SHA512 4e6109a8b34b662ce64ae6f458120176fc58177bcfe20a226b3a5c4020248fd95f04a017d4b94730edbd5d350c29d3e5eb32c157d902b24babd26d46e28e3c15

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

MD5 83252cccc53d29eae00137672c00491d
SHA1 dbd26743c5fd001c9da74f95d731fdb3eb0de8f8
SHA256 f14dc10d0d06c5d8e1c2c04ff3ace99a5eaafcab2f3da235268a36a0b5077c5f
SHA512 da7a686ffc13119a17dd909afaa1733cf600c38e0b62510a5e00348ac8293fbd462658be7c9b164712c025b11b94ac32681767ea2c06f7e5f041867810f10a7d

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

MD5 bbd75d373584f54029f48d979ae51165
SHA1 3da1d48024f30a913c4f91a3e05726c2ee7709b5
SHA256 b98faf25977f6b217d9297189bac24177f57c92c871ffe3cd34289eb3516115a
SHA512 36e83b00b748c41d5caa9de4974ee905d7a63852fbc106c94bab8e28adb2791b5e133a6203d8e38e92ba79678566d5ed32341289a12ae4ef85f539a21f3453a1

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 055e65176c7c5fa4dd99ae296ee73ee0
SHA1 6738f6ad6079e08f13909d7a847c82be91831af2
SHA256 4d5d263a059350a7c2330301bd5e2742140e13aef46fd0ed9946a7f283cb1cae
SHA512 27664a0a1ce61fa105969e891077ecd774e1e6edfaf5dd868d54094f45fddbaf312d80393093d963e37228c13454e186dea16f66b8750990aa85ba84a37b94bc

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 c97c932d225d86cd9083299ff251f680
SHA1 463a6c68929d6c6cc0bf87c246760bc57d78dce0
SHA256 d54acefe640f0ec7d9406d9b6dc0097b63ccfa53141831c97fb2616045bc162d
SHA512 71fd48be833bdea7d1dd481ce409aa262d2cbc67cbdf8d931b5e9e8166253c743026e7132495cfc1e2ec9b6a8d497f2be1362cb6c9986b16fcdc223bd85f0832

memory/524-1952-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 4ab4fd5e4c990b4deaaed9b646ff11b1
SHA1 7e7f21c08d6681bb22a38c127730babee084931c
SHA256 2270387b49d519befbfa12703d78c7f663679a36395ec019c8794c043ee69fd1
SHA512 9da9dad959f0ad0fbe9f45f4a150ccaccff99f564a50c4de5acd6fc38b0691c601e11a63ddb539b1bb077f3635c645a3ef585a90e5fc14cfd985363bdaa68f87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 db5582750d3dd71dbf33767c03a60acd
SHA1 9ac901ea51b5659bd8cde5b25bb6f5733f8c06bb
SHA256 4a74a2dc57474fbd2eb8444ced9ca9cb6eec42bed41e762c9d2445179451f8cc
SHA512 3a76a42103748bbce02cf45fde0ae839f2a516daabe2c6528789c177993acc08d67637da84c86427a6a022cd2727206e5f1c6320b98bd3a3d0e8a1f2be51e9c6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 d1f4305ad81ea1a9de2200968aa8303b
SHA1 886d44947d9c8627937fe4a7b202f8a8375c5fa1
SHA256 8795d3391def92c694b3678620bbf45ccb0cb803f624b0e7a096e76f33725608
SHA512 67bd41715a557247c79204abcc7422aa06a9d97e570e424e6b0c363b655b2cc2cbc28afaaf14ca775231214f7ea6c7ff69788ade6260b49dc2b9836f1819db9e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 029122e2ef2bf797b405ab29ec1b8f8e
SHA1 299b443df2e5817060f1faaa8b2c689f6913fb26
SHA256 4c12aa33bb4f89cab374ec3e212a14110b0cdef48bb914916faff4d4b1a9cd80
SHA512 78a99b8e84b15432ef91f5f09f337147e236e3c8c8dd188bf614da4ac413a8f0be6108d2ef02c71b8bb9855f0d54c7669687b86d983ca53a9a32f57b9fcc7401

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 0288d101482c860bc3848554417d3090
SHA1 4b995aa8248d30ed49074c5695627869db7057ce
SHA256 d45523415e76bb2c9bb496dd4a31f5c6023d06210c34285522c2e39a284d91c9
SHA512 3f3835c38da14aae03c24856c7658da086f66936ae59cd37856a023c0a085ae0a53da0c1656d437f2ffe673dc7f52c2ba352da0d11f7d61d04a354bc60e62170

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 437ebe5460396ac7c62b3f9ec7add2e3
SHA1 f7bb1d9069a36fb386faca8de30495c99da99431
SHA256 b9248dea45e972354802e8a61f5d25bf63ec43a61e5da599629be5ecb8ee13e7
SHA512 aa01679e893d298751fb4fe600a0805bb974956fcfaacbf6425311bd1fe37df092466e994837325e2c754cdbf65b4a899795c34943bda99a6bcb98421b9cbca5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 682f9e7f22fece0d9e01af1c649d0318
SHA1 5f4e3744d8252e355912572b2cae9f4e7f94b4fa
SHA256 0488010b443bcd31428a7a44b76639931aa1e6dd5338fa9503b1c6e11b0e2504
SHA512 128f9c8116b8397b4d95efbe40860687dafe276b2b9d6d9226d42a84d4be2e3cd834bef75a0b6e5845fb5cca3cb29ee2517547bbaa464c9a3e30cbdc7bb37034

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 f548c3a27c413c0151c795d3b06b7ce7
SHA1 2d582ab83483fc8f781bf0657f6a0fdf0b55b956
SHA256 ac0500b0bec7cfea324fbd0a96bc2e9fccc2e0cf9adada83adde9ebcc071c561
SHA512 9ccde8dc53fb22c2ac3dcc29d6dadbcc327918386b6dd07a342e05bc5f28531c08029e65ac6c81b08c0843c296b28a303cd1bca5deee2725c652963a8403fb87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 f55c54c06c8b91ff41e46fad893a3873
SHA1 22c6db4a1eca104b6f4e593c82c03483a2ffbaf7
SHA256 6c4b3da54290eb7507192d0403e12630522fde2875d50164aed2e4aa12721860
SHA512 bf7379ff57d1b8f2bb5d73edc6b457eec6ff269dabe2bd08828e218e42297bc63b60a60d52f8362e0f4d8825cc671ff60583aa8a5589d34adfbb328b4ffb30c5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 d3d8b197af439af326fdf7c32894a777
SHA1 7e699d7163719ba2f416385f5efd573a63be7f14
SHA256 d9f1221a7fb23882de114567219656116bac4b4f861951ae21f5ff239bb9adba
SHA512 c8cd9a446d7a8dc96d00575ebc29e7d592660aea6e8f60c1901d2a8ddbe762518856c7d457922536b574bfd271a167a3ab5a8febb446a3d97a64a956188ddd42

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 4d66243ae7e9e51c9d25c0ffb80f7ac5
SHA1 6a05fa73f42587f6a8b59fb2ccaa5a7326aad760
SHA256 e43ac83a70a70b71434ccdce663077aa651a1d0e6e51b1a0ce72f16706a814dc
SHA512 c3fba96d17864e23e37eed947923b92d66b5c42f8df716074b65b0248c236deb5dce82f75ebb3cf984d96c221cad15b8e329d2fb1cb24c44ad0835a165db8cc4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 6725912ce1b2743b1ab23681757d1dff
SHA1 387db71c16fda6e6872e771acd3f2ca1934f6b00
SHA256 0755af5e244cf564b2b582f6da787b9a11f2859a77f3800ac96947829c3222d2
SHA512 886b457ac693abaf5a1214ea186fda18c61cadd08ff73cebe13843ef35672362b44259246d7e0cd2e354d2246a03eeb50a74a9af5e6b55c32c2f547dfac3618d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 2dd40b5c130fdbfe18030e112df7a727
SHA1 b155a47ba7686a733391e28faa4b681cbcc2c31f
SHA256 1a643f5b91dd4f3047021c91181b3e344d5ecb6ac11b0120ce3acebcdf89be3e
SHA512 92e876cbadb129ba93f4a4ba0741c07e71eba2a9d6813dacb7dd6670f727d1a832fe68d222964a6756f818a5f8db40241f17e1475701106a88d5439495a34760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

MD5 785e441466c6640c89f4d6f2c61cc80c
SHA1 6704d60616059475d196194bfd6758c5a1eac895
SHA256 8064efc712b139d71c5882e15cbc25722a09a4fe56dd7154f9b4fbaca43ce357
SHA512 340e1a3f09d21022c077e8907069dd7002263660231e6dd069b0826539f2e0828a2e1b09399891b43da81ff86e566b734c93d3629a693cd589a5efe9a9672001

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 b26eb8b9831f9a46c9d9e090a443e786
SHA1 b356f32d732e6d1ac30f86455bd86ca43c237e46
SHA256 6fdb573b0097144b180bffd5a00a7ee866a4c00c0d79199e5db8a80dee56e1cb
SHA512 3bc65868a52a53ca37c6bf6642dd258a9f45d54b4ab8fdd35a447a503cd52d98dbea94e26a869e7c6b4856cb785aefcc273799059602df8096d8ab0fb469aa4d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

MD5 a97ccf2a2a3e2411855b2433748e0bc8
SHA1 7cfd99f2d57497f328ab1e2a646acdcc039caaea
SHA256 e67b8b319aa019d36d4f635021db850b28e15a7d640fd31cdc404aeca1e57d70
SHA512 4f4ce8dc7ad397e09db1f3e1ce377b8e7320b3a9c1a5bc454c9ea0e8c651a371697ecb21d75de1ddb3f1e5f303330a3c962922a08cf7e10be74f95f0522662e2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

MD5 4e71a8d43b2336bc6508070e705c03b6
SHA1 dcfd2e3fda270615c04d7a50c5cb63a4b24c5075
SHA256 bf623ecdb83f0c59b8610da53c0ad32fed5dbac5031304d7e09be89899d2f192
SHA512 1ff22da10dc030e9fd6cb3f36534759edfbd2881a24a98e135388725ab4e0b3c4d68be0d9876bc6728f31743078b7aae917aeddbe491e1c4abdca703859d2fa4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

MD5 64dde20f4ac3ec43f4f6e7a96135dc2b
SHA1 055ce658789c98221df9fc4b861165c8d664213a
SHA256 f1c651025d539c7ffebe87a40275c0782e7403c950d69f4152491b54fdfb93fb
SHA512 d2364d3bfa352938117e16b763f7271cbbbc3467d45143025169b7153a5dc3a6c4c0389955e1d91e7218e843788a2e341b446bcf854caf94a752fe38c83fc39f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 d4b2729714231e03e13e904275458c64
SHA1 66b38bad5f5d30d840b364394c2a93a6d8880875
SHA256 6a0dccffce489584198e96429211e6fcb67d061f8a864f98aa53e3a5aaaf4656
SHA512 60cae6bbd33f67f49dda40b11984f33409e27c0de0a35399ae9dd1bf8c18e90a8cf3698b565fd311b6d828893a95a1c3df20843fd855d17173f38496a1da8081

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

MD5 0a323660e96b2bf85dd8f05f1322ab32
SHA1 58ad332a087ab716a136eef4f1c4266bed6a48a0
SHA256 b424840da7517239d24cabcc234503b4003de4b88bd59f26cc60c0c28b73c73a
SHA512 e3ce4dd7cddd1ff202825bfcdd2696ae7a2a997ff4f059375c7f80a19c6e20109d06973f1f0c95a03a5b358806076af4f86a923dca8eb084dd521567408376a1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

MD5 c84936b94384b0a7e21dcac393dc4eb1
SHA1 ecd88a15df4f7be52b8747a37a5a7b8da19cc90a
SHA256 95e615137cd767f96d8d896d6149b0144ab08ceb6d9f47863d0ef8bc949608ec
SHA512 ae9902c90d8070c90b788ca168d5fd540d491cce1bd934970ba5036b23c781ea4d2fe57599f6a33609368bda1ac9efff9a2ef0551debfd62384075edc52340f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

MD5 e9c0f920be16b40b0f40217d72b6d432
SHA1 2c239e9b898a5fe94697fea2fe206625fb4021dc
SHA256 42d2f4dac7b507a00d6e79b3ae43f24e1bab1ed3fc4ed0bfa506c1dcbb2d85de
SHA512 10ba0ea49cbc9633303217c2c8497035491ca0061dc690ddd3268156961ce8dedbe53531fbffaeaca7f50353caaad934ff10fea96d1fc5d7e82933fce98c1dc8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

MD5 57de3c3c6345fa9dacbe2c3366a16e5e
SHA1 1aad9a29913b96e7bc6824a57ae2d2d0407be953
SHA256 5569f2dd20f1ffd083e3e0063e40591adf5261f7567f9f732bdca93714673c03
SHA512 eae67f1b0ba25dad2fccb44d3c9f9706a79eae95212f422167c9bc3bcb3919c49d328387877ca61fc7fe341f815cae2171b8408e7662d57bd908dd015d8438ea

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 6abf088bbee43e487c49e3a301a696bc
SHA1 9a1a54a7ae7132032db6d7c6a51e6794c6bff42b
SHA256 1fc0f968159eb3aa6d134718d19663829378f941b21c244b99aa91924d91e610
SHA512 c1dbf57767fb4555cc05cf519cf2f16664ce2e0074df64207fda3e5c097ea629ae439e5270af5815e70ea4cdbc2ad560635019b29b1c4ed1a858a91db15738a7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 cb8f2bbce77ae5dd7d1b5fdb22acd5b0
SHA1 cef06b4c46b484c7fa6de21c648b71bd5866856d
SHA256 12ae51cf134e3954d2fdcb9ca147068f2817bcc15f1c5cd7d32f880e795473e7
SHA512 47fb3e536067e2b30e575f6a5543e5686d7ed1eada0fb4b179b0b61db1a8aae65258df0de91ad402f995866948c2bfb22ba9da03eef250012cef977524e6b7ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 8f0614b7e980320dba98c3c9db7cf3e5
SHA1 14127889fd50b2ff3c6ec8aa68b4ac5d0c960ff7
SHA256 73f9bb893c174a2663b1424a1d057d3386e052a3c9bdf63c264bbd57e8ecb9cb
SHA512 247c3d473bfedf02af3f1e75cef6b013ee8306de9e2bb72d889824748b6d4bf7a9e2cc0f7ad1fcff9304afc0734fa9d26c67318bdbe00f455fa6656fa85e5dbc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 3859aa0a370112cb31da044e3a3a4953
SHA1 88a131f436602c026922861b346b47a4f0f2e68d
SHA256 9b10b9fa0ffd5077f7a623ff5278925ee5db8f2ac255fe38d702e83c349695b7
SHA512 a69288be510c24ebf19b628d2cdce534f0da7ef651074530d3397ace1dab9ce08ab93907ed0d175e771fa95228a802c63dabd85275c40fd128e47d819a897cf1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 e47af440d08f39feed4d74dd1171d2c3
SHA1 7d20b67d0960d4f4ae7e24789e1a0f00af692898
SHA256 113ff4561871d04633c418664cb9e8c0d3db5024c867358db1a3a2cb989bf032
SHA512 9ecc84b850ef2f450005dd8755853961f8f8fbb020075956dcd80f41e72ff62a2c4f763c7b348ebafa7efb8b467e7c9e1bfb0beef5fe9294a64a3ad699227bbc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 f71b3920e65bb2c8f5a4fe1352e8e916
SHA1 4b721a76d608c67ba667d4d1157721e4f9e742dc
SHA256 ec720947a3551e246eb0eb429d6f106b54782d3059348697548f1861090af186
SHA512 e77d135a5fc8b0a1d604b036b6844101103699a9204e6d5b9bab1e3b6f16e23392d723560817966859108925109efb7c10b31b432095aff395f9c254ce1a73b9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

MD5 00e68ff633e5dffd57552b3fcc8d5ff7
SHA1 7e490938db446b67d6c3ffd78251d5208122e35c
SHA256 900612e930a1da6262e8c2f1b77b1431e77c1026cae83bcf1dd3c31fb8e42d38
SHA512 d6d7f16736c64bf38ef01a6c41062deb3515f9ad6c583a4cb94f3eb91eb7ebfe74e8041c498f517bb6e7a3f1f759ad05d14fb46751f49a1eaf2294226609c8d7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 60bab584e3fd5584ac0072632eeb81ac
SHA1 e99829c9c4c980f3f557d8b7c3920d1776d7921e
SHA256 d1551383634c571cbc5a6952d8731effefb1cc2e3e544355dc7ba2f282654628
SHA512 4de19e9e6f847026860b227754c02cfc1740525a97dd531b64597026a17eb48d3267340e0761a1d6a98459d033bbf48e013de76320db8806df3983a9407062e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 ddad23fdd6f071c98fbf87a87cf3ef70
SHA1 61f9b4f212d675818a3a586f5bb1cf9239549b27
SHA256 133ad0a0d1ee1f4e572d63c762068e490f92addda971a9b154aa83da229e7e65
SHA512 3b547e1741c825e1ebe790c9ccdacd626afc86435e4ba785829930b9929f7b6420c9a12ffe75fc3bc2818e049787d45c7fea4e542525c1426a5e7c049500f986

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

MD5 1381c7751787f0d956bf1905f00a0264
SHA1 5ac61a6cb7489715b11a7cc8671617de455419c7
SHA256 acffd35d04750268ff568e0cb8cf56c322e399cbee9936b2c00e54b2ceef3b3b
SHA512 16b64293b4a2bc6f090b83f9c5939ef64587576ac1b232b7a4a82f811d284070b858b26ab1794b26e00b9b996e3a43ddce54e47435253a0e202d499e0ef03a88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

MD5 39304d4a85ef766b6239538205072644
SHA1 10b30b98e4b3f6cf424223fb313044e8d629308e
SHA256 8f74fc2437e97b7968c84df6c459d2e80f8ec116c6a4c33213a6d8da8b762280
SHA512 1360dbe312a002ae2017660f910a5e9e9f728d9fab64ec1a0ffd280defcf7b38f3a8becbab0faf764360a881f87f250c183958a782a4595f6db53af50318cf7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 a9e532d89f2678645dfe36a5b721d9c4
SHA1 13077b7c66fd0a5b3b9cc7f08678019fa03d03b3
SHA256 a7b5e7835fb44ea59c6e4bb4f044d5acca850c19675a1bc5b67389f0928f9066
SHA512 190c3b2fbf2417d6d2940070858347c2adcf573fc39b021598530910e9fecd3a36898dffea8e0f837ef1b142e837d717294afa36236ab16809c3c69053adbec9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 59fd4190c5f32a9bd127bf58bc8ac363
SHA1 9b761a2677b18f19e490057826215db58f2114c9
SHA256 5249126f1f1491ffbba05120df8b568c929b82ee26b4f786886d4bbd19c388d4
SHA512 b64c15143c4afded393816bca6e6d4dd6664af31779430cdfd0015324699da74e1962d66a80bf64750ec45c61b4be2f210c20fef82b0c21bed27e6289cf1cb42

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 2b012dcf490c4150166fd7e849e0a475
SHA1 282002662029c848b996231a1cb877c6c8b4906d
SHA256 1cf9a4ebd0567a26ac4abc414742235af722fafd19ac8d291abb77a79c86d52a
SHA512 1fb52db41e66486964c475c2ffdfa796ae02ece5d16c9f44b9c33e377e99c277f85b9a512014a9baa4736b98ed1095df37aee87c5bfc93f99b7c9b5bca0a27d0

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 b7962adf599d1885da561940bbbcc243
SHA1 d313d96f3307b2751d7146b5312d9fabf08c5a0a
SHA256 43325668c04b5b434003237483b9d35fa38af5fce1afc9b42fcd2889ad0a930e
SHA512 905f6f059c7ed096b0fc11b2346badf04272a083009714140c79a52df242eded330be7a216106473db0ab8a3b99c8947f87102feda5ea26f31aa680ea84d589a

memory/1788-5504-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1788-5503-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727661992394667.txt

MD5 ea1f4ec79c748b1ca6c0e2f46146a0f7
SHA1 7edd19fcf4a874a16d64c4590e375fe7d38d9a39
SHA256 a422d6d6b7ec6d34f600d922dea9e40a448aabf6369b9fcb869ab8fe36bb8675
SHA512 49bf5ddd1e5e59a4afd4bb7aad914bf8bcfb03d54402dc1e661ac84afd139cef6faf2f74bf7cd539838a227f5ec4970b8cef97da277f7551b848905814583ceb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662487357744.txt

MD5 0748d825c770b2cc348d49706326ae2f
SHA1 057d3590c2d852231c819a12e63f08a9643c84bd
SHA256 b48724c3a406ff2a992ee28046aa392751430ab5739430a6200ca509f4f5f3df
SHA512 fd2534d61fdfeaf1023d61c35dbfe89b06add2e323548c68c6bffd2d8a1ef3313565cd3740afb8ff993cc74088415223d83ae236a0ae1d0a61e1f9f6e9c67274

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667722373689.txt

MD5 2862e579f078cd82bf90264a0007390c
SHA1 da8c9222909a1033e8e936c20186ef006e58435d
SHA256 246b3a6336abd8d09e0ed12f099e4fed450983aa79c200e23f7f1415e60af61e
SHA512 aa9c5ed2273e8ed31913efe83e539fdb43e1e3dda538b7059ee324df80e05b31763b8bc682036ea72d6be752f2c9590bd769c45da73044ffb6d16aba3aca9cc0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

MD5 43e322cbc1275b732c489c0acb97b12c
SHA1 eced4db02093ece548c80da58f10d50b4a8f4e62
SHA256 9475e7a1d90581da982959cf0a1db743a9a7d96c1774b3f66e1ff08996516fc3
SHA512 35b60eb9aaf3578680802971dbb15415a5c2c03fdeb2ef63aa928c19824c560cd68b4a23cb80571a5f2cbf135a65eb011473d68c19282ef19bb87302f2699c26

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

MD5 bc0543feef825989e9272341de01d292
SHA1 bf45748630518a1761e005d71c4ff51fd5b93ed3
SHA256 457be74ef0df12dfd63e662c3ff921a2e6c0e455fa23827e4f16ff7ec30396c4
SHA512 239d334ecb624b73091e7d688404901f11dff82e8d91b5a9d69a5fe86f8dbd234334830b77e9ebc827163bf65ada4eda623e600aea6e03436c06a580696ede34

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 ae0e012745efc4cbfa0206cb22b68746
SHA1 1c94558899976959f43512bf3ab84fe110e0bbf9
SHA256 42221bc39107181cbd858cd2b8754a93b52c925a6bf2bdf220b9261d628ecb7b
SHA512 409fb6afcc023d5a163ef0045ddb496cee59c84c8877b97727b27f3f896d91cdb5bc621f9ca68a4337c84ceff136f5b5e64ebc46b97aac999fa296351f34ac26

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 1d550eef416d4e2ccc0c62d77195eccb
SHA1 a3e579ea7af45c8c9fe0dc3809133f38d1692aea
SHA256 3963c9551108e254ce24f279841252b646ab303b9c72a1fe346025542d2316a4
SHA512 de02e2b58719f71032cf36f1fe319adbf23e56e6a5bff66eed6cceae517a06658812d8dee102dd139df4f51d540d5a314e22ac7e2a13c82422b3b52f87bab2ae

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 3e3c7c94974d18a9c224a8c1dbcd88bb
SHA1 f33a6aa5f59f6e38c6a80fcf107364f2eb53a133
SHA256 e867f90e50837943993fc09be6a630bafb1a5bf95327886934ce98e3156f02c5
SHA512 7413d38ceb0060d997d5994a1e63835213d7d682ed8ac383199554aa3ac4f8751723c59f4203b9a3556060edda92c8c492991cecdb336e33d4d82477ffdcdbe5

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 9b1cad74a64c630a6592c798c380eaf7
SHA1 6f2a9b73e83b12fe891013343ac4b757eab7b6f2
SHA256 03ebb076adcdb0c062743045d9ff83414dc68e78c0fca3eb7b5235e8d8653051
SHA512 53e05eeab3df374def129cdc97b6249ac37a6115323a8b53e6fed6a1dd89e46b7b24198f6da73b72029279c53a12811000bec020fc32bf55a166953fa2f876bf

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 0204342a86d21c37bf24653cfe330980
SHA1 923fc65d09d5d63ec5be906390fd1a1088f97720
SHA256 3cc4e1c687396f716ae961c8ad64595548a76aac1617b9fa1ad576924a53d844
SHA512 79e9c77621b5cf7759d67b6866a712fd0e16f870a73956e507e233e5d528fd93d88bd948d6081d1d53867e00ff0a0880c87b344101ecc2f48b3ef7ec948e9da5

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

MD5 49699ecffad26438a52e687f5f0a4189
SHA1 79dc42d0982ef042656c618378a2e8676dc88962
SHA256 bdd0c6b5093730c4df29f2bbf5f9b007e97b4dfd7f221ad8347cd27477bdff0f
SHA512 bb9d4b4d544c68d6bbd5529119025d3be89816c1b45f7afcbaf16b89c55e0d368d5f51b2c2d89463f7c4fd113be3fe456d6016f4ab4fd9c39850b0814a19d0dc

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 b751717165da6e2f687622dbe20e5791
SHA1 c641b642cbeccd287a04522d3290ee8d6d2f6969
SHA256 61c27a9d473cabc210445b6919ec0dfb931b256390e930c963ff5ae980745ee4
SHA512 6c1a4267bd58c27ae3fa2c0493dd23a9654c73d3b351cd61f72a12b04330e31e9f5103573241727d975275774c799f3ec652f3b3fa844e6f66edccf3146476df

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

MD5 18f58805f3e99546c67a9e3e76871d69
SHA1 abb5cad137f91cd887c4859146683d8e24cf9394
SHA256 0ec51e097c5facfa0cde6cb97f2bc26fe67d389d8c0262762dfe2aa813200933
SHA512 ca58022db48c993b7e6ce7ca58c0a512242abd65a1d8f4720050fa2f2f54444674373f1cf153a9b5d0cc3e88e17909fb4f0eed6ef6cd27401703cbb6c58073de

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 b47519529e24511ead82f4aceb27f649
SHA1 6433c14f4243f25e765ca57a316e7ee6c7f506af
SHA256 27d6a7a39fdb3a11940de3b3a16cac0cfc86788889f0d5393812ed7a1b41ad65
SHA512 1d84e093518b4de27109b3cf874130e386968253edcf5824329dfdd43ba814972e8dc3fc7c25ab75d4f69fce5a22b2d253fcaeb4909246781fa3c3549f4418eb

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

MD5 fd0e5ce8fa77f25d1ec08d459c452cb5
SHA1 3ecd2051e7909522863b666c74188e8b5e8defaa
SHA256 63f290481de7a92626a314a18e6de78fd3e25a64add26a372fd89c5331318970
SHA512 5f3893b6e9346e109c879633f5645c5a372081369d54c49f97429fe4fed3a7a0dbb1a073a7187b7369a1d1add7b9a926eac3b11c4494258d442f1126e8e1c9a9

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

MD5 3501830cd803c99515c67fe23ef843f7
SHA1 7fcd940b57a1fe309971011fd217e06a7562e5d6
SHA256 0a498433e21e3e445395fd62e63c2fe8ce53e6acc581687ca7996ef43008ed4f
SHA512 ee3def38ca3e2573c816be0eb456ed018007593dacf7e288ae42a9063ea0ec520de289cd7544d3d5f5237e308c76e8d7112ae0dcbf3917df641d6e5cfc5e0699

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 db0248a00994754df9072639d7ff92e6
SHA1 dfa8cf4b694ebb7fd6b8c2e39d26377346d65a53
SHA256 4c213287cee23e70122282a42c399c626e6147983df77d8fbd9eb2d2f63784c5
SHA512 d2dbfb08958b1223100795a4a1721b721507fb0c7415ba21e52d5e097138a5c4a4bb58c6876c9ccf45c62abf2f55eaec5197f3df0eb1ff3128f13dbd0d428480

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 bb2fb37e20c5170c769c90b81c58d35c
SHA1 eec56868920024d27ecb4d47ba0a86d4b7c95750
SHA256 429a85bbd9bfbb5032e01a0ec0d7a1376231025e7f60c64651700af778a119e5
SHA512 9e5c50547b3109e03bf6bc6dcbc64025f2451c16c239787f71fa7601f1e3cc17c8fbd8b58f8eb4878226407b10973804317b9eb194e294f174cd4683f282a2a8

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 ab9447db67233f45749e3159d6643d25
SHA1 7a7233a58c5faa44c37c8ebaa21a92443a583dcf
SHA256 8b5c0e32f99a361acfe5b1782f547259da31192c1734c0f81915f7912fdc452d
SHA512 2bb480e325ff56c08e32fcfd9bbfa32583ca46ec726dd0cbe5359901df0406e581e5d0b119b71dc3882a3308b84ec19715531854ffe777b6c7a3e0473f56f4c8

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk

MD5 1c7a30224b77775d26e3dba317ed56f2
SHA1 97b0ccc66c056b28392bd756b3ccb6d03bb56066
SHA256 eeca18f820b09e5a10a40c0b57fead88e6b89525e4dbb07b3763b1ff8e2b5a8c
SHA512 78e16c8bccf23744ab9bc6219abb3899d3745869a5e12cb2c034dc1308d0f4a07a47a01686524686062f64bfceeb3d8d68429a8fc7f4610c6761c36d068b2e70

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk

MD5 6178d96df19ee979c0f841a41b3d047c
SHA1 ca02c88cdbb0b4361a9fa37a8e708f12b5fc9176
SHA256 ae7ec5ed1f760b0f9b12758cd0fb8fa0a9ea2f95eded4041cfa56cf1a907c074
SHA512 c3b477ea155a5229d740b35351e7ea6f791ea22a9bca1bdbccf2d1c81fb112025ab150573bb5b4eac6832ac1a7c3a682c5f8fe94e757324e5b0a02a311c240db

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk

MD5 da178ea31ab43a9841d4e0889943d5d7
SHA1 c0f786028ba2acfda696565e2d945a3e7e99b58b
SHA256 640d95742db1cbecf5ad3af44c3ad34b82b43958f5884ceef509fc3d6268daea
SHA512 13009c3bfb0489d230fd9c8ee5444c7eff4ac4d18713b56f8d52ad81f767e3bdea463ff62b1ff113c1133ca90c6c0e0844cdea16fce57c70deebf3e348ff909b

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk

MD5 e9c66de2dd7f49ca8e40ceb0ee298f1a
SHA1 f2d12170fb93e5dc7b7b0d740873bcf7fb8f74ad
SHA256 1e573fd04628033a85a7579f7bbeea48dab5da826e8b4d2a765f7b0ff0ca4dd2
SHA512 469732ff2284acc917c59d137b5be972821cb03927671c33ac4a09edfba530c9ee615d6b7a0a9dc2b9d723692e3359326685238e7c96612cc76b29c37c26a192

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk

MD5 b4202fdc83746aa1f6bc3d1e4e047409
SHA1 8d6aae0d92976428c6cf38ef40e25e650ff8983e
SHA256 c19b7531976ecb9bd7610d5966813b2880827a6d087664647712194e1e2bab52
SHA512 469a0238e9692055a2d6605413333f53014737fdd5f46b665e5a3d4c5af31d2200814c68179b2c5f6bb5d1a687999e55b1870a01012d19c520188ce7590d1706

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk

MD5 ee221ef20cacd976b7ff4b7c6f07e922
SHA1 6cded95feba5b656a927dab27d6dc8f563079f9b
SHA256 8f652534e1e6ae3b5ae6418131d3c9a4c716752e0b219f257d346ea4d69ee8c8
SHA512 357c0a6e93f56df82ce74788d4e075044fec39c5dfcb953d179a79a5d3be5f4791d6e69df443d8c913b8d7ae98e6db82a718e7f95e3aeedd5ae2418562b4d3bd

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk

MD5 857ce9fce4d2ceaa83ab7e0ee85e4bca
SHA1 f1706cebc185560659e41aa48454fa9ef43cfca2
SHA256 bf99fc663c360d804e3ef49da5ea6161ca0871f160708827eea0b891452b0b73
SHA512 4bd637ed3bf7395f1df8250d4c5ab2b9d23315444cfcdc88b77fcd7fe3f68786d692a2c9a6b4ecb3b0a00b0e8327ab1ab8a6b2d543e5732a6a2eb3f237ce55a4

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk

MD5 9e38be37e7d0b2d4e7a889ce7d8a05cf
SHA1 c887d92b4c894ebca5d12e9eddb9bd1c8921ec5d
SHA256 a20912eb25676ff6d16fdd6d2ddd7508215dec8403678dc25e8bc02fbccf2995
SHA512 47d16695cffb2e5630885e9051d665cdb9bd77e15ffa86f6054c8814f9ed360a68879efe4832dac9286753ea16fce662351ead72bfcfd6e06f8ce2c1df577e24

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 c16ec737bd948953a7163450e500cc07
SHA1 f3f073e012df1ef8bd02d03a573d9316eac05cb8
SHA256 2971aa567653d64d876eba4bb8228f753b453b13958c2cfdac41673156e28433
SHA512 f6c21f1abf3871decd93ea5c23749ecb85b0d205514d4dd3bb665afdc6efb884b5535c57b09f8383e9bae46394c6700aaa2cf0c5f8b811d4617dba779e759aac

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk

MD5 7a07c9561836a252c88946d28f6e0479
SHA1 2e1a5b483afa3085dd53a21e614a8df26bf9cf8c
SHA256 a58770c005a35721fd9c5e9ed3e9c72a994ababc328af3008523b7f603e83399
SHA512 a4db87d2c416d49302e22f8d7d35e3de4d014733e1b2aa424046045dac890b33f6cf9c41a4479bbbd782a0375ab9e6cd7267467e56266e7cd574de7d1957a498

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk

MD5 60dd511b8dd6312dc50026d1047de0b3
SHA1 0e59da7f453e7da0b9f0bb6905068802a248b225
SHA256 e707bc26615d7867ffea60667403750a10e3f987b50f6e8c9fea78081f04852a
SHA512 468f48a6f40cbf13daace4e9202f43b172ccd11f95e776d65ff4b1a17662b10a654563dcd4ed9b51a7dbe1c2fcb2a691a3fa7d92c2685687c70e66c7d118f31b

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk

MD5 2a750cb87ab92317f39388a86fcc17fb
SHA1 be8c80098b0610ba2973a93067eaa8079d291525
SHA256 0ad12504709b5608ad13867b281bb0c5a3a3b0a151c8f4b949caee24f3bdde58
SHA512 fe34e4ba37cf218d61c6d9f8b208ed672293eaf2b9944cafc2a1c9924305cc1ce90c1bd2e86c5698f370d3c462c58ef3cfeb295329b351da38b5c23daab4bb08

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk

MD5 484f828cf872617b14682ca823f13abf
SHA1 e244462464c71120dfd7ee2507d81db75e55f2d6
SHA256 7df8809ad0a18ecda4806ba1dcf9eab6c8deae722fffc0ef4dbc4751343e6c53
SHA512 0c1e9e71caad98eb009a9bd95cc3bcc6af1a7597591ab300b16a65f5d522e04fb43f39d86c26a09feb1eb0fdc16ee20f2cabbc0049ee01510cb3d37ca43d6a70

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk

MD5 e7f9dc88aa919f68ef3e985f87ec0615
SHA1 79985e6222d05695af97d86c0565e6df2b02b4b6
SHA256 575c52cfbe5135c018fe0b9ebc5970713004aab9fceb4716bb358888906a8161
SHA512 370c8e47adb976914e5d16600722481fe62add47002cffad6b005a6d20ca8ec28d26aa4bd901d2be07e9ec23b11a1db2d0e49c2a8919837d8c687f4df1c26c55

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk

MD5 38a1c2bf8ac22274b657744ccb221f4b
SHA1 b40260fad63f732520c8d86663002e7ce11893ca
SHA256 d131b2165a47c32d6a44864ccf957c68954d706724b51078ae0d04ea5fd24da6
SHA512 1396ecbe34ada2b4688200114e0d0dbad86dd97060ffc6145318c81dd5cf1d238b72cd475509f0db09816ffe21fc2477f705e6965efaee3bbfb6e0cc6d2df939

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk

MD5 add2b89a97e5baac673d23ff1c5da76f
SHA1 197c7b35bd59bfbd6db1df795285ad1067d737c8
SHA256 511c47680515bf8a6f7dd52a4fdfef79cb1739dccd0cedddc20c3b4e8bdecd4c
SHA512 34c4d9fc035f7baa4705957e034ee5b22e210b664eba2d46d8bdace48078f1f5a9fb719f3554e40ff55b5b75c375776e83f39f3b07c30739e879856584e93eaa

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk

MD5 7d5b3c69e66f3c91d5851cda1fb73f7c
SHA1 0e934bd62b6f36ffe90853a90b843a4c72f06d2a
SHA256 0d77776be3d4a0232cc5e6061de4163f7980234f5e24a65bc4cb5653a32cf2dd
SHA512 6bb07753ff23a73a9d0211b0a5fc4d3360c6644f1aceb2ee46883e3b0b255096e3e8d7cb0762aaea2c2e97c1c42467b8aa1efe31a0e5994cd41080d14b5a2de9

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk

MD5 18a1159b9b2f742ce2a9517127a22fe3
SHA1 408ecfcf8d95bf724c7f7fa79a451872bfa6c19f
SHA256 fd886a171b524c7185a42632be77efb0b7fdde152170e647d44817f2504e7c5c
SHA512 015ff5c35b866884f116615f33923a258826467069b22a9383b7716efce13998f1409e7c4606e7dca9d02bd23d2721848f0b2fd4c403494496f83f8a20bce9b0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk

MD5 4e9ad3e84ee68736d4fb6b21634c566f
SHA1 079287d952cfebe9187419060bffc6c6a9aec938
SHA256 e1729965fcc842f6db6a6f2cfd58ceb25871c1ba58727d4b69409ed5ac62cddc
SHA512 1329816d4e14efa99b915e0d6ea78f5bf014f51553c1b0a50e6107e8228c35492d0a343abe75f62fba4d2b6982d7f07136ca33d7299ca1d6febbff559cfa64e0

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

MD5 b1bfb9f8e53fa6805fbb0329923b0fd4
SHA1 793ad3dba02866e1e8145d96e507caf9ed129513
SHA256 ea3a0c5a7f84fd11cd3f6c3ae9c8faa918fc10818dcedb4f35d4eaef55797578
SHA512 f7fb8f6320ccf9cf2d79ef96e2214ede517a4287929030b98f533c6a8e478479291387ee453650aae76fc1a6a6f5fbe772f56ef6ab366b43f920729c237b030d

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

MD5 9a8011776f3ba8e6a2e4b32a4810df43
SHA1 c2b9371f01476ede6b4712e9a2822dc87a6ce498
SHA256 7764d5d6bae944defddfa1a1b41a77978ce6b90060ff91065f40b3a72d3f4815
SHA512 d7363fac025935b0f0283af65c55e933cd299de2847e6b46b0f99ea073b29c5d4aa95c1efb3059a9e4adf0fc10a3d74bba654f59bda5835fe5718e4a7b405bf5

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

MD5 e95e6cad84527d3991ea0ee4181cc9a8
SHA1 fada076b5818baa28ff01536795a038bc9b70fcd
SHA256 d242e267036f5f2c6c3778ee70f3b488e5eff6954fc8dbe634cae4c0cbeb4f73
SHA512 0bb069c454c92b224f24d26a86b56aa09063dcff881cb16c7335129bcb01ddd6f3a057a5ad6eb172eaefe9552fca3f244ba7bd4b146704285481e582f5311208

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk

MD5 1129f09f6f39c43d5250269f4ae20801
SHA1 a098377c74ae4d01e2f1adbd1ddd15dad02edc23
SHA256 d7d2c442f5c352c10f005000b261b701eacf2a8b3c0b7b814d7b387b076dbe12
SHA512 a771ea33f2930547c24c1d23ef06dd4cf896c0447ec5dbbbad48851ccdbaa1ce661e492cc7e9a3f8d335f14c9233e16ba60832e66f4f8b74042f29fc7bc9d685

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

MD5 8f08910ac2537d73dfc4fd2c7bcd2b97
SHA1 6106c4f77639c72fb5da90c36285d5b2e3468e22
SHA256 8b6d5f80340b0ffd9b8204a8e556c42690826791b2b5f497738088236715db6e
SHA512 597a0d5edff8973e576f94d3dba1137d6242323b4d27d42d57f4c76f9f9175d8b4e25e4787a2fd7c27619354d971cd554ed06cc0dcdd0aeb8b98b7bb2f3542a8

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk

MD5 2bf8787e1e79ac7849b81be3aceb5e5e
SHA1 87ffbfdcb3288ee4251c73fe0c067b543a04a381
SHA256 d9b100f483c1767cdfbf4e034cef35662e5dd1bce32fdbcd3b583dcedc0d9056
SHA512 66b6969e0b47f57cc23fabd2bc3fa8320f328e5c803d1af5e46b461101ef8ab635c6abbb4108898d95b5aebca6fffe55974018bd7538666677cd8dccbf8ebf40

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk

MD5 fea4219b65005292d5b7a63f1bd91e00
SHA1 52ed051084720997271c12188f3daddf4ee210f2
SHA256 8e40f74e041d1d05957514c8b111b6cb55b8976b631d81527f3ba6d62c2816c7
SHA512 06c7da824e5dfab25123e8e81957dc206c6ba959debe8fc7b0cb9994783bd29bec28fce0f8e41d39d249cd5308b29a6ad531d5b6b912546ef208e834db2e2a79

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk

MD5 500e2d6b6b43100cc14b2dd2813358c7
SHA1 17a984850224c35bbbdfdbfa5a4465da282510a2
SHA256 7ac19341530902700587a414dbcc12cd6c20d9422772a8647bc27a255d2f260d
SHA512 7b399b9b65151e7795544215f8c07b228ada7ecc63768d9f1954903dc211a9a7eb2ec1c1c6e5313905ffb9690326b8d884606807e14e5b0ec505c794b9cabb97

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk

MD5 1a42c2109c79390382a052f09825d0be
SHA1 1414e870f0cf3185b1954d25ccbb7307704d5266
SHA256 f60b80467dabfa68977341f46f019fa16de079a085b6fd33bc36ce6f2d32b6d9
SHA512 8ee854f90cdd27478b53c884e2d1e222a5f1cb77937ad84f085b9b0193c8081439c7939581babf54256023ab22cab93df4d5c365c6889cf59df26174db94f5dd

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk

MD5 70d2f36425b958820a672afb6ba57cfe
SHA1 f7e0dee3dda8760f30cba5b88c22af7df2f3c6b1
SHA256 23d034d64448111a48ee53b56f1d9154d3bb56b4b733f11660ee2d0b44b3d932
SHA512 710c867a2e9d010f9d797820b0f46336b7d7dbd9339b81c1203d71653b8bf66127f7c4bf91ccaeb032498bd043f6639a2d77bac604e65659a9232b0a12914edd

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk

MD5 119983a796ab23ba97882851e3a4bc73
SHA1 ad9b48235713da34100f2279a55c6f2840c15885
SHA256 4262a8b406aef0a76c8eba258df8b61d19a2da0f753e292beccaa9613edf6139
SHA512 9c9ff429ee079400ac288594c923e26eecb699bec0961695bec4b2fb05d18b9c868c6acf4734992ffdad4455e6c6af68ea468312660b0058e1556a9b97d0dbee

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk

MD5 18ee2d72ddd1e19ae0e65ecef421cbe5
SHA1 2fb769beaec6db51e66049e0233309dc64a798f1
SHA256 32627f65f77f547027d4a16b8fc54a3006f22f8b327e21785abb3881a6884cad
SHA512 9d26e02b436ff5bbe09f6033af47b66790b3f8edec73f210b1afd5e8c8275e60a36d40ccfb216fabf511a15e0cea4f9034fe8ac4c4ef4999966987a6c6bdb691

memory/1788-10274-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1788-10871-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

MD5 a00e203bee7e91f85ff54f405b0753c0
SHA1 f65cfcf343cacfec42f4d9a693b0c9b3a84c1007
SHA256 e10d7b9cc44c6c4ad6689eb2436a851a78cc369b808638da176f824965d9aa0b
SHA512 82ac0e7a51609a229d1b2f4ee7f75c83d7f03205f5cc2a513f8a34e06464f96e67a8cb357164f0474b8687753e5da2b1b35591d2f4e4c974e678a56aeea0451d

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_contrast-white.png

MD5 a02a98f5bdf54ce7269efa8297e35de6
SHA1 2ed69c0a918614ee7ab816893f722a267c919ab0
SHA256 864a5e762fc3afa17cd655a92ed7155532d6993c67f09150453d9c595f5ef4d4
SHA512 8854b4d87fe07f6cecd9fa4a97f77445d67570f20f5a572d2598ad2a609c3d26f4a3747dd1b7be8b1803bb6e299a69e91eb5561b6952a352f26b04b48a9937b7

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

MD5 77638f8d17c59f60a6e68d94601e3934
SHA1 e8a12145101b2781ff4a79ee5c8a9664307bbb58
SHA256 2c7ef7dd04489cbf22be865558ea354df3c9767161bdeb8dbdb84dba9d92d6a1
SHA512 0715be17b7ff90a6270b44d878565d7a7d3c6f719445316a694ffa8f02b4af0d44a66b3e195513cd5630cf588daccae6c5a1b80f79a521c6670ed66431931b79

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_contrast-white.png

MD5 ee04df807f402cf86b8c8d622e02bf9d
SHA1 b4192e9dfb65e30a0a39172e2f1da230d5b5de4f
SHA256 fd8f25a03bcb169589ce18956b4ea0704f4a544fd223d45d5fe8a4a3f2ceb38b
SHA512 277015e9b3af8f5b1b6a11a4bbf77e6c3f713e74f7fa90f1498d161489f1e45f985fc8b60d144fc6e7664e70fc06eb3a859db327cf717ab272c44abfb4010cf0

memory/1788-11198-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\WinSxS\wow64_microsoft-windows-onedrive-setup_31bf3856ad364e35_10.0.19041.1_none_e585f901f9ce93e6\OneDrive.lnk

MD5 88e4b8ecd6a0fbb93f29c1023cb54db2
SHA1 46fb27c783106e33015f51fb7d3f3aeae7f396a1
SHA256 04651f67cccc272e095ce099f35678c564fb685eeb2beb3e73eda8f62c53a98d
SHA512 1602d86912953c62a37485c2d442fff01a5c1766d9d5915626a7c7915684b262543d87bda21093a550921853f04140106e739bcbdbce55a338a9865a6a737b7f

memory/1788-11203-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1788-11204-0x0000000000400000-0x000000000040C000-memory.dmp