Malware Analysis Report

2025-01-18 20:41

Sample ID: 241124-tnw6raxnav
Target: 95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118
SHA256: 5103d7f1f440612cc2d47a6eb0623ba6e3ef972e0ed11b4414d447b39aeb9259
Tags: xorist discovery persistence ransomware spyware stealer upx
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xorist discovery persistence ransomware spyware stealer upx

Xorist family

Xorist Ransomware

Detected Xorist Ransomware

Renames multiple (2192) files with added filename extension

Renames multiple (2188) files with added filename extension

Drops file in Drivers directory

Drops startup file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-24 16:12

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-24 16:12
Reported: 2024-11-24 16:15
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Xorist Ransomware

ransomware xorist

Xorist family

xorist

Renames multiple (2192) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Drops file in System32 directory

UPX packed file

upx

Drops file in Program Files directory

Drops file in Windows directory

File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa_31bf3856ad364e35_10.0.19041.84_none_9deda7fa8ae8a1e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasdlg.resources_31bf3856ad364e35_10.0.19041.1_de-de_c30e69a8f8824874\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_dual_mshdc.inf_31bf3856ad364e35_10.0.19041.1_none_d168bf476edd273a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_10.0.19041.1_it-it_c14e7df086b257d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_windows-media-speech-winrt.resources_31bf3856ad364e35_10.0.19041.789_nl-nl_faef52167c9830af\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_ja_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\Speech\Common\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_302ed39f71afea9f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-creddialogbroker_31bf3856ad364e35_10.0.19041.746_none_8c265084d938197e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_winusb.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_b535c9e2151e771d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_c7e2c0ee60996ba0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\StoreLogo.scale-400.png C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_system.directoryservices.resources_b03f5f7f11d50a3a_4.0.15805.0_it-it_4a05f2663682408f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecoreuap-deviceaccess_31bf3856ad364e35_10.0.19041.746_none_cc11061ec49aaab1\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..mdeserver.resources_31bf3856ad364e35_10.0.19041.1_es-es_8d808f505df22edc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..omponents.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_bc253b18ceae7e3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.84_none_ee550b91ec0a7e82\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.19041.546_none_5940d1a4fc4ad8f3\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ngc-ctnrgidshandler_31bf3856ad364e35_10.0.19041.84_none_5b11e4395d8d1b02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host.resources_31bf3856ad364e35_10.0.19041.1_de-de_a54dc07617a490f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-a..one-updater-service_31bf3856ad364e35_10.0.19041.1_none_81f7d91a39c3e766\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-msidle_31bf3856ad364e35_10.0.19041.1_none_8bc794b076652ec0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\x86_netfx-sys_enterpriseservices_tlb_b03f5f7f11d50a3a_10.0.19041.1_none_dcb28944f31168d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Resources\3.0.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.1_none_0d51a8a399d5452c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\NewWindowIcon.scale-400.png C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\wow64_msbuild_b03f5f7f11d50a3a_4.0.15805.0_none_0606cd4b5dabfc56\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-vmcrashdump.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_020afc977c5c8fa4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..lperclass.resources_31bf3856ad364e35_10.0.19041.1_en-us_a931b4a7342696f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_32676778b2a04dc4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_prnms002.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_576d2185d21576b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..stedsignal-credprov_31bf3856ad364e35_10.0.19041.1_none_8ea8ef13ae7bad36\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_netrtwlans.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_424d19777fa7cf0f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..iagnosticsframework_31bf3856ad364e35_10.0.19041.746_none_ba540d173f997bc1\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..i-printui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_49431a473b0d3b6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_10.0.19041.1_it-it_688b7849ab2b50c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "CFLABCYXEHTPLCP" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe,0" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mog.exe

"C:\Users\Admin\AppData\Local\Temp\mog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ftp.gtarus.p.ht udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3684-0-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mog.exe

MD5 7ca237df45877c5c2885b323bc311eb8
SHA1 2c09e1d0e5d7cb2eefc193bde8030ef4f978ec41
SHA256 1832ec5aa127ca1549892560088ff1177a872f83a253d4f9b508e6e40ff87c09
SHA512 59fcc6de1828cbe5f4869dca176a1a1edebe2390f9e47178e0f158eb13a7b340392457619d4552869c5c83a08283059dadf721e9144575f5615835fb549ca3c3

memory/4820-8-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Program Files\7-Zip\Lang\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

MD5 520c33eb1996d5f944bf2c0c20d22990
SHA1 d0957414458c49b914801432034da925012f0b07
SHA256 414ac5be57488b7cb56b3e9ad509ee2eb73a510bdb3892973a9d42bfdae427e6
SHA512 c689a9b2fa329ac6c02f939ea011187322adc2fc20a9117f872a27ede4e366f8bab23b55145436bf49cc9b4161f49ce442affa31777e694d540dbd3106ba27d6

memory/3684-106-0x0000000000400000-0x000000000045E000-memory.dmp


C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 2d0eec7f0bda1804985ada51c59dbd28
SHA1 c338cb665ebc9d99b569272cc192dc87546ca23c
SHA256 14d454778c0ecb937d4e285bef6e8d77e1790d37f4a9e3619a4e8210726fa85b
SHA512 1c53cc071a4f9d3f29b4eba3f9be23f468a8ca8821fb8eb355889673641bebc934dfd12402bde4d4d8a92c9776b858208ba5ff9f45ed9c025ae9152f5888a4d0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

MD5 9b7e7a877c5ae937c11dbf47423e769f
SHA1 b846fb7e63347a47dae2d751df12fce762654958
SHA256 b6dc7491c57385ab4609d65c0730b3d147a7583a7b14c3b08b68d3b3ce887c53
SHA512 8fb965bbcd5664dc3162829e9c7f322154fe6ddd0ce91d7800ffaba07679e463c95498024611442c4c7e09eafd73fca0c3ddcc32585d71888ea45b4ac59581eb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

MD5 392b4fd34434ca8d5f2cf55da2a2f0c0
SHA1 ba44072df3069e6f5fe6588a4b7182794b8f50df
SHA256 474230c01efc6b1affe1bbc814a0c413d1a4d9fb5344adb4883c9d1baeba8f98
SHA512 552e6bb48765e4ded01efab77efd5a2b4878c8fbb37b96c9c1c097f74d57c98e0019bd001dbbb136b2b76e5e0619d9788596d6286c402d7c619ecdbc425d7ebb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

MD5 18b2e6ad803c2a382850191bc65a1932
SHA1 435ab672271a6bb2e62e8237ecc0690c92c3b0a7
SHA256 1f5f8bc8410a329dba25a3c1ef6f9d30a982df4ab9adc369826db1b7682275da
SHA512 8180a9233e8b746ca72ebb3ecd2448b1ee3a126eeeeb0669f113e690e122359ed2d10ee77e40a2c0389b110d9ee521a787fe3132d5ccf4a3d80006cd9d7523c8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 3f2be98adf82943fb48c729229c487cc
SHA1 0214675e9baca99224ac604a4f41ea61d26bca16
SHA256 ff0b9b1828a792a5428e2add77b1376f89337ea616b566c7442036c8ce3e4bd1
SHA512 947f0e966ffce96d6225ad4743258e69465d754d8ddfd6253dc3edc13ab267b876101b1ec57470395400b9286dbf27e0c2cfbe529a078288a54728ba4e3d8bb6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

MD5 c983181f16e21caeb47a2277951f5d3c
SHA1 29a44aa5ece928ba5f36c110b0a281cc93f2882d
SHA256 c5659ec502ddc425fe00f64f6753bedae11ddd2c341b42a45eb2f5193ba32c8a
SHA512 cc7458257c46e17ca0074e5e3cef0b864f5c76f18d7104255e4421e8983da8de8184623d1949cdf67ee4d9a868deb73465b1f1e67314a04d9f54290775725e85

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

MD5 bbda6775444420bdfa7604efa2fb84d6
SHA1 dc73dea8fcb64b8db875218c4b1a10c31a7c2714
SHA256 446eea2de249e30e733e849214c7f738ee978ee9a1e80f5b1a95a200ccec2542
SHA512 1d29dde53c3f4ef6e32d5d97bbb03b161d341f4368b9e80589e7e877c2ad034cf2246c1ed6f18afffb906decfbbd4dfc8a97ddf9369afdcdcf0490d7e4615f52

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

MD5 794d7e2c377834cff062d1eb674a6918
SHA1 4a9ab556789a92c58470be4fae0b6bded85450b1
SHA256 04d9271b33972ce369e692d72aeb2c831678de5871de81a474ecb0b110146dd5
SHA512 ccb12b30d62333fd3e4ec17e92c7bac8a75e53e9245d0040d34fe8806b9c26ef296caf33abb984897e857aa17b5a49f4aaa5b2f11fd221bb1eb4348f10a30758

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

MD5 52d5e7d431b185159f39381d9e1df4fa
SHA1 06a0c20fba17522ded769e56d95bce8e7d7c5554
SHA256 24648619ad558702e2911c15f68cdeaf9fd58bc786ff44fa8c7e53f76ba04506
SHA512 356ff64242313a29af11bf901b0280b4b09355d50aa28be6869d9026fec125ead2aa15f33a75759de8a25de393262b93ec9dab49d32e17025208f9a032417b6f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 4321497dca626223c6b40b3a7b1936e3
SHA1 6cf7e350ca719f46f4f76229465949427bf62fe8
SHA256 d4a8de013f59f2a69546d3d35a27aafbc5401736cf4c0f46fd2fb37b2688e681
SHA512 3f8ae5dc28b06da689117ef0891930e790809503d8ff5e3b27fa641071400a673463a20f554d7e16e3dfaa6816b71264987fafdeecfb368b8bd10fc951cb47e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 6b027560718446bf6173aef66d2ef23d
SHA1 b452c116965b97518133aa090e65849464a16fff
SHA256 f8427fa1fce9a8736943789cf2615bb83cdcf07152155eaa9077bb07a5fd6fba
SHA512 eb40948299142fb05924307d8c1a65f3fce64301a6b7a472915b1ce4826b22ab56610147c0ee572d847315536cbde9d5b8e8d644eaeba822953ff4dcb4786027

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 07be559b861fcbb8f5fafc883ab81438
SHA1 68353a300238888df2325bd4c9a13227a1dd2c0f
SHA256 64daaa50250684c9b400e8adf37a06eea23680161d14f1d98704da286f72a516
SHA512 8d3c3a4189ff3a93cf4b63e1101e51e2b5cf56dcc116325be22910ff48e9017d1eb0f04d731321f29e905e8ec54836043d094e35469efb39b7e4590dac45b277

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 2a2b76a7c6733159c1d9a134c048ad03
SHA1 f55b1dde1051d50f5153ca31410eacfba259acd3
SHA256 c30660bfffc8ef1445e698ee668a7cebc651f3f9e5b6e16089315a48c39a5376
SHA512 4393264f865f7cd026479b233270bb934a8ffb41bdd0bc4a4d23e790131282194abc6cbf282a717aee84c24bb1a05da8ef1ff1e922ac820611f33afc7f7040cf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 0922f83f74e11297cb3f12add7d6bbde
SHA1 ce5fa6304768b99b88bd94cc01921ceedd26f1e6
SHA256 d3b29409bb480a80608ab0a89239a13710697f2dbcbd220b2a0c940083b08db7
SHA512 61c9a4dc99927769e5c7b70414f644a3ff90f04e4d50e5aa417f64b557287dfc136002293abaf6c2cb23fff02b9f1a39d97b23ddf9622d6c8e3013c5c58797d9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 8841e8fa70f51505a4cca8d340f1e814
SHA1 ba129a602c98845ff247dedd86b4127fc2e2bd41
SHA256 8542cd2fd5934805db836f43a10eda18129de322fc25cad79e914f9d891e3337
SHA512 b08be5f37de726a11c84d37c6bfeb270a40d196cba98bf4f89ba3fbfd199f5ce622374ea67c2207f8e3109b4e8a3f09849c97ac3f1b971a52d2bd0de266c6b12

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

MD5 b974d89b39a8cf8352b7c2423693686a
SHA1 66475521e5ef71565bfb069488dfe994066af109
SHA256 db008b93a05a614395964bd08e8b3e7adbc7903003c8a524aeb021a7a536b3cc
SHA512 27229f92ebfcf30bba6b9f59bf675ed523a22eee70be7461fd472c28453853ca2672d5bf3fd36d98b9a6a289121c227fa242beedd770058ba80cef09acc6d8bf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 7ccd4c61c451e5fd6024879434ee6123
SHA1 1f957dcb138400b20ff57dc500796720fc8e1537
SHA256 069c42d80b7ca8c19556808956f2c13479b83f7b9570c98ab0162e28ce6b34cd
SHA512 37bfa0f9be9bd4d79beb7cef536254bc5a421ef01993a1fb1e412b0d665793a9cbc4fb20c6f09dd71a6ada0c7d4b961819130ea1a9cf131c6cff739ad48551b8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 dcd5ed993d6f330eae8db28e053d15ad
SHA1 16377b009c88fe23e633e614e89b9931858aa63f
SHA256 0a4e90b9fceb22ccbaf52ee14d3574b59cf7438ec1b233fddc73f7471a20abc1
SHA512 62795f3122e5344c253b833b5be2a015a7c502e720a760e1a7f6756058e7d8edc30ba18ff2c6ac3e5c2a6e7717f093297b6567d04d68a1f6011958ebb1d82ec0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

MD5 45ddd5bacff3a28a5538cdc884b1624a
SHA1 165cdc37399e44967543a5598952e694cd341c93
SHA256 a5d220b7ebd30acc2c73230c95e05c98608b68b8f26d08a247ea23471d7af57b
SHA512 14e193128482ad288133458624e8cd99d4e03592d32744b365529ebbf4327d0cbe61849967990e2d4d32b6d8caf97c36443a56dc336250b1a1502061626643ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

MD5 2f5be2ea24d83e74d2fc7fbd9b753e42
SHA1 b4108ff58b194d910a7baf12590bbd5cb0a73515
SHA256 cf87d5c83db8d0ab2e5625e336210c115e1e14351444b7b91ed111e767e755a3
SHA512 eda480cf9039f32b577e31b20affbfae3f738fcb1ac7b5ee7bee21371c29caef807e6baf1533003f1833fe4219bd99052daaa5137a8c6ecf2dc1f3067a2d1e38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 00e6505b520b6e5c19db6720ec190137
SHA1 0ab8f840a80b42e4afc2c39072db6627d2f4cbb9
SHA256 e76417e46cceb7a1f772d75ad82da302d13f5641796b1f92f9a2f5df059e4aae
SHA512 ee8012fd7959e0f0a5096fdff7f25dca34f5d4eafdef7563e53f65d7e1163604ec0736cfedfd1ca10e4fa1bf2428887545821ef5c0ae329155a4f691e3273aa9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 7c730050d5a8b1fe760783ac5e108472
SHA1 99592f2fc21cbb860fb7ee7e864375dcdf895809
SHA256 3027ac00788a61446f0174057813ad9c05873a0642ac3445abbe58c4a4e1dba8
SHA512 07c1fe8b213f5e3da4b3d6d5b7a919e0b0bcc10768e7eab6877e5634607ff931c8c7851cce9ea088843ad3a4d7c3a502645707b91214666a5ba9b5e395dce9c3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 e1557a1ca64f8839a98b8fcef00051ce
SHA1 1491dc92d36a2a7713e102a6de98b0c1d8c0b364
SHA256 e8ef772e2b393cc7f9fc96e4146924a520bca1f4219ba16699e317f7a33cf433
SHA512 e5b3983ded87db3c0bd90249856be2dda7ec21a94d98eb3166817cd5cfc67bc76dcca69c55eec10e41a92dd87c63e681a81e2231d280be5097ad72572658d3ca

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 b4bb2e27f5497b4042f4362dc83af3bb
SHA1 1ca61fed8683f85162248a67553cd76c5678ca65
SHA256 803b743f9ca5501993b9478923820e498c4b14237dac626288fb49cc503085ec
SHA512 22046beac1396acd04ca4086ae433ddbdcfd722befa1dcc3a57d7197ca1d3bbbb56f211d3d3aa70bd8d46200ba0e626bd888a7be033020ab1de3af961c49ca08

memory/4820-4854-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4820-4861-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727655840085328.txt

MD5 09ad1fe8947ab97023e4d5dbb9b9a767
SHA1 756905f5ec4bbfa56f0e0e27556ebedda0416a97
SHA256 4b9a3e4b57810b762c8966a7242af3b511d1aaeb692528e4bb7fed9e7bbaf4bc
SHA512 1375980d7a6b8c7f75d4da1773f7009c28108a47dc637d24bc4ac972ce56942ca2dc54314cdbcb34d0311b4203b32288c663095f2c67b6f80d14d80745cad0e2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656363999749.txt

MD5 6c8cd25bff9431ea6affdb0719e4b784
SHA1 0344af6c3ea70a353262f001765e2a0cabea50b8
SHA256 8ae23367003253967df1d3255412c80faebb72e05181ed77207941de0a95d848
SHA512 06d3b9db644e4d70904271a2dff1346126168f20f072c8eb73d2489d7a9e521f95a2cc562732e00adc02bf899d3ea500a44e5952e1097b7a0703434350f77342

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662640605367.txt

MD5 6a63122f4bca44c8b8a9f0c87c139f0c
SHA1 084787c0c5f36f307e953f7292615e8274bf23a0
SHA256 8a420e3c5bd0f7ec18e5f0ee0906b28f44c8ccd13ba4581a9b320775f212aa9a
SHA512 c7ecf38fd1d342460262733dc0595db287c83877cf34a5edd83312ef0faf7f8882ad3a39273a8e55570e0daa97a6bde91b781a9d709b6822d46c9e5f6323e2d4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt

MD5 07a0a0690be81ee7028311bfb6168828
SHA1 3f5eb223985bab24d7ff7b9e886deb3a43996a1f
SHA256 eeda584395910f11e0647ebf2d793dbdd462fc00f6e52e22f314208554a4edf2
SHA512 0c6f349e9855e9574c4844641c1d56981805aaf04c626118535a0c8f29e0595c599595050f8066bc43521febbfba5dec71630edb4948afca74cf663fffe32759

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

MD5 81005e9409ff80ec9f7c3f1926d5d1ef
SHA1 f19c8b6af530a516906d0ed115a776ea447e35b4
SHA256 d889c518efacbc0c15de7227b3909382d74929b8961cfcbb9b12361b37297299
SHA512 bcb6e80161601ce92de2012085da15ac6468d0c5f9e4a586a1c675487cecd5dba880c2fa5fa8f3962797f7dd7d4c4e3c78c1a7fea39f9a5424c6c4a767206e61

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 26132a20cdf2b406398a16c1e520afcf
SHA1 9670d94bce85810476a21a47aa800046a46505bd
SHA256 16c743b2c3de29cba451659b27632cfa3e2c1888b3eaff475eef65f24e44c4ff
SHA512 429684b4e3668ee03e4b45b12074b9ddc440591732cb6010c1164a83fed0c4fd22518488dc8e3154d6600fc4e3b67ed66a7be87d1d265894c860dd81641bd76b

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 4445c7cdca85d7d2dc3a0e23196bddbc
SHA1 986b80848f6c267eb0d1aded62d87a0a90ea068a
SHA256 3f948825553a62620840bddf9e2ef561fe27bc543d7869ba0057af9bead40e35
SHA512 134497802ee9b1174fcd709b1cc9f217d6f083d7180d3297eca45c7225e16802b0600a2d37aa71393126935621291fb0e773caaaa7fc74566e9541d1892b0760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 bc60d114ab69b8788b87dbbafc5f6ebf
SHA1 4b567a2ea842cc00af56e4b1f429b0fff35d2c07
SHA256 7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738
SHA512 2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 3de1f7380e480193a82526260901967d
SHA1 78046c58d190f78e8f338a777e4afc4dfb3bd6d8
SHA256 9a28337a3f9cd2141e7655e1f27d83983703c418aa90ced9a9b58b0d8ecaa9cd
SHA512 2b69092ee448ae83580621fcbb591aadeb787892db1b10ac812ddeb2cf6e20bcff1b542ce045f6c1e7998be15e03f4dffa557d18d2f0c6ab59bd207984975a33

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 204e8db0d037a24abf4752942e95c06f
SHA1 30d2bc544c18b96217b00a32f016b29054b2e5a0
SHA256 453b1ff0aab5b82f096b8df5c770356da9f44d34f54bf96b6eba2b424261084e
SHA512 2805eea3b767bd7fab0ff47b920a37a49eac4535284c2a6c774374b72243c367bd6b52ef020d8aee306a17909cf7e5e1a66bbb9305fdf0314e0d84ad4a9c417c

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

MD5 7524a38c82121080b2c336ecc8019b7a
SHA1 83be0a561687c17003eb8f702d3009b82fd884f0
SHA256 b0e49e0bb9055ea1bd204ba3ed561b21fad5a5cc491ffd8f2e96c0534bb9000f
SHA512 23de3c3ff39bc49bb41168fe0660912e9d0f384091dacf1f6756806c06170de8256a54a41b47342689b4c19ae57ecae0ec13ac9442cd505f82afa01ad0e33564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 74ce574cc58fcefa9fa0efa942b74b18
SHA1 5ff49d78cad41fd75278419ffaa33acea1dbc640
SHA256 b18ef565aad0f7b192c13b3e2ee5d655cc3a349c9008d7f5b80010966c6a4830
SHA512 e98eafe36bfc133a168e8bcb16e0149fe79cb3c02443689dcbd115e9e7272d5fd99f26afc681ea396dc6b3e0e7849a681664c93672c0a91f9b19791d25ecea3c

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

MD5 1b6345d286568c4654fc75698db2c9a2
SHA1 611bdd40ab072d1a363b8a92e98242c275525ded
SHA256 938a519cd0a27e6612c7ab88c542ca83fa593ab66e926f898a5fb93fb17e6b25
SHA512 8b3995aaf0eb34b86d19c714cfac4ac233ee7f38ea7a6967a3c4b192094abf7510101d0c93b594bde20231faa9d31ba8e01a3f9634f4e99f3f5503f668adf3d6

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 c67045249c7d18a71efa6f4ede270a20
SHA1 4a1bfe7e124a56cfd41f75d0e036581825780f85
SHA256 6bcb3516e9ceaca2fd5a46fefbe33119579181c2fd99ada67c7c5b1900f87f9b
SHA512 b56104c78743a0ec35db435ef95af658190f7824da28b9a65e0d6f8c39445309404c4b20586db237d697e9cf3a5c927968041012613490777647a0d97f974fc6

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

MD5 f1d8929fedd24827e11e8851f798da5e
SHA1 c843d0b664cb9559d0b82abd4910e27db312c4e8
SHA256 0765ed2bdb01e143ce740406c889220ca570d2c7be92b6bec9ae55494418c163
SHA512 1e3480940ee1df0d7bd051ffbcf30c112809b1e876d708573cd3dfcb0e1183f4182c0116ce93cbdd080a89d5e3279a27adf72436582bd6b87bda69f625285366

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

MD5 743693c83a38b55ee24df0f350dea790
SHA1 7e8df727559718e88dc030f98f5c6fa8adb402d8
SHA256 ba3ae0e9aa98a9ab57bb0f683c3f1a87e28a23f2d5b25adc53fb3e122c0aad7a
SHA512 5d86ea75993235860917291b4f6b28d0b4bb7274ce279f71918ea97819297df3bb3d862432d010a300e4be79218cfd6f8b7a54e6d50dedb1ab76b1d7b9264797

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 d02b7220ce90d7c8e3ae38ae149598a4
SHA1 df318bf256425ce3bda38b10def747d53191efca
SHA256 6cb21335331e38eec2b27103ac334247dfec496ef6558453ba3e0369aafa8781
SHA512 7f6240b48497867909c118770621739c30ebc4f0d55b644c42e4d92816516ca0821abaa727adb5b183fda05bbc3ed71201f049970016ffb1763083f072a85e4c

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 d0f17bdc7b58ef56d185e8ec3469feb0
SHA1 490e119031c25e11426f146a405e17512cd74c28
SHA256 50ccfd9925ae9a6f5fbc90fe783762f98d3a757b8e2c3512f1e70f92730bee57
SHA512 f557b19d767af172d0ef043f89bcd8f560fb7545791fe5373c8acb42654023a7514ecf712ca3e0b45bdf07f6c41a64e0ff3069ea0e07a266fa79682aaa47701e

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 941b94a87f6302ed1726af7b54b008ca
SHA1 bcd232e57e73608929d7d7446d83d339de2b5ab3
SHA256 6174abc23a5d9476a60b596d9e97ec38cf7513e166190ac7393efa207eb7e092
SHA512 8389d2fb5ca57d5eae278be47ad71246c45b256179f51901a11ec03a57ddf3b6e42b9bcdc1dfcb7d0142f8395130e78d0b1ffdc180242fe094cd19de078efea6

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 ead0bac0d45542c7829da37fe593c1b0
SHA1 04e076fd6bbc3b0f8273b6f85ec1b7ce18a8d3f2
SHA256 f698436db4c8d9350eabcf3b93ef9a89ac330d29e239d66739c806534d430581
SHA512 f53be0b3fa9406e22d10fc772bae688625b39540c95424a2c672b6f63d2b116523be213bac9408380f3cc0264ddf824cf3bf8b14bd81d6c9fcf296bf1c1914ba

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk

MD5 3c0b0ed13dd424b3e9d4d8152be34d10
SHA1 22a0a8cd977cb998c0bc907db9bbe233f444ef07
SHA256 658121e348335d426a53cc2c4dc0c69a31a391bd8d91d0c850b923723cacc68c
SHA512 e61ddd9ad295f2651801dca0a378ca75f0ed93fbf5d7e5e6aa75be15f2401108348fe3634ca7849fc69a3c30c48f50edf7af9da1454b65f32fb4260a06da5bf8

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk

MD5 8e2a4ab93223e4dd4788d911f8b5c9aa
SHA1 3f0a6798a8008b05655436e93eb62b9e4dbbfde9
SHA256 cabe75f15dd1ef79df1dac6729bd47795faa88f36eb851b90768d66203c78820
SHA512 b78ec763cd02fa1c32af45b54392cdb33a1c2c9ea063b66dc6e0e14352b71f4510ac42f3ec97a6f50bd5e2787ceae59b0924fb213c20448e64b3417216e6c325

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk

MD5 7c29ddb59588fd440b0d76ae6d0fdeb3
SHA1 af1a85356ca26ab7f55fe53e82f0a026afa21f42
SHA256 1fddbf6d293ef6f168852ee944c4925e78ddbac8b6179196e9f6c01c3ab620a7
SHA512 ef9cab0114ced7d0b3be126fd51449c1b31c3ce7334ec8961bb6f0f37c1c7953aaf8c65ce9bc51ff1cc620ca6fac0ac42cc1a1be73cfb71d1e615b92bc6bde9a

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk

MD5 de4ffe0dfd5526c02a586da2f58588d9
SHA1 5cb641411862e0f570467cc568d881668c103ae4
SHA256 ea7ae9d22e67cb915080c9e2b57ca3753cd7a4f91e95126ae5d53af0150b2c25
SHA512 5c66afa7976c4f0ae3d7a6d49ade48ed9e19ed4fc6c71eca6523bcc5614ba77a8b1b60b1f9697c777c69b7f34bcd6f1c2dd7bc48feb90fce4e1419178e354499

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk

MD5 1663c0a0a668cab43901917b42100a5a
SHA1 2c803d559757dfab2da05b1041eff2a3379e2ab2
SHA256 65803e74d4efe23ec9609db53d625d85a685a8b1a5e23ef3726123872ab3f810
SHA512 725eaf4015dfec06f313036079f6e11caf3890271e4294b77f582b2b23dd5e0284ede70ba57d00dd0a84204365493cc94b711d902a7c1868d2669a1fd420bd7f

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk

MD5 575420437e6dc19786ef5232973b14aa
SHA1 bc69b7ba26ba6966ee2ed945dd3c564dab0d6882
SHA256 d08a1a36fe14d4cda69e129e704fb13bc90368d7c5d493bb51d3f953ea9d8de2
SHA512 b3f780a9a47d2c9045b88c4f9cd18f47a0aad377fb57d46ea899397f7c51c9d413fcc80c3f2f9cf9ac31d792c217fc71a9c1223ac2413914708b8f38ace41bae

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk

MD5 081f69ca0437500980297ac6f3fcd344
SHA1 06a16657c5055d624c5f89d37899e5a66bab6657
SHA256 d1c5f5280da200502fd8161c22f3d656b95360b9db7ea053353dbf2590954e6a
SHA512 3b265715ff6eec41a721510254c77721d91f08f21009f4123578f2e3fa075de5c479d4486a102b0baffae7619c208abc0972c6c7c2489d0f82f35e35d5ba09a8

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk

MD5 c2eb3802204151b3351c6e5485c5ecf5
SHA1 4171b9e9f6fdbb444d5dea17d2980a21bf5572ca
SHA256 3e85ac4439ee02f1c0b81792f413f421ffe9ca0239f34ca5d9540b68bc2e1d04
SHA512 f9cf40509ce2cb8a87d068675785dc12c7baf50baf008e5ca4789e3bb9b88fab6e2a74b8acc4a485da13afe6f58e13dc5173b6d73fa5437ce425ecbc6464fc23

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk

MD5 e3920410d9fd351bdf947ec6ebe806ae
SHA1 15c4b67c70a7b31496399f93682262bbe2d04595
SHA256 2d4ede9a273782274fd6df92d177d9ea2080be9eeac3c1a1f4273f666c622d72
SHA512 ceb9793f85f5b60b1c56686698c9d1d9d0b35d16d2b2bdbc18826f2d983a885369dd680160261b99afb61fdbb4d1f9a443e53e4a79e33806d7036d09e00a75f7

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk

MD5 e488dd369945036dcf52e0e8c210f372
SHA1 8df293778a893d403fe819ff393001be9869d3a5
SHA256 910ff12ffaf22acd5f88ca49c42267f57ac267c43749f25697ea75fcb6760090
SHA512 2a44bc6921953a493828117d9849adc6118af9b0c3e2cfa370f4a54eaf737f3a198abaedb26b2714f7c2d179212277b296d221c093a9c17a431bac9c2dafb11c

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk

MD5 170ad0b0116b7f17451a07a17bbcaa53
SHA1 a35cb41749b599fe463747fadfe69c9aab8f86bf
SHA256 ffa0e221927757d6a0108c97223ccacdc02b756777b615089cd76650d018c40c
SHA512 2fb20d156a4c648319ab0e00afa3f72aefa84bcafa5e48bc6bb1b4794b302bd6aef7925ad1969b619eff629e815dae45a04cd428adfbe3e7906d8a141198b627

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk

MD5 46103ad9c47084f3f499ae4a3e606669
SHA1 1e704a1deeab00c413251b9a5041d7ef192b7d98
SHA256 2a270b231cf9434a3bd5c84f4c3dafb3e9409a9c905c107bd203a3aa111de8a5
SHA512 24ed8d0e817a1f32f3dc2bef2982022182b40b2ab4c6936dd474fef66e71ed5e091dfd7d9b45d69523be415f6fc3d18c3b491601cd87966eb90f5bf97a807420

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk

MD5 994337ecb478b2686e12705eda5d7200
SHA1 e27bfa467528696fd4e55084e9c2e39cf447983c
SHA256 2eab74cf22b0e51e136f2ee4d5eeae2e761bcc6d30bd4b2dd1b292a3017680ca
SHA512 90646655f9274faccb5cb0839c4b5537f3eac129a73f4a0f9c6236182645bcd3b9b291705377aa7154ce713ed86ba6dac74fc2751f6f1e8e3066ab435de5abb5

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk

MD5 396b7d60a6410b2442d48129b5e6bb12
SHA1 8545d489d732d419bd3472227cd3a6e0d8fcbb37
SHA256 90c19d16ca8d22250746abe4c0bd793b3730b9d61ca5932cfb6688ad471f1bd5
SHA512 95d9f5868eff3bca103382aca7c6367462f178855409e27cd32c599653d4a79f701515c3cf83d5b44a73f9cf0c2d8e4974c372060db85c709e3e275e8172509b

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk

MD5 58fb806cd875960aee7d33097bbafdf5
SHA1 f8d613948a13d9cc7ab0f49698f0f98ac1b39694
SHA256 3e3b7e3216d34a8ebd2f93e05b8b52fed9470a1ce2a38d496e882745420253b3
SHA512 721acf26cbfc075dfa8ad09a7fe0504a6faf36522dc84aa75c89f8e65d6eca74d27971d2932b83fca7947fea4956a47a9695b769f0062ddc4a9bd4f3b5ea5365

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk

MD5 eab1db9fd525c160021ffa0cc1c225a1
SHA1 244808ab6e4440629b5ac9382f7b6b89d3121476
SHA256 3bc4b754ccca2ea401d268aedfff6888b4b493b32e7c28c6a34e8f5d4b8ce58f
SHA512 fce6255ecf3a860135e079eb9c56db5788b90e3fe157b0641c1f5781659afb0231cf801e7c6d9ed806ede2fed51136c38e6c4bb15efa746b208773a8d2b52f23

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk

MD5 019e636106f9ce7e23ef6e7621fcabf6
SHA1 91ba54e327adac498536a556516bb6b0bdbd50cd
SHA256 4495399da77c3826169b7a766d5535f5775abb0c2de0a6aedb7bb98128b40e41
SHA512 3a76e1796e462c0b6e9ba058cf54e2f4b8a66a4411162ae0ed89b980e8b7cb4138425b75c0c800dde297d86dccda1f94e421931b750ef1c786247aa150375371

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk

MD5 8ae56c52544180eaac985c4979c15662
SHA1 fe3ab6794db1196c8df94900c676f18386b060d1
SHA256 cc26a37f98465bb0f1d7a1a02e53f307b22d2d19bff19c01052578b4f7e24968
SHA512 07acf94569e681f03652cefb42bcadc4f97d37e38fae3b1606c9524971659407eda02db16bac4736959fb08e2b818d920878d9c6a9dc9c48f6998ca9986c3a5f

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

MD5 019071b98916ae92d9f09d521a1c39ba
SHA1 9074075f2681a60df5be11cb9d94544c6d2b2c60
SHA256 6df13d3b3ab17d9884a4fdc112983a1a24a54bb7709be6d89d46b00c850860d0
SHA512 d3b776ca711fe4f10b52e0ea098ea929186b38ef094f53bddac1c7a323b4e386db63a6ecd71357893ce344cb342812352f541acd7e5523e1ca56a0bfae46c0f1

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

MD5 70b20d524352aba36af2ec8d47a20211
SHA1 4706ec4abf23f85b71fc86824bef96f458be68cf
SHA256 d5b7a964cfff4cceaa3895c710895e365a527715253db613780c8d42902fc18e
SHA512 fd9603d3b8a8b80be0590254b2ddef257a1d64aa06a63d1bda34dd4e26aa1fc96d50a8a2ce62d69a4515523f1131f4e6aa22d08887bb31f8ecd8313aac6a8207

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

MD5 79b419ab16e984b6fca5d66480efb52d
SHA1 33a93901d2268d52a16fc6bf46236c89ea9ffb85
SHA256 6972665cfb581b31de6fbd7777b46daac34a3d337a48f3a3aa92140be6a72203
SHA512 dca3be7bb3f7ba88c983f4d8478de50de4241707be7fb493037f0399d126c8ebf3e1c98fdfc4f77d8ed51a5b248b8c896932b22f5f4af7d816d4fb0893b3a37f

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk

MD5 2a25ef1a5d8cec5a2c8b91885c6c8c2a
SHA1 a0dc79947f4c2760a31e7f753568fbd46eb1d5a2
SHA256 9a67d176b404538bd71a6a6c6cd8bbef7e48095f06206acbbaed482913f09388
SHA512 febdad0637e0f2d5659ec9e143352fdeefc6e21096454c050aaf53d20ac0462c662f85d30e769072305dd4854c2d5cb8abf153eeeff6c54d88a9db70c5a01f68

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

MD5 53e9d536319a03cb831f90dd372e9f22
SHA1 5e81e135d010c6db12a42fbe4b648c50a985459d
SHA256 4693c0c3574a0696e1419ba28772875fe871ee8400496d585a3e473677b1ae6e
SHA512 4835faa6da6e0bf028437eec8617142d1ca6272f7d76e084086dd1e2d80dd3c568e731f60ea2a84baef35db2a87d08bb828eb4b05ad8baf6ce85649b93f33ebd

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk

MD5 2538ad96af01abbf9469a8fe6fd237c8
SHA1 5ac93d6300b06133eb1219e1cd995cf4a5b4e687
SHA256 11adf8a27bce60e635c8f2ab74bc2c48b08da64f873df84f3503b7cd9b0a03d9
SHA512 57bb4d042b4b49fabf8676f9833d7dcca7b4afaf73fbdd65f721beee78dbd97446dbcbbb2e3f617fc4d0e5116c77c4460827e31ef9eeaee2aac6cd0d8c633a05

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 16:12

Reported

2024-11-24 16:15

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Xorist Ransomware

ransomware xorist

Xorist family

xorist

Renames multiple (2188) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Drops file in System32 directory

UPX packed file

upx

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\x86_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1172d366ebaa01d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_6.1.7600.16385_none_c733b6c1d1d8ad54\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_11.2.9600.16428_en-us_28ac906f194ebaac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\inf\aspnet_state\0404\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-windowsfirewall-adm_31bf3856ad364e35_6.1.7600.16385_none_e6508032a8d2c091\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a2a13bd60c8180bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\62765bb26133f581e10bb7c866f35c83\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_left_hover.png C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..trics-sensoradapter_31bf3856ad364e35_6.1.7600.16385_none_6fa6b9c88f2a3ba1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..layer-vis.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2ea33660333d4ea6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\diagnostics\system\Audio\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f9195b60fdea3e26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-getmac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1aad48480a13372\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_prnep00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_96efb0715b3ab4ec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_prnlx003.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_812e88067f43e93a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\msil_microsoft.web.manag..nt.aspnet.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8b9e99b408da8463\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ent-accountidentity_31bf3856ad364e35_6.1.7600.16385_none_44d0906fc7b835f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-r..izard-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1af6befccca22aeb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_2242e72b1e80255a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "CFLABCYXEHTPLCP" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe,0" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe" C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell C:\Users\Admin\AppData\Local\Temp\mog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open C:\Users\Admin\AppData\Local\Temp\mog.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mog.exe

"C:\Users\Admin\AppData\Local\Temp\mog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.gtarus.p.ht udp

Files

memory/1672-0-0x0000000000400000-0x000000000045E000-memory.dmp

\Users\Admin\AppData\Local\Temp\mog.exe

MD5 7ca237df45877c5c2885b323bc311eb8
SHA1 2c09e1d0e5d7cb2eefc193bde8030ef4f978ec41
SHA256 1832ec5aa127ca1549892560088ff1177a872f83a253d4f9b508e6e40ff87c09
SHA512 59fcc6de1828cbe5f4869dca176a1a1edebe2390f9e47178e0f158eb13a7b340392457619d4552869c5c83a08283059dadf721e9144575f5615835fb549ca3c3

memory/1140-16-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1672-10-0x0000000002010000-0x000000000201C000-memory.dmp

memory/1672-7-0x0000000002010000-0x000000000201C000-memory.dmp

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

MD5 520c33eb1996d5f944bf2c0c20d22990
SHA1 d0957414458c49b914801432034da925012f0b07
SHA256 414ac5be57488b7cb56b3e9ad509ee2eb73a510bdb3892973a9d42bfdae427e6
SHA512 c689a9b2fa329ac6c02f939ea011187322adc2fc20a9117f872a27ede4e366f8bab23b55145436bf49cc9b4161f49ce442affa31777e694d540dbd3106ba27d6


MD5 fae784e3d83c04a9a8a4adbfd14faf13
SHA1 2f75df0b5ad72a38df86637db83ad7808758d0c0
SHA256 b3535632164183cb975a3aaf96b110cdacf1c037c143c937bd1d94c91783b774
SHA512 83e9c80b9e55b96804cbe4ccc8ec3731ec3f325b6d8eb68f348bd0db0e93d4d56b14f093802b10d6499caf93d82dc388193289739df2dcacc38885c50b60313a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 69e2c4383f8d26500c208d8c82557ce8
SHA1 c05f27073aa2aa0abb128df4bf44d399e64f271c
SHA256 15c2cd1533909bed1f0a98c0edae466e9ec074f4efb9d2ded9700b6637e7d1fa
SHA512 51a5f46a9f1c467af3deec1c5bb086e4094acf8becfa2f008511e4006c744bc84039b48226ed955574aa578989126fb3a6b30a462fe8c18e1a61231969e5c28a

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 b61bdc82c4c63f9a04e2ea4f6b7dfca5
SHA1 bc58c8ec0c9f3530c6da9372fc0cbdb2fd19bed9
SHA256 05c6b8ce5cb283d778297f6e7b193da0a18da31e223dd65f050516fda94fac0b
SHA512 1c08a13627c12e7e114d876ad989edb8a083a0c8635d6db727897a91bb43fec31327cd288faafd1242b25a97604dc6dddf919d67b9bb41fdfed2f7804e70cc85

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 941b94a87f6302ed1726af7b54b008ca
SHA1 bcd232e57e73608929d7d7446d83d339de2b5ab3
SHA256 6174abc23a5d9476a60b596d9e97ec38cf7513e166190ac7393efa207eb7e092
SHA512 8389d2fb5ca57d5eae278be47ad71246c45b256179f51901a11ec03a57ddf3b6e42b9bcdc1dfcb7d0142f8395130e78d0b1ffdc180242fe094cd19de078efea6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 d0f17bdc7b58ef56d185e8ec3469feb0
SHA1 490e119031c25e11426f146a405e17512cd74c28
SHA256 50ccfd9925ae9a6f5fbc90fe783762f98d3a757b8e2c3512f1e70f92730bee57
SHA512 f557b19d767af172d0ef043f89bcd8f560fb7545791fe5373c8acb42654023a7514ecf712ca3e0b45bdf07f6c41a64e0ff3069ea0e07a266fa79682aaa47701e

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 d02b7220ce90d7c8e3ae38ae149598a4
SHA1 df318bf256425ce3bda38b10def747d53191efca
SHA256 6cb21335331e38eec2b27103ac334247dfec496ef6558453ba3e0369aafa8781
SHA512 7f6240b48497867909c118770621739c30ebc4f0d55b644c42e4d92816516ca0821abaa727adb5b183fda05bbc3ed71201f049970016ffb1763083f072a85e4c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 743693c83a38b55ee24df0f350dea790
SHA1 7e8df727559718e88dc030f98f5c6fa8adb402d8
SHA256 ba3ae0e9aa98a9ab57bb0f683c3f1a87e28a23f2d5b25adc53fb3e122c0aad7a
SHA512 5d86ea75993235860917291b4f6b28d0b4bb7274ce279f71918ea97819297df3bb3d862432d010a300e4be79218cfd6f8b7a54e6d50dedb1ab76b1d7b9264797

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 f1d8929fedd24827e11e8851f798da5e
SHA1 c843d0b664cb9559d0b82abd4910e27db312c4e8
SHA256 0765ed2bdb01e143ce740406c889220ca570d2c7be92b6bec9ae55494418c163
SHA512 1e3480940ee1df0d7bd051ffbcf30c112809b1e876d708573cd3dfcb0e1183f4182c0116ce93cbdd080a89d5e3279a27adf72436582bd6b87bda69f625285366

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 c67045249c7d18a71efa6f4ede270a20
SHA1 4a1bfe7e124a56cfd41f75d0e036581825780f85
SHA256 6bcb3516e9ceaca2fd5a46fefbe33119579181c2fd99ada67c7c5b1900f87f9b
SHA512 b56104c78743a0ec35db435ef95af658190f7824da28b9a65e0d6f8c39445309404c4b20586db237d697e9cf3a5c927968041012613490777647a0d97f974fc6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 1b6345d286568c4654fc75698db2c9a2
SHA1 611bdd40ab072d1a363b8a92e98242c275525ded
SHA256 938a519cd0a27e6612c7ab88c542ca83fa593ab66e926f898a5fb93fb17e6b25
SHA512 8b3995aaf0eb34b86d19c714cfac4ac233ee7f38ea7a6967a3c4b192094abf7510101d0c93b594bde20231faa9d31ba8e01a3f9634f4e99f3f5503f668adf3d6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 74ce574cc58fcefa9fa0efa942b74b18
SHA1 5ff49d78cad41fd75278419ffaa33acea1dbc640
SHA256 b18ef565aad0f7b192c13b3e2ee5d655cc3a349c9008d7f5b80010966c6a4830
SHA512 e98eafe36bfc133a168e8bcb16e0149fe79cb3c02443689dcbd115e9e7272d5fd99f26afc681ea396dc6b3e0e7849a681664c93672c0a91f9b19791d25ecea3c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 7524a38c82121080b2c336ecc8019b7a
SHA1 83be0a561687c17003eb8f702d3009b82fd884f0
SHA256 b0e49e0bb9055ea1bd204ba3ed561b21fad5a5cc491ffd8f2e96c0534bb9000f
SHA512 23de3c3ff39bc49bb41168fe0660912e9d0f384091dacf1f6756806c06170de8256a54a41b47342689b4c19ae57ecae0ec13ac9442cd505f82afa01ad0e33564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 204e8db0d037a24abf4752942e95c06f
SHA1 30d2bc544c18b96217b00a32f016b29054b2e5a0
SHA256 453b1ff0aab5b82f096b8df5c770356da9f44d34f54bf96b6eba2b424261084e
SHA512 2805eea3b767bd7fab0ff47b920a37a49eac4535284c2a6c774374b72243c367bd6b52ef020d8aee306a17909cf7e5e1a66bbb9305fdf0314e0d84ad4a9c417c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 3de1f7380e480193a82526260901967d
SHA1 78046c58d190f78e8f338a777e4afc4dfb3bd6d8
SHA256 9a28337a3f9cd2141e7655e1f27d83983703c418aa90ced9a9b58b0d8ecaa9cd
SHA512 2b69092ee448ae83580621fcbb591aadeb787892db1b10ac812ddeb2cf6e20bcff1b542ce045f6c1e7998be15e03f4dffa557d18d2f0c6ab59bd207984975a33

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 bc60d114ab69b8788b87dbbafc5f6ebf
SHA1 4b567a2ea842cc00af56e4b1f429b0fff35d2c07
SHA256 7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738
SHA512 2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 4445c7cdca85d7d2dc3a0e23196bddbc
SHA1 986b80848f6c267eb0d1aded62d87a0a90ea068a
SHA256 3f948825553a62620840bddf9e2ef561fe27bc543d7869ba0057af9bead40e35
SHA512 134497802ee9b1174fcd709b1cc9f217d6f083d7180d3297eca45c7225e16802b0600a2d37aa71393126935621291fb0e773caaaa7fc74566e9541d1892b0760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 26132a20cdf2b406398a16c1e520afcf
SHA1 9670d94bce85810476a21a47aa800046a46505bd
SHA256 16c743b2c3de29cba451659b27632cfa3e2c1888b3eaff475eef65f24e44c4ff
SHA512 429684b4e3668ee03e4b45b12074b9ddc440591732cb6010c1164a83fed0c4fd22518488dc8e3154d6600fc4e3b67ed66a7be87d1d265894c860dd81641bd76b

memory/1140-9011-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1140-9012-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1140-9025-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1140-9026-0x0000000000400000-0x000000000040C000-memory.dmp