Malware Analysis Report

2025-01-18 20:59

Sample ID: 241125-qcjvhavjfp
Target: 9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118
SHA256: 1c17f4f6e4991c2847fee5ee7563d05c45fa0a9b2cb548ec20b9a1c6e77fa5d7
Tags: xorist, discovery, persistence, ransomware, spyware, stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1c17f4f6e4991c2847fee5ee7563d05c45fa0a9b2cb548ec20b9a1c6e77fa5d7

Threat Level: Known bad

The file 9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xorist discovery persistence ransomware spyware stealer

Detected Xorist Ransomware

Xorist family

Renames multiple (1829) files with added filename extension

Renames multiple (1697) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-25 13:06

Signatures

Detected Xorist Ransomware

Xorist family

xorist

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 13:06
Reported: 2024-11-25 13:09
Platform: win7-20241023-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe"

Signatures

Renames multiple (1829) files with added filename extension

ransomware

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\drivers\gmreadme.txt
Process: C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe
Target: N/A

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\icon.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\dial_lrg.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows User Account Control.wav C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-audio-mmecore-other_31bf3856ad364e35_6.1.7600.16385_none_e8f2b9ab2a40e84d\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_box_bottom.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\WindowsPhotoGallery.bmp C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_methods.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Penguins.jpg C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\9.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ehome\ja-JP\epgtos.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\play_down.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\calendar_double.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\calendar_single.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\PassportMask.wmv C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\vistabg.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Pop-up Blocked.wav C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Navigation Start.wav C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Feed Discovered.wav C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\item_hover_flyout.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Break.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Language_Keywords.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_advanced_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_trap.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\bg-desk.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Peacock.jpg C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\WindowsMail.bmp C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c4a3b307f7533c7e\playready_eula.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_cloudy.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_split.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\img2.jpg C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Landscapes\img10.jpg C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KXTPCQKJWIKVFRE" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe,0" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe"

Network

N/A

Files

SHA256 57a2544635111b6001c4f40d0cddbcafd254b46f590a6af9bd0d8baac813adfe
SHA512 2046346f747c5cbebfff36e8c9e3dd6b33b87b331dc3845723e5d7e5b65d2cdb33b322133f83d73c04631b60f2448520682f31ea542fed7e2a89013eda720922

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 b2e7bc1c8cb737ae1405dc17420da852
SHA1 6b20a5665a9a3dba08dff2a5aff304ac3fb7f1db
SHA256 9a1a398b7fe8f36f372875878983dd74458859e6ab221183fce2deb627c9289b
SHA512 0dd921387a8531ca2e18e9221cb7fbe54c77d33d529ba8d13b71818e87b55331d2512487247ac836202883bd1676d3e52a801cae84772b9b795e9bd0fd7a3804

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 83c6b884c93c8ca05eb7e979c16e9887
SHA1 24f43dc2f41f24e897ad4c91241eb2ff02fcea34
SHA256 39ea34222ac9beb87044471863eec96e6fea872d9406659e4d6bd57d80cb4b5b
SHA512 121b8837be6a0f3f9b953d80daaf80fe604f01f7eea1097cce1cfe7ebce027fa82ad24f60c77d58d04b2c192984e6ba122d6fdff0faf1ecf9a5d870f4b14277c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 d43d59692e685cb1d4e573aadcc099eb
SHA1 43f5add269fa879631ba9f47d9503e5106b68a69
SHA256 5636e71766c9dc4a7050974a5a2e3c3f12723ac23dded97a18701a5e25e70f76
SHA512 93a5c7308dbf0aa71145c89504992e4791ff2993b3fed35d4560a8985616ed11010dce7e0d3517d4593e868f98a038833c27282297318d0b84a1452525c6b84f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 2382e1a5f1006dee3824e8106a1d9f15
SHA1 4df32d4ba25f7983f89bdd591b229883ad19de55
SHA256 864b903aa0f1210e9b2eea7ca70f24828d637c39c678f1f553db086bac33ae45
SHA512 0d6dfe4aea744aed15c933dbc3e489440a65b8952233c04c3b013cf6a62251a319b210f71c047ccf6a612f73d0fd38fd360b4db45cf88a4d2f66f4e17b317047

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 94f7a83c098001873b460a866e1102b7
SHA1 65f0cd866a8b994859b70d1894ba125fa562b75c
SHA256 f0b593d0f26b802ec7a8ab50e2558caa2132ace282ccf2e1439e7fba05c5a4c5
SHA512 1a49c875b7c440486b550edfde81ab03f2dd0877cf4a0abd015b6eddade8f2be26f7646a782d01bb9a8ab4a17f4fc96f6040b6e1cf5d17384faf435af9991f39

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 a7b6f12cc5ce5815e6764388fc44210f
SHA1 62145fe0d0f3695cfe8b12cf97f3660885dd3cb3
SHA256 443ded55ce27ab2d8e6cfa302c0c63ae16d1184226da906112c669a3f02bc9c1
SHA512 26ea4a55faa8d23ed42ac0dd45e68a58d60ec28426e62c3420c6f803da4a5060fe97b37fc4e3c21e45c16adb7943e8752b50b2c5c7095a9e55515000b4e8120a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 b48d8eb040292d11e3a70452a99af070
SHA1 655c117379190e84e095807f21398357f58830d2
SHA256 49ccb6a67b62fd90d5b9fdedc5935354215a3e6c86be37b71590acb66192255e
SHA512 872dc6689ddbc9a2ea71c1fb761b7fe1a92f12eb014a4d6b45710c9cb7573c3dbb30b781909e45526bd6827d98026a46b19b9eb52664cd9084c2d362cf2340b4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 67e3c7ab67e9cad5154720876b3d6f26
SHA1 d6bc3d2ee31c3464ec6d6b572cb779adc52e40af
SHA256 dc5e0fa65a0a9de6d479f61c06d7b3f95acc4d5741548d44bf2380ea7d207a1a
SHA512 bfcb71338cfd0158bf981cb095b0afbd99d509372ce385b0adf5ee76f790a3a11681c2fa044e2b38007cba243b2a875fc16503a80ff1d17141135d53d099d0c9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 cb3c1d664e1e5ac9f86784c21e7a7e18
SHA1 fd233d35ed32859a6bbd14533a0cbf446933ef6f
SHA256 ce1b1833de0757e6e551d10e8db26317409a8abc31b473c83f55fcc712419801
SHA512 13e8a8aee347d8cd0b9420d4e69d49f46fdd2eaf9b3da599ba243e98542437994688e7366feabbb429ea7871248e86d701e64fd01929d4b8bf4c6e33479f5824

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 c440f04ba393a4652ac720f802ceef4c
SHA1 281d3378fba6007f9a061df1c039c6ac1dc89185
SHA256 5d1be811b6727ba523a7ce5ff1f30f26ee052f0d9af7765ced34542b59658152
SHA512 d38d51e1adac27cb13358366d50932d3e7361fd98a27bbae896e6ed14be54f54b820cacc2209cc2f2c27a19b82ecd79248823f295181aa98cfd66bbcce03729d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 4d72c098d161ed1ea140e6e85e38b90d
SHA1 1430bb1553d89873a63572bc72b8aa6529f141f7
SHA256 e9d5394c4e7b98ad3aba133d73141238e638e4180425c913224be0cbd07bc679
SHA512 630b5b4d32dc0e09bfe915d84f27ba041fc07faa764d8a6d6c8d916640190e7650af5f48debce3b98e6ad53608ac924ad4d9e7072a04ffef69e6e197e4d92194

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 406f3d6f4619c58e25c6edc5fb00250b
SHA1 3137b238aca41683858ae814b20bca4b294f47d3
SHA256 4aa35be81457a91bc4d366f2c7be3500a03c969b4884ce1b13f7247653f26274
SHA512 241e3ffeaab7caccaa757b901aed6aab4bd5f50bc73a723d1eb1a9bbc0835aaea1996ab1ab485e5e0a97eee8a094105f810fcba9bf46f56f8ce9e66800b01336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 94d127cc4f6f7e54c253660a179adfaf
SHA1 7af16a31f64a3fb6cc502895dbb9cfcbc877d95d
SHA256 a9fba161052312ab5bfb533afbfbed38fe17446f4e6a058b6714afb695a6a4b5
SHA512 9b60601d34560660bbf67560f8df7711f436dde28ac41c43c33adb057db78e0044f3391fc869585f4077d2721b93e7338d1326fac8ffb2a43aa59035669800f4

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 a6eeb971a28dfd6797907f4d4aaa5127
SHA1 e722d698750314a8434e248a78b44a4961c0a6dd
SHA256 aa3514ad53472b4d0e61f6679cbb70e44deea29dd85edb658cfec26a3a2c7ddd
SHA512 74cd05a2882ddf26003448ffe106abe38826d22b0daf37fb88e666c3a387f26ea0224e2f487334679332732692e1085307bbc76db1e1fdc3d795cae4d38723c4

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 a8a7da26fa1f0bc45a3079204dfde344
SHA1 3a303eadac01d909c64be7ff85fdeb6ffb437175
SHA256 a1bd6e1ac8920726196d08bdf2f06a751513806b28454fdbb2377b56ca7a4213
SHA512 471283539a4a9e478f2f554d1a6797661737a284294c58df232f406a64e136f0211d0b62baa89c0d1cfd8b59696b5e7109344f83de38c78626a39e201b6935e6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 692ae26c42436198cad6454eaae80fdc
SHA1 5c77ece4b45ec8a01f2cff0fd9c507f2ca45b838
SHA256 d676e80242774e53eb98d3bb63a1e8b17a01d09f6a178412f2a76345df2310f0
SHA512 ad3d9549e0b86d024fa029aa0d6f621e73c875bf822c17e54ab3e5a74a519b66f081aa6a6719c49d1391de3c5a5e2dbbd7b5c28184898cfa3423815c11623dac

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 72046d9ce2b319185af8e439624582f6
SHA1 46fbb2926f66469ae85f39082fb46dc868dbedfb
SHA256 fb5859c33f7084e9209e94206f2a1354c4c466e56b9c8bdca668229b2fc713dd
SHA512 17724e6706666ff62dbe233e05b299e52e96ee83685934702204a80c582df11fd18857adb2621f6933104c791450348d358b77150ce739cdd3010f0a4017585d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 77d23f931d97d9fa42116a882359d526
SHA1 f2f9948501bff3840d09d5ee47dc3d07971a0e15
SHA256 0cbd137b2197b29de14170c24af767f44c1ee64a27fdd1645426078bc8ef2991
SHA512 4f43439e936e6da499777d1132e1b527516bf03be0f4d1f183e810500a8f6357529c01cc1438dcc271dd86b127b69557180fbbf7adf3bb149ed2db73b2ed5190

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 9938c4009be9b47584e1159b830184d8
SHA1 067900881552fc20df4295a0c2250222de591f05
SHA256 d997a762db4a3738a6372013eb3cf1aed882e40a6b0a3ed15b511eacc58a8f8d
SHA512 22b378c05c42deb626a8dd849ed7f5277bb8ce6ada42c45b783a72432ddf133fd70522ba47e9fb5c55328e5cdcc2e8c8d2b738ab5bcf7edfbf0de90a2978686c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 56eb668315e65c8f725457431bd6e357
SHA1 3347fe1e0309bc49bb0035ff2829eeee2b1d46e7
SHA256 914c842bf18e6e1cb4ec704c20c4ec5193d9479251ef9e592d9a2e3afac9967e
SHA512 f7d5ad6c638284dc4af5706b3781316b29bd964e5c8b091effd713d2541767c39bc2bc0e89c813d0ca09f44324feb0c819dd2724374f0921977e3abb12c738e9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 b6ae0514b9869c5264cb814d14cf81a5
SHA1 bffbc4925cfb4a9fcf203b8b7f92337f0e4628be
SHA256 d0f7d2d739bf7ad0b261085bd5ba95ca0e2c93b88323a08f1ba6f0d53667ab55
SHA512 d1f2c13f4413d0a546ea00ba27a93af7149bd9120637538459c738b81573f946143efbe3cc9d7d7c44164b5c85e41297ce9f5c400a65f7fd8507de02efac3645

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 260d37d22255554e0519fea070c929e6
SHA1 44f6923c2d798587b2861a1857e620ffd287d3cc
SHA256 a3efc5ce41ce5a4a3d17a868f9c5f45a1839c355d1ea9ec064d6651ea8afb87f
SHA512 c73e0162d5b601b67465af295aa8ec7bcea1a0947c404e079ea7c635e0291919bc97e12b1332c7cabee15949fcbb362c03c6e928bfabae11a9223bf6e4123384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 ce25d8215346bea8042b02cf05844482
SHA1 dfadb5392cb6552ed748b653cd1d55a4dd350f4c
SHA256 8efe3a57a3db1b591bd7a8e9e2c668d01e7b8e4a17c9dd3c2fb55d80118c0ae7
SHA512 c639bdd3bea3faa1c75892e38012f20c459cd81795e7f1d9de4107f1855659e4558922a216820a701e4ee773b128c7b9d1586a94889935d7bd1486af4e7fdeeb

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 47361ef7742f17dfe8eee15a8c1e9386
SHA1 07a96e432d36fe9e1c80f7df2e3aa1347f4f2036
SHA256 0482b39af79795f12f1e3610f261423900c63501ff2668481360079b70ad8c2c
SHA512 91fedb9d7c521913e68abc7ee23777fef1d4949e5b866af9c26c46d0c695f405ee1ad354fd980bf7e78cc803a1259b4dc5a7c5c5aa0ad84456c6034d6e84edc8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 bf7f10874675d4a600ccf6f46d72326a
SHA1 500c45d51068dc938aebc405a07f6c86c3aae0cd
SHA256 347b483e34e975231741aa2018bdc55bd7471c10ce3aee795b9c82f512257e60
SHA512 836aad6ee49ee19f7a3f8db0f5fd676850f6c2866d90d66fdc29a9798e4983535ac199473cfb3a9363484cd0c55b886256b0145caea4733414b8de548bc914ea

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 7ac7e5e540c27b7dff0751a22302973f
SHA1 e1d25781b0b2cb05e91527f9a1b82dacd2fc6bd0
SHA256 c49deb1ce40c27909eeac1b81c1f6ebe7ab0305e03add1ef5436a0e1eaf541d4
SHA512 277bb042db81a1a7b710701bb495ef8681d9f195f47b5c2804da687971fa9108e9a2abad11f9feb0c771012bb4a419c3fb137245b722b788acfdbc1467723e69

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 22b6fdd6b60a87c956d2ecf75acba170
SHA1 931d6dc3cece85ccc95dd3acfd4a6495b0c3c49f
SHA256 c9bc43f67f8e987a09b95f803c143678c41cef8b51c82a5a7fbd790c44f3c28e
SHA512 c75225133770ebd3903712e323ee77cd202481c9ecee5d8fd25d8699de46f4fbabde5b9cee84871ba32b609c7ba9497542d7ed136fa9ef8764056e4016e20904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 eb0c3fe954a5d84d385484a9989ccf14
SHA1 2e65947644b25212646dd5d13c3160f3af100e3e
SHA256 b959e6717ebcebda6e91d33cf653af3a33cc01b30541d8e79f571afb1d9fb4c5
SHA512 fe8ab3f57f8a2985e32e1acfdb5ab19397127e3ecbdacec10f38fc5588d59cf823679e61e9fd2d5623d444f6fae5ee4fd8f17c79263ad8416d8a2ba036fe1ab6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

MD5 8d8d95e40029e92c8038ba48aad0ce66
SHA1 84d86f871118e6281de83df0ca8ef946e3fbf11e
SHA256 edb597578c0ae00a81a12c4bccb1f80ca824d69d8badb9abae698fc0cf996db9
SHA512 3d9e0d880ffef8d1b29aafb39dee0802288875762f0f49a655eabea523abf3ad96189854f3323e727190dd1c2ce96442024e2b5407e01307b9325d890bdee23d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

MD5 d375c679def93db979ce1307830dbf5a
SHA1 5bc836709102c44a8b9923cd902dc165d2589368
SHA256 ca2af55d5bace7b77767cce9fbf4589111f67c978b3abdb053b2262c95f114ee
SHA512 e99c0380ef006222bb6afc3d9bf4114cefc61108b5aa4179a3db6135bc377e89299124cc503750f37caa111cacb39b1de07dc8c8e8ae8d5c8cbd8c30dfb0e59e

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 1a33c03f12a0407f05537d1d3081e41e
SHA1 00402da2515adbb80bb613c83417b6feb2ef4c78
SHA256 0596cd6ab0305a5e38c51e4a0dfd70d1317255489a2819799b551dd4cd744d47
SHA512 a7b12c61233f4a1297fe3765ca822e8f7b8f6d18453394a0e20359d3ca7bfe7396f6fd43a4689b63790b3d24397767fcca9a163907ade3ea973925090905a22d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 725f8d222b747209c56b6e871d806e36
SHA1 bb47a4137ff9c11dfddffb27312c2050cf5dac03
SHA256 c0d260b1769d558f84f04f8ab0aa884e90e9dd456ec052460ead7d91af35f583
SHA512 b2618b27624a869748eddcd2465cd58f73d9aec1a5f18d2ae437ad92fab5548175039408dc0cdb1efc33c3d5fc27b9c964b14d429dd69f6edf89f7ba92b45f96

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 278fa77a21ba3404103d52ea1c441bc7
SHA1 54e7f44f9d3005c035b66e615f686cc76025e0dc
SHA256 6af5dbffc43cac4b6f059213ccb69482be1a545ab3814710695b0328737e8833
SHA512 9925a5e4e15a9e13ccb1da4a64d70b4d36a23499b11bbdb82ca927c11a5b92a1f9a285f06a0138fd55ff78b71737eb896aba5a3854688ebce3bd5ad6ee1ebfe6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 13:06

Reported

2024-11-25 13:09

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe"

Signatures

Renames multiple (1697) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@AudioToastIcon.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W1.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicator.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x150.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Large.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-400.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-48_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\5.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\174.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-250.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Drops file in Windows directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KXTPCQKJWIKVFRE" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe,0" C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9bad14c1ac8ea571e567a5a6abd3fc0e_JaffaCakes118.exe"

Network

Country Destination Domain Proto

Files

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 02fef62ad3481696efe34e6d9bb8b370
SHA1 4907f17ab4077ff3b76919026dc53f0a89796222
SHA256 39efa0d0d116538de4f1dc36fce2b8af6b82b6984694889ba7048de9daa5ad3d
SHA512 f2c0152db123bd66f6362e1fa56aea0fc319d2c5fd774d8e9a428ed1e2932ed7bf8bf388e2ff0fbfd173906a9fb38655bc2b9c50a679968bd3697c33caa034c1

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 22a0043b4bc7d0ea285b89d79f6944a8
SHA1 658b6eae5f9be7c195acd18174e0c39c87551be0
SHA256 3f794e7e5825ca680288bf99a01707f69efb9e5b62c5ef7d42ebb8dee615f1d2
SHA512 f2638a1bb96a4a665a16676100fb3fe1b5ebe1b99e0962959376f1d69e9995638e1cfec0b3b12f998eac48244f5310cdbe74e26084eb3602a4b03eb46e6a9da4

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 a45b780e428eb5e9d3b76b2d7dd54057
SHA1 4d91dbff6fada78beae16b644729a17d8a5dbb42
SHA256 d2cd0a128890724b53987c3464b6de7e0e3197b8c02a0b9be2c609aef04e06a6
SHA512 91311500544c82268091ce34862ed446d6f7edbff2df9875e0f1ec8fea9447c6087b8a62317a4dba7caf16957f4ce74f11de6275303ab3e202bedf6bb169066a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 e59a9058740966de7392143bca08dffe
SHA1 71f762bc9e627bfd62c28042aee1c46418b580b8
SHA256 228c95bf3e10dd72d79725c425e0e7a5d9fa3272ff384bdd7a807f9b009d51aa
SHA512 287cfa306182c73dbdf2da90830f0e5ca65359ed29495d37ee1bc5b09e0d5f3a362508a13abb93ee7641cf9a0f1001e4f00cdf992dc72d8b80e1e774c4545194

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 d13d4dfe617a18c1e85a3bc71184c658
SHA1 801f184424073737552bcbf41162785cac48851e
SHA256 736f467c51742478f3409159e8a43c95ddabda49ba68dd43bcb469e551a6de19
SHA512 46f82de00571bf640e652767a7baa83efd3dc5bc7b7d0fb56c76198493890faa7a80cb07d054fa64e21748ed9c3f6f56360662734cb52ef37389210a660389c3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 6e708f0a9c4a53ed94e4673b63e253f6
SHA1 c188fde23887fc1ac49db09a5488c843e30d55a1
SHA256 0f2f8fb2db77736695f3b73bb61df8d3fe7b24f099fdd0ffb4d5e9ce164f589e
SHA512 3bfe5b69a0a08f3ae56a8b189f69dacbecfa2cf6088e32b91015a93f426ee717e3054915eb0f330cda93078cc3bbe4dd0ac3e7137bce6e0bcca16c5cfba9faf4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 327be750b05f6d78329153865dc39905
SHA1 d8c9e1817cd8132a867ba4d7302ee93f38d4237e
SHA256 4db2a358933369d76566fc5bfe223c0f7b64c3b2e76b767344bac7436084c081
SHA512 a8159f2841eba8fcff12a25581f010d1ec18b665fb5afa785513e3ce9e902392af650065cb851cf9823e62a1e87d88d1afec49fd37878708ac23786c08b71c75

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 7741c570fd832372a79a4850a3d762b5
SHA1 a6f656e3e5776e302b961cca06a82508b323102a
SHA256 2d8ca9b60c0fcce4e7a04c80b58497e8e5be229e0931662ab8bb318fa83f89f8
SHA512 d84ec619b55eeeba10ba44f97c28f8b7218e919122d62eda620dfd22f53419a52e3836467bf1920dfbc83bc340bc1e5113736a8e270d77784b22728f0f038929

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 3326ddea6d40269ad4059328ddb2ca9a
SHA1 be87cbab2ce4e4cb89c066a3a2a427880258f885
SHA256 2c8a1bf9a07ce61a014689dd54226198835ae22bf4fd2973f5fdde301eb9624b
SHA512 8c588f3b0658f89d030048610edc7ef3c25a63a20d35d281712b224df431256e6a0e7c6da15556c389b51ce36c7dc4466408b99b322eed55ff4e5f0e96e76d4d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 eeb20c2c8c1997af2acc72d1bfd7166f
SHA1 6664ee719dcff8a7c8497685723c5f059db2d212
SHA256 19aa0bac66e9f1a21e48b7ed02957740a2befccbe773355f173c16a085510110
SHA512 cfff9d68cd4037bc2d309b1b984fac20dd08acf1d61cbc2cfb7f2b0331e232a4f80a4a8de1a64d585f261d9cd661eab876e9dc527301a4ec904f7c3aab187a83

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 c55e469b2e444fd31902568e4bb8736e
SHA1 57fb44ade0eadc0d9520b8bf8febbe4a6640a2ea
SHA256 b0508405792d79696216f05b1052f08e791ef0f5d175156dfab8566953d37dfe
SHA512 77abbd698d203927cd11a49083049d0edddd20e363f0bebf01085caf8c389edf5d3010344dfec805f400acf7400a0c6b5b22dc1b5950c0b8170cfd96217fa0aa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 bcbc8af32d3e1c745b0f026afeb3230b
SHA1 ef8857ed4fd4926246410db68f1438a531c0d3c0
SHA256 7533fdab26fa3cee6ee1112f4f5dc940eb46fb1b09d73a0f8d3176120c6d434b
SHA512 0647119932e7b76c296079e995ab6b78a90cf24896111e34c092cd35263cc11f4bd43c12f3bd8a56ce8b4324766e4a6c7c3849863dfa914fab48f2859c4da7de

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 5b54d4bc74917c920162ec6ddb1fea7f
SHA1 437aa8c76283ced7404d3c1382f4a2383c6b0721
SHA256 6b98f802f1db60aa2c69ed8fb5a37f2654632b635202fab55926083f17c7d5c8
SHA512 2518ee6aafb7b98c7cc076785e2ec990be5456c34146459f2ec24a34c97c7399d6d21f39f22ace0b30da74a5c6dcde7f9ac4c5c708ba168dc70ebcc16cfdd56f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 e0d235d37183f730c04af4d18e0387b6
SHA1 7cc3a36f38d1799133460bf4179395752e588c06
SHA256 d9028ea3523277000cebb91e5fb3a43d8ffd84564ab4f99796032ac25951be49
SHA512 6913c6f32d6de6882309621a270d26239fc064883b9c333071af82ab5da6530fe7fc0c721e6571a0057f6026aa1069151889bb0aa733e3b1fdf14a1128997a5b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 1e83368195d82be31d62c65292efe470
SHA1 892ab57fbde814a07eda6ff67d8e390da34885c8
SHA256 913f9940a397a5cbfefa59ffb28c8baf92cfa176e45ec2d0d7b77fa70779d0ef
SHA512 b02ede8534a0457d12956b413d5bc7b5ec8766ea8879dbda4532b1a7a57c6faac2a4aa56ae6dcf2ca8757162f3eed2b1e15e59ab36ec0034d6c5d00271e7d244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 343dbf60fa785ef832207e890f830b09
SHA1 3d3afb6988d2973ae38e3b866d141efe77fc7148
SHA256 41346bcaed0b43c923fec7d1c1f0db94314e6f17a2d40f313a4cff52ce6ca05f
SHA512 e68c3398ff18dab1a5ca73d8f83cbb64776e28943c501038e9488c23046bcdd2153d778691773467436bdd850c9b2917e2ec60afad3140bb719c7cb54df6d351

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

MD5 513689c98256d630bc1e3dac180a798e
SHA1 246987f434390cbc8ae9c4ba09de33d3e24ec59d
SHA256 77f41334c2c49f942948cb015672209e6f12aa5dd63d9d02584238d8cfb66603
SHA512 ef5f58a261d00dd1b852355d3a8e1402a2250a9adeec75e8f4ea30fcdca69d6897a0bd56216f529ac39ff7d891bb3ce3a5d20dcfa1a7e3b51ec5a9b7fe17c032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 a451feef7be0f7790680b6a02a374652
SHA1 43a13ac41111ab7d6eae4f8a39cc7a5a781b0947
SHA256 baf3718424827e1d85835a176fc3d4507180d7d72f5df728a1b1f8ed2f3a0f4f
SHA512 02ab2a33850e1456bbf37cfe1eb69c316ac895975f9f430f4b651a500ef6a1d9a282897880c9ac3a2cc457f0c12aaca644a90bdfc3231983a1c9aea966dd89b6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

MD5 18563b703b21c11ecc03f6ff8f5d78f2
SHA1 cd9b39c64ba4cb8df9fa5bbfb59490a782dcefe5
SHA256 59c2a3f79fca5c94d2d32ed14fb99cb7f280ad8aba837923ee4c18f54f31d716
SHA512 62a626d28e922255732ccfc755ff0a0e4cd8019b05275cec2d9b01340070a81097d83bcfc11879d1abe356993402b4be3c196729e50eb0f2069a91cfc882ab70

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.EnCiPhErEd

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656590293648.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656120098725.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663328721506.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_contrast-white.png

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_contrast-white.png

C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png
