Malware Analysis Report

2025-01-18 20:40

Sample ID 241208-jvzkcaxqax
Target d6074e163ab2938305579363b202499d_JaffaCakes118
SHA256 4d22f80ca7593631a896d476bdadc16eab274a2c5f9aab0a8bfb5558a340056d
Tags xorist discovery persistence ransomware spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d22f80ca7593631a896d476bdadc16eab274a2c5f9aab0a8bfb5558a340056d

Threat Level: Known bad

The file d6074e163ab2938305579363b202499d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xorist discovery persistence ransomware spyware stealer upx

Xorist Ransomware

Detected Xorist Ransomware

Xorist family

Renames multiple (2195) files with added filename extension

Renames multiple (2209) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-08 08:00

Signatures

Detected Xorist Ransomware

Xorist family

xorist

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-08 08:00

Reported

2024-12-08 08:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Xorist Ransomware

ransomware xorist

Xorist family

xorist

Renames multiple (2209) files with added filename extension

ransomware

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\drivers\gmreadme.txt
Process: C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe"
Process: C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe
Target: N/A

Drops file in System32 directory

UPX packed file

upx

Drops file in Program Files directory

Drops file in Windows directory

File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_trap.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Special_Characters.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_wildcards.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\flower.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\button-highlight.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_While.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Landscapes\img9.jpg C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-4.htm C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Hardware Fail.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Media\Windows Minimize.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-9.htm C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-sports_31bf3856ad364e35_6.1.7600.16385_none_c1c84490c211896e\CircleSubpicture.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_script_blocks.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..ied-chinese-quanpin_31bf3856ad364e35_6.1.7600.16385_none_53b99503d9f5dfe1\TableTextServiceSimplifiedQuanPin.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Break.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a6285ac2a45ae884\settings.html C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_foggy.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\verisign.bmp C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\Programs.gif C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\settings_left_pressed.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_types.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img17.jpg C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-17.htm C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\info.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\38.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Arithmetic_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile44.bmp C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-sports_31bf3856ad364e35_6.1.7600.16385_none_c1c84490c211896e\SportsMainToScenesBackground_PAL.wmv C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Media\Garden\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_locations.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_For.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_While.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open\command C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe,0" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "YPKPICSDDQDFBPQ" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe"

Network

N/A

Files

memory/2460-0-0x0000000000400000-0x000000000040C000-memory.dmp


MD5 17f0cb45caa2dc565584fd75bdc1900f
SHA1 364aeef6c1492689a555b7101361ec2c68309ad9
SHA256 cc0eb236827a6feb0c73bc2b09be4828c6f206927c1f68e52896c52424ce4b0c
SHA512 5d46766afdd03742f9edc85f7b98264c3961b3aa4a8e1d819b28ae90c24a71ccc00d636c1052bd62fbdd655815451e96a319abd13efe8c4a91aece9589aed385

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 f17cec127408df325d32a3447527d36a
SHA1 1c3247d08d6f1fae87c166a523b8f270e04c5532
SHA256 613f402600758d2f2bb33aaabf116db11d35c61d9adc1d7f3db0ca91786c3c1c
SHA512 ee758554108b2347358b5da4d41e2640a7bdef8578aa57a2374fa4485226b0ed015da7f7fa68593c82d9421e30558e8cc2f7d30ca8d0fe9b758f69ad7179d275

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 617ccf52ba4caf850bd6f3ca08f54c17
SHA1 c664ee4ed2072c2726852fccb0d06a051c427c53
SHA256 b0778f86135c9bea54a42d7f1b9d0bc1a396291bfd730b9fb5e1982e2d660739
SHA512 2ab205ff5d35d2226dab6cce31e01f7fbe00e9575f51880570a8d96bc7dcb1ddf736b15d4251af22f4e3d1e8b377306eb4a8c0c7253928035df2c79fc7ba0eaa

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 b1f3adb60e53013baf81ff497a9a86c9
SHA1 4c06d5fc42f662224fe8bf47cea8fedc90dc41f5
SHA256 6918b6c07e3f66419f60ffe9d570dd8a8c281f0c5e0b95b4f42760cd24c66856
SHA512 d80576fc765a8497e86ca9c8b9c5afb58b65d03a3254167b3be5fb5a358e6e3b5bfd1915221c5da887a6f9d41a892f0059381b5bae8d7a6b4d812294bfa14ada

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 2af9a398b072f46a2f53b6896530ccf2
SHA1 7b9b297007f88fd7ddd4475dce9e71c103adb89d
SHA256 c6e2b6af7f3dfce93a890945e10255a8c497c4d63a881628a75667587b7fa6af
SHA512 7eeaa0c377e87193d8e59a17f2b45d59b5f991102bc8a5392516be202319733fd269663576d933076fb8782d356d837714b343ce8c6653956d9ea01f52ccdba7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 77b5a3dddc2d575466574e67b8972e2a
SHA1 a4abbaaa52fecb34c2cea226df78825255841001
SHA256 031a06b8bc8342adbe32330badb1694896c59f5624df52842e83e1a8c4d0934a
SHA512 b61ca9da27741e74bf8a3b64d016d5f1c131e73dac7395d076aca6becb1b425d278953e43990b19a7bb7cbc50024720af195791316deb13b40e936449df0f71c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 050d2156e20ac358d65a62f5fd24430e
SHA1 1753511a338ad1fd7503007e0a73313fa86aeb02
SHA256 ca9ae3fb7feec2c66f521d6c3ee3806c8c4db84412c11aefd1729dc08390085f
SHA512 1e76129974bc156455235fc17dcfc3a65d741d8466728a6dcd493b99c3ddca24daf6d795651f115c1ec3543a6ce8062bb1435413d7ed513126323673488bc7b5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 61cf408b87dbd21646ee9fcb25c38a88
SHA1 1e2f6691d227dcd292b9c89258d8536476fd83f4
SHA256 6405e8a92fa9a4b40cf4f7fefadd048f1418a8ffbcec8096d4ae8c0516fa04f5
SHA512 f0970f2f0b69c64021560cbae55b26e248093f3871dd49abd238d5837ddb3755148730c9917058f30f86ea7f16fb55a91dbf02578d17f6272f54233d9fd7f53d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 799e1ff712c625a503863dc3f5b70941
SHA1 c84e1aef1f148a4ebd770043270ccf0865d878b9
SHA256 4567c9d134baada7b68daa42812f751d2cfaf1c20e27044281c56de519304907
SHA512 0ff9562fe0da3e3bae8be7a5d134adb4d2eb3d86e69916897e8cfa93ba4e7efa0754d36d7326b19fcf8d725451fcddfe9b5f8489f2109bfdbd8e8e7ba6fade2b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 004b20073b8446c6a6702d24c375508c
SHA1 265dada0e3bd4b35a72799ea1bb68898d950e78d
SHA256 514d1a618e3607b65a314e3cd15a45eb9c9d5e2a27e9c2419ee0431f8ff8bc5e
SHA512 84d8b4a79dd0493f8fdc2ab6b0ba67bf23574ad843e468030d282a0edb978f27f2ed68ba89fb622c031be45113f40d73263ad7f2918e499e5bf902eda8db6438

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 594368a5738082d714001ebfa5bb588d
SHA1 d1fe6ab8ef4b34bd7b164825572bf2234dd2b18f
SHA256 56c26fd7865770288a20775353d0fdc90ba85aded7f6cde4ce911767ab236878
SHA512 7415d83bb5d4e1a76ba2de504d665eb6546a2dcad8af89f66246b95fa7bc21fd3fdb6462d5f06f3c9d3321ad755b957862d2a57dc1a26012d89cb9f0a5b1289b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 435d44134bf053af99a5074c555a8d98
SHA1 ce5bc40b976977df53b52120ea87fa3d232e7b93
SHA256 80d5c7269a690db814bf53906566a2b0bb4092ed7e884828dcbe4447fdf6e895
SHA512 d212d43bbc1d8c75efead3e7497419d8eeeadb1676c470bf527be76ab9fee8af7f4fc51167bd9b4099c86fa0df7a49a639eb7107d4a6fca37a46c043246f3a9d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 fab7daee2a3c1dd65ce5891c3dc8517a
SHA1 53a856017eed45a7ddf9c26a77b473177310ef1a
SHA256 118670ce99302ea71bbe0d60956c818b5f4e1b765f3901a08997648a5e52586f
SHA512 cac3eed5538dd2154e6583e9b23798c342d8e3af4a90b00abbf3d993eb2c0cfb7a0663ad679d5c494222c7d4cb62fbc689a43c4bcbee0378fd5e1569e9299248

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 3026344d534156d775a0eb37c108f827
SHA1 ef1ba764002815049928dfa732b625b1673e2798
SHA256 9b3efca918bfc9decad74612f3bac43da3b426538c574f7587e7cc301f8e4360
SHA512 4e1025408e4b26035df3b4d3141e53b8642e3b8b6c710b28e8704660cba0020f125850dcd92393e2e89f1e19959b7a315a89e7e2c008299937cada8e7b1c13fc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 aff7b620d7f110784f98665d20275d2e
SHA1 665d5f82ca05460e0488ae6f02ad212c9a485337
SHA256 588d819e71a11947bb8eccc2b86c9730e1e9e3cf199069a63431d3ea07105701
SHA512 cb44adaf7d8ac9acdd93c483041c0852c35f134c281d217da3fba0d3f3d0e04cca0f575dbae49eadd8606e35de30567a468e038b37419ac499a10274786b96b4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 3e150f3ba2477fc3aab7f2ce44bb60d1
SHA1 2c51a002eb01ca36062aeef209dd56dd28d74f1b
SHA256 a3e0304e0133beda085cc3b686ff9a0ccd4b518f834f75c0e1db55b39b8ccc0e
SHA512 1099e7ff86d7ef407e5905be01e592a00424dd53dfa9cb8906e7a7e15762cd06e48f4e6b27ac790babd92d8fd90614de36e985f8d14eccab436fcfa38f0bdcd7

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 c259d550149c6c1824c1ec91d60f2be1
SHA1 d3b5894722ce58b519f50b7408c10618fa5bf861
SHA256 6037a668dfeb20f00d8b29ffd650957bc4ecbddfb4db99e301db86f6a0c19792
SHA512 f7ff571036c9e5836617edce10e5cf7da008ba6db628a8d87b173026895a9c255f13db26e815ce9eb2d34362773808ac1353b41933d42e278defbf1c1e20de0d

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

MD5 c23d361aeacefcf5ccf21ea1b94de7a2
SHA1 c5d12ab768fad9e348f152eb11f3ee4bdab7c6f4
SHA256 5e45ab3ce95d94638f81ac84bf834f71a21a753847008a1672c574d9d449829f
SHA512 13e67cb0690aa599927490ca3fabb6cc16e16bafcc593f3606de35abef83242421c9d29ffdec573462a2d3028f96d5e10de2016ad9e4cd918d15ae8d5fc2d761

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 6d6aacf0c45d5606dbece38a9464aa48
SHA1 4d6e4c23eb82e681998242f57219526e211330ad
SHA256 ffe15a9a01d7469a394e174c9848924c732c2fda57382f565ee1df9eb110f8ab
SHA512 427dad1c8df6aa44ecac360e01ce2c72b4f34af583d09a7cdf5b005551fa0beeb94a7ac882fe077c2d4b90e8cf1bb39ef5f76e4a69336008a04ccc62995fc04f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 a28306ba4e3f74f736fd79e7a8db08c0
SHA1 1644dd4bb464e440393494ac4eecbe1f4b1e0564
SHA256 629fe7af73a76d68b2734a3c14b9861a0568907dbf9c521f3d02830c60b011be
SHA512 33740d7bee9940e6ab2dbe5a58facb281dbb18f0515cd588c382cb1b23bcc98ed526aaa48ea79fb105a390813742b592e8255cbeed555dbd1d3e95d4dd2c6cc7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 52d504e47abdf0b0d0ba72640227b5f2
SHA1 31cb3f623ca44e4561e3caf480b67e87066d0faa
SHA256 8b59358ab208f9f0268d24fd94d29d83e360036033795e65aea5ed348b3abe16
SHA512 bce5d6b636075dbfdbb26677795295a4a2fcb81a93bf5421b726ff187eed28bbb03651d1340d0e2024985d73651ec5e231f574b3ad930b31fdf3e1ed472c7475

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 9de492c294892052e542c3e01361585a
SHA1 1edd2f761acd55976c816ffa085d114dd0257fb2
SHA256 6ab9c67fa623aeb9bb4aa4f0f410816945087ca09dee016fdc81e8051fdbefb3
SHA512 acec55ec9883426edec90921bd0384551892d99d8d444c2b95ae0e1cae6f77d8f626b6a235ab5f81263d421f319e1a06e1b521629b1a06bc9e4d567e0c501658

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 1b6f96986d788823530d4e061f82b194
SHA1 0b86f0391c0a8ca3c375b3d53a0b3a6ae0fcb36c
SHA256 de26a2d7f9e08fd57d394cbb91397445c5bbd2e6b2c4a55e7cff15d841b527a7
SHA512 3fd4d6faedac2126c9a4c749bc511ecb2361fc842b2fd3963dbe5a720734a370cbc705ca2988e9c289b1c3aeb22e06400a503e05920b9d7b5b5641737a27ffa8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 8551280aee5ba468ba8a2a25fca9b0bd
SHA1 a380a1cccaf7dbfbc6476c7cff75bb333ba62553
SHA256 23deb6535b16d9a94f0258085a3de54f53015316b033dffe731e47e75f0b2235
SHA512 146b1def16baa963a3750ba31e4d114d2a00b81ba1c8d43274f21e84035affb9a72e5bcd94cbfbcccbef216acd68b11fa3c08f78490f8d0743daeeaf7d83afca

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 69f3a274d68acae95123d74849e7ffe1
SHA1 f207ab35dd5baaeb50e237103a36036a73c746dd
SHA256 f43661039a169f42d190b795c204119dc745a783f54f030b1bd6c9afe85f7d50
SHA512 94556d63ae6281f100e4915fc2018d884b9e7d308e8bbe3afa9af139337a643fcaf30ae42e7f8473d890c12bc9a1057a4db624546aa4269fd16f1ae3dffd7bb7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 c7523e44e18902a9bba92e7177e87a8d
SHA1 2e6915c9eeeb2a1f73d5056b19d76b161ec31ad6
SHA256 ea34819f0f99d42a6852bc575a45128f6b07e173389483b01a8b486fb8a1058d
SHA512 748bf55273abdd6d77d1e0cdf334f3f2fdccbc511f43951eafd2a4fc29652b06044e54113e7a41197b937d8c06b5b19a322dad155c7483378cb32f333ba545ff

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 b9209f415a8a2e168a58092d48d34ef4
SHA1 1389c610dd59ee317655d2d8db74fb42131149ba
SHA256 de1d15d7f39fe09c8e8af567cb0ed1237b9a99efa44c892685a93550d215d20e
SHA512 404dc07904103a5e8bebca0c4f1a8aa1add2430d6c0c33b585fde59e79a07b89124b3351958875e0921fc6f2ca000ebbef0cd8f34fc2d770c9001bc1e7037f0c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 fe1513bbae26c783deb5f18d29ca909f
SHA1 62627645352ed75eea6be75a182a31a1269fdd11
SHA256 1e28cc52cee10ae543c5ac06e7ff886b3a2bc2dea5f5e1d795397527a3cfe84b
SHA512 88388ef94f2c559a0e448425a4581666d186849f34067ec84bce115cc2c8c468965602bcad534af64ef759e8e4f6b708d0f942826dde77062649ca5030fcb9b5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 8b64057f8c022f6a5cbfec80fb9502d9
SHA1 8968c4546c82841454f529c2e8d320417b012e73
SHA256 fd1d8ad83a3b14e2dc376a39501a6261e56d3358b64f57aa313f7ac212982ba7
SHA512 2a270beab4941a64b16ac10bc6531cbe428f573c7a9be66330fb239b7e37bad242eab18a524ffe57beac0d711ded584ed7a676d459f44ad6948d5d0f030f33a1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 cf12675f50d724353846363ac965d8f6
SHA1 bc1f37ea81ddc995ece2e47eb28dff6707a4d4e9
SHA256 ab09a97815949e4c52944deec82f52cf06fe1410444d8178ac6bffb5b9bcee8d
SHA512 1442e6331be0083483f1306191a601e17b8cd9ae48ec097b158defcc05dc98d24f3400e1e96ecc042c374f11c2c80672c9e88df79083191aaacc3fb76572a09d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 ada5c508c353b01bcf7ddd666b3bfe7c
SHA1 119a980d36b197c35304b7e294722cd374f76ee5
SHA256 5ac2d6be000ea72476a0a73e0a2434fc7ea3f74538c48e47bb21dce34ee4b873
SHA512 feb7c30c41aed8a7844c6ca3628131717fd53f8eb01a24ac8adcd33cd3355b55a44d2a7c3b53e3cfe68fdff728f9033fa5e2bc254a3e61d09ddba55feb16585b

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 a4fedaf691989338913d9325516d69c6
SHA1 cdad3e997ef788a7bb4ab4f34c88ff25fc83bf84
SHA256 198680b6b0c72dc40f6688e6c89c20563c19bb533bc442eb674391ce939f566e
SHA512 5016ea58d25710f538294da3377459d6661ff869b0cc8c9dd15772a55e9ad3f68a864a300e5a2f053cf67a9768c7bd44e04af8a761443d02c1e48125e6185c65

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 39c287c5040641fc77ddb7f592847a22
SHA1 4136c22f039dcd82eb4605e7b75d95ebd5d080ee
SHA256 098a5c7c213a3c86c916a6533dd5c00fd4ba8bbf235dd7a9e06bd41ae0ffa585
SHA512 9f4c14bcc5d1c4fbc03e44c106fe10fb93b4b2d3715e2f7f240db81677a754ad1ee0773d758fae7da3647dd20d98ab8beac215b0bf93aa83ac292932f4300e0f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 33fec273eeae968c3bde4fe0769e5451
SHA1 e1c5724fb353f549ee4df20f4170e7c4df1efb91
SHA256 1494ee5ff99831425810012d5a09311f7fbc36b4eecd2c0f5389ba2a9a247dab
SHA512 7b6837a9880212320e1f30fd439ea1e5b45ef6f924ceb2abc57b99019dcf1530524625f8e18485f55e583384140a7a620ede8a2b846afe394bf3410bf8ba6321

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 8179b5d7e6ee7d6ef15224a823cc1640
SHA1 0fa6fb8f3e5eb7ae048133b1708811b3ac059042
SHA256 baf7ae20fe504248b41e7ee63467bcf6abb7e7470ce009bf1adcc611b94ca173
SHA512 a85e2c904072597aebd58803ffa83e0a948724e26ff80f03d7ec1b38b9ab31a20de46d3ae1cbb1f0b431db5505c7a329ecde28012d15f4bbb1680b96cdd62dca

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 5b388239dde0b1edae34c5e55ace1f2a
SHA1 fb45095fc3823b241b6cf5409fc31023a07c2647
SHA256 3237d2a7732a266fc440623f92f15ba33855792996a4060be79bb6baeb71bf24
SHA512 62b3ef25fdbc1215d3443c3787c0a3043b579246fe3427429f0ca921808460a01b944e70e800c73170846962c484332f2d2f090e484e456363f16a3544ed7b12

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

MD5 f4e9f6ed12fbd52c3abb947d89a2685c
SHA1 5eaea2ca9903df660616752f4ba14833a21bec35
SHA256 954a25dc7471e0a94f51579ecfbc65c6a1a90c1aafe9cd35b1af197dc64787e6
SHA512 704c487558855f500bcfe787850684771522efae6e7650e087abcc85391ce0a4c2d8db1acfc49c5d2fd42454a78e76f115b6dc712e472e2e91e69239c7a9b3e8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

MD5 0a09d169495b9d1380e9ebc92e528ec7
SHA1 807fa5b9f4c409fe0c528f968b5a4fdfc191ba97
SHA256 2076ef257b14c91c02e149871b09f3aee1f11340009d7c3ef3404693c1f6e224
SHA512 904b2e3b7261dd9258547202d2b760ed721f6391e3deea074dc4db2848cee1d8c74c82621e6452860e92b295438707255fccbf376d835019d0c10ecb276d8334

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 1712e563955ce5e81cfbead54611033d
SHA1 f86d457942870e0462003ac85667c6d97a11a7ad
SHA256 e919f1c63ac7d89ec9c4a085b8f321e953babdd786d3ccaf85f131e78db9ee0d
SHA512 0592930afbc0d4f4b801f8fe86c60d84f038eaf171785a4380c7355c45e9698badac768cbe1d4fa1d83fd1979b92d17362ab3b50c0c5abdb856e782a59b96d22

memory/2460-4420-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2460-4419-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2460-4421-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2460-4422-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2460-4423-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-08 08:00

Reported

2024-12-08 08:02

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Xorist Ransomware

ransomware xorist

Xorist family

xorist

Renames multiple (2195) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@AudioToastIcon.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-100.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-200.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_32x32x32.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Drops file in Windows directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe,0" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "YPKPICSDDQDFBPQ" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e6T6YF2PiNP46m.exe" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YPKPICSDDQDFBPQ\shell\open\command C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d6074e163ab2938305579363b202499d_JaffaCakes118.exe"

Network


Files

memory/4544-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.crypted

C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 a1c8e5253d98310c701c016c55477d96
SHA1 287eb92dc90dcffdc857cb0c4c09e48c5e98a8d4
SHA256 a5f55ede28e734443c6ba5d1de703f105b9b4ee203b987144feb9a24de883490
SHA512 29dfc9224ea8aa40c5c41579dcba2295639298b19496fbaf553dc8c2c1b66acf38b11b985cab6fe95e41d415a17686ba0ae23771f9ad451b9c5ff5ae401d8f03

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

MD5 6773103979f345bec2a007944694b28c
SHA1 48e82df5e9eb27e0954604e6a1a3a5f55b1e3bb4
SHA256 2fac7222d25721244b1e776fe717a56ca7f3c89bb99138cd46a62a31d04ba44f
SHA512 0d6361e980cf4d411916d7a33b63af2e38ecc8a3be2e2671aef012f89c5c5856a40f9205ae9871f6eaff79d15eb8d3354eddb284fa2acc0bf5870922b55cd231

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

MD5 86a5657dbcf5e06a7ca0cf03f67f254c
SHA1 ec86af69ccf255377700c80bdf0403adee047d30
SHA256 4885311276b86c44f78a3c1def52e73816dbd02fa17356b12918178b6e1f8bd2
SHA512 e64b9bc67c3eb81b0f7bb8f2bdfd7e1243aa5efc9d4f4c2d03f9bcb1d5e3c2bde67dbf83eeda7229e8d276653a88a1350090439157945dc2d5d4e8082c0fd998

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 adf42fe7ad05fca11b33c1e27fd3e705
SHA1 73edfda9782d0d96d55be4d448f4fa85bdce2c6d
SHA256 700bd024ae829eea369ae1ac855457ac704b2b8bbddb6f2bc51b2e218d465f32
SHA512 4f4708db3bde796024e63be3da290db5cffde9ada13cc8e9a38f13cb3f6c7fa500340dffc8ed952706ffad01c29a6a9033baecc0b9404f516b89463a8d8291bd

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 01cde8cac68cca9418d0ffd602469757
SHA1 d908613e778e5573dda942a046d0e07d5cd7ae5b
SHA256 100af9be1023c8f290eee35cc6ab9e55da2ee64095e2c6d20c2b30b19fb722f5
SHA512 941ff6ac18c7c0fd297fbe7e6ae8ebfa9c6d3515867f70751b74add65993d20f7cabf8529bed8bd50fe665866a0e7de6fd715b082f6f56d29616a42f8827b0b1

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 a373bf630dccdc6ece41aaa3834f62f7
SHA1 fde87857af217560c24bc88db380b3bed190d6fb
SHA256 2d8d281bba406eab530c93c55edb388deaf063f7f6d6ebadaa1860f0e2508f02
SHA512 21fb285fd2bf26e1c310855975800671d76300d69bdce66163d5b44ea0f33c3f6d89c4104273c1c1afafdf154379f1ef3da4ff82dec4485ee26ef9cf97c6f5d8

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 c14e825161dd17cbae79e366b62acdc5
SHA1 870d4acf478c5dc395f7a476cda198b97b8d149d
SHA256 7cbd1695344e44130c8fcd5b650abbeb051c9f17bf2c580b81d5c019125be83f
SHA512 9a20feae9e4a6387933b22fc1e72a523a9980b8a0fb8354fc30b34e92580d240823dee4243d4daa135a7c0278f181a2faa5b5bd9eeed7ba496a19239aea54dcb

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 1a1b8efe5bf37f9bfa84c3e480bd054e
SHA1 92a595d5673dfad8d5f30745ed7eeafacbdcd664
SHA256 502aa4808e4b917dce68a8de9e0e72001f0085fce5f6d3de9f2b48b7b0f34740
SHA512 299be9f6918ff597abd25c8b8b114750ea2ef5d6059af53101cf1862fd16126a76c043b9f649c761a72eb54f21155b48591236385d1e3a7c86cfc99a927ab69e

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 72de39ba201dd1ff11369ef17e28dd5d
SHA1 ae5e849d1daaaa7674332d8c902bc57977631e76
SHA256 d1ea9d45215ab6f95296f7bec5ede887ef07393accf5236d70c27ddc3cabce7c
SHA512 ca92aa7970d783ee1bc3f386950656ae9277ba4acd920f803335657eefcd0fdba2ae676357f6b6294ec5d6c4065accc973237631b547948661671d39b2605634

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 5e08ba886a192cc3f49d7fb18ea9066d
SHA1 911f4e06381b3b4e1c7ca8f7d118f442ecf791c5
SHA256 59be736dcc3946597ce2f6f6eec5b15a4ce3b9fa357bf56f696ff112ec8fd964
SHA512 4ed052c592718808f5d50c29f0ea016742868e9cebd7667eee4c049a03aa0d9a89305661c8d46b9b246af8dcacbbbe92f92b1aee237423d576b336495e3c9bdf

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 69399c38732b68ffc84ccdb18b275557
SHA1 fc7ced6e14aced2c78bae53a4770ebb2cfc4498e
SHA256 13ae41522a730787dab20c49ca7945e107c058c8d2c289faeb1a79539a1364bf
SHA512 d92ea85238a1b22018a5a5519bdb6fd7af856633d9f1138998c2be5892e1fa4c19eebf6f7e0d721dccbc2b133f8e5a6d0941c29333217da158411a31d239ee8c

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 0b52c583e18ce10a467eebb740bc33b7
SHA1 eb4a549b9b981c56fd9448b8981a9064f5f21f50
SHA256 c1b2bfc7de9a5627fd271d6904ecb139f5d4256798d16dc7177364e873bf50b9
SHA512 0cd5d5333b79be596902463ae204b163d9535cab810ff3a39bd5856ee3e1d57a6b635a147e3163d7cadd0713a121e31f0878186bc6a6a094985d23118421279b

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 3ee68a9fd61fd856ce9d371b3abc5b89
SHA1 d601c300110443576100920398dbc4a239f852b4
SHA256 a2ab576fc23c8c9816134a21d6ed45e0a0814b5d28fb21fb1bea851ec6bb41dc
SHA512 41420d5b9d8d53f711f77df10875dcd3c7604e5bb56a413c9772fc5b0932c3cc46ea787102120266265fd9e54f4a4a9397a4b598b1a8293b3c48f5030218fdc2

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 e6be516d922fda90f0bd25c48d48d651
SHA1 3e31fafc0e49dc11391cb3150761951ad6a027fc
SHA256 671e1524d3c74ab7ef024a97e70e71eaf801efa1177d7529af7db3fa2f8f384a
SHA512 40a50590d644a0a79a45b0a27b8a6018ed17b32910bf726f5eb08f326c47321e514defdfc724d19af289887dc6b9444ba3f10f2a4285dbd6004d1d05bcb762b5

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 b31cc21f9be79586e2c30ceeebebcbe3
SHA1 53af6789e6732a4fe494178f12005dacd8f41f36
SHA256 dc8f2d4a7aec54e5701368956a665215bfd3a04a5a3a3360e4e8162c4af6fe95
SHA512 4756a06a2f045afff36726694aee0d96b13d8d55c34dbe8ddd28193c78b8f10950e9a64377951d28bfe45049c30cd1dd674d62427ce22e351685caa561ba4a80

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 f9b23c7948bb898fd64e3378d24653f2
SHA1 9ce409e730617d2246059c8a9451187014bd871c
SHA256 aa5fd055be27325ff77a42e8871f2c3ef885ed3f3b3cadb1779c55a386131eb8
SHA512 c7f429f4ec8c7720ebb5f803bc4ea2821928fbb6ec15ac2af2d64e94fefe466727586cd79964441ea89d5beafb14cb947b66ee15e63a3300adadecf43ac48e52

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 837a72488dcca5c9f657bf177f328500
SHA1 9bafdc50e9a93ca086efd786574d1ba76d7a25df
SHA256 c897fda76ecf8bef9f33f08a70fa0d50ebbb6116693867f40589bea61d531fb4
SHA512 7dd3b280af7aad850e4b90bb80877dd112ecf1f8ec098ee127d8703e2e2a03e72fbb3830ab8a255c23430d802f5f2f6574665d3b03a1e7ff95100edeed018716

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

MD5 aaa20d8a8f1b8c559237a8b095451529
SHA1 44142ed21f0c25e622fbc83f9b72e2cdb3f79b8b
SHA256 d7da768a1abaeea947a82ce39e818bbdefd663a20b9f3925701a52a64b08c726
SHA512 438fee454573de17508d135e854dd55ce18b4de4b1e46f4609588eeb3b86569f89ebf4071f6ef01dbba6f6098a64d043e59078a5991c4b9b29e55e5f6d21387c

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 6915ebd95aae578b88cb412fae2e8888
SHA1 c9fe42057106856e76a4468c6b646ffe3e27ec0a
SHA256 6ae1b5b7cf961c95e136c8b9b992ee8010f7fe64a93662fec698796ffda8abfb
SHA512 c6f85e20eb4b2303078761c21452523059510286aef9641d7338f5ef34c31f5624c275442307316b0ba8631bd2069db0017cc1a90330493276259f8ff91a9da5

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

MD5 4692d89d942471d67bb23e9306198066
SHA1 1dd0057037e12463bbc2a20e5e12a33a2145a4be
SHA256 3e96ce3d03c869471f3edb7faa0c9e6c057193fb66f87aa427055e42c926af2d
SHA512 aae289a243652ab0f85071406a975f5188c73ba927c6167f0b9146bc0935895cdbcf263bfc3dc20098ae719f64d0f612328e67be04d85ef31b026a8f17000cf4

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

MD5 8a0e846e684ea1f6e5daca7f4ad16e62
SHA1 968487f82a412f1205738d57fa690afd946a588a
SHA256 ead76343567e8b9a52dc3d66abf946e9e7f76fe1e904b0825c97e6fd691f031c
SHA512 bac3972f447aef79362fd94fd0e0345d94c44408a14cc2544e53df1ed08160db1645f03c6e770c92fca329f2cc95b6279464d8362de511a534e40c0d30baea8c

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

MD5 2e70dbd79d95c1a703a6c97d766a8298
SHA1 69b4305a46413bc94983f47eba308fe0bdffa3dc
SHA256 ffd881fcea5bbfffa5117553a7554d65c72f5975017debd66d768a5a399c568a
SHA512 449993ae18e611522afd3b1605622da3169a4f8321663ac1ea6f5020b486fc10a9205dd4c79765abc8c09d465b8f5ac7897e5ae8fc581a74d9e59239d51b936e

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

MD5 c528fa998592dc9e8dc03841150c83ca
SHA1 6b7e16cf7d114b4e698f72e8a3366f1251b3dc2f
SHA256 7f61cfc332ffe3ad4712ac729c9d0e13feda9a605472ad14a08b86f58d7781e3
SHA512 561c4ca90322e029e9e8cb63df3935e76c59c82f72377acc2127a24d9b9c2af493dd4aaafca3509be3b5b7ee91f159f509880d5ece361c931646bb686bc9843c

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

MD5 35e36123e2f2f2f4055d43cabaae109a
SHA1 aeccc304c061675e3f41d6b43289b6b726f2a473
SHA256 068b18dda881921f6fb964450c52cecddfdf412f053aedbf792da0f3b930550a
SHA512 541a324781dbc1ae4c1a8684fc327d75b4186cc21c49d58d7a5076f1b9e5d55fddf742595fa304bbfaa327ae7e4bd33c778cb785496eecebbbe929d6cb01c881

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

MD5 602ab4ab37b51dce29ebe34a8ece05d5
SHA1 fd288e6cca29874a3d18e825103db2e992fa7d32
SHA256 ba716da9aa487d3db35f018735b730cdf485287fbf2c918c62d12068b337726c
SHA512 a6f978c97e0c9d8932ca898b59d82904ef1095591a2dd649e3f96c19ceb6af4308fa32cdc9369e5572708ee239e36584d90cc7a9f1488a37aee3494c5edf17aa

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 3f744d4b34ca511e28b0560f8be3dc77
SHA1 7f72d9c40ffd94547cd90f66a5d4f27ee03ff2ad
SHA256 89e99b3642a7404df4c80f4ebcc6089efa857f23633933b621e8e4fb8f4c62e5
SHA512 609bbe3321cfc6640ce15332bbcddb6847b60ef1456ae993ab3b3ca2ebd096c3d0fd9ade633ea1851ce32b5ae8f11436cd0758f50691e0bb9be41a2cde4546ea

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 221cc86cfb8b99d52c3349a29a70e053
SHA1 d9e9f0f35d3c9067c691ae4c5f0543756dba4d23
SHA256 a290c19a1f685b865cea12849e73dbbb14429eaf8dc04f6d0c6ae759fcc31c4d
SHA512 2a6663df30e28bffb693809c46a692d103c8b8b8951573c208e49010289f779258858eb9cc9d71a4d8d9c01eceac89b94981ddf870b9b823ce11ad25fe8fb0fc

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 e61a90532a0eed76e42da52444fa34ee
SHA1 91527388d6875769c577bfb2c9c147a8229465eb
SHA256 8d54274cfc4ba0f61f13b438a135677710872b22a9f76a46b3bfe019bd365f8c
SHA512 1a67ee54b01d9aa6050978753b6dd5f81c064e21a60dea3a2c0d52fa4b07b132a7476492adb51f8f2467831afdc1fb3f9bfe32ac2efed3a12de2a588ffddfed3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 9e26a60e9204c30dbde6d8ec0b4055ab
SHA1 22a060ef72be7c4214634f249b71c7a349e0e020
SHA256 128c875ccf975ba078c2e149b57ac3491a86a4e0e5318212f0db8e27f2048b25
SHA512 e0a38f81327318e83addd08f115befd108f2dcbd32134faa4b9f5c9d2ba2fac7f0bd820718f14d7de0ec85ba11e4d57ddadfc370f128c8ac71376e99e373ba52

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 0b9faaa09aaef4c07a1b935f4770b4e2
SHA1 80d36ef6b4091ce780745dfbd888c3cceb557433
SHA256 e598887a9f887ff01e6b2d6119478cbb323e7e4ad079d8295929e944e9917c67
SHA512 1481867402db803e2bf6816a89ab3204a13f200437c482bc995194f7ed5bfee676c6c2fd4ee0d263c1aa08fe936f398d13ad79556d78e0bc006247e3669339a9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 21a0c8957d8306e758fa1337bd106803
SHA1 0ccb8ec9c788f6125b41c0abe76d2b1b1b5dcc27
SHA256 32db3315ad6763200300716650056abbc298b03b49dddc34a8695cdb0ba94c17
SHA512 8d76f5b461d06b443800f25665654557d07c75e89c221a79fc6b6ea5a0ba97164f8dd5062195e963ddf01e8e6c3225ec988b29cc11fbd4d784afc128f2fed1a5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 c0a8e3aaae898117d8308f3457b84202
SHA1 c7452e639fbf96c31ad24f34ddc55438af138bef
SHA256 78341c907532618c67f2570c2735c28cdf9e3d6c4cfbcc72b1028856f73be840
SHA512 9cfb03aaca9344d7c43fffea975fda3395592a1945561de888c3b0e7b60b95a7716c833f25dc6070449d439f2095f12f5f118281563273e08f60b7540995ea1b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 8d556085a2da4ede8e1cb19cc65d270b
SHA1 381ac5561a817bfbde79bc4543ccdd90c2e0c11c
SHA256 f29853ce313682d31ace45f54b235efa03743f49e84d2782c3e11e2415446662
SHA512 4f3b2f0540a17500d704fff20fe8a0bb581cedc36b075d2f432a79c1fe1e1736dccfc134cb98a6b459a41f8542a82907e30471e7242f12b5935db36676fd07d9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 434cf560b1e3ff65e374336e4d31ea01
SHA1 490a8ff10fed22ef38fefa2786200a921f176e27
SHA256 ad4846cc41946967c725c183bad6d23e80ece1dd4c3c11571c8cc832e3ff33fb
SHA512 2ed74ec9ad12ca2a7ac27831738bc1ecfb511aeccfb229e78ec6e3d684a0e9bd6e7012283e634057633972bc5798c79173dafb0d0098a64411186855584e8466

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 ee402ad1133ded7880ed94f7fdf3f019
SHA1 46b4c56ebb3f2e73601b9e9f1a8831ebfbadf3a5
SHA256 6fbcb55afefe7b3f96fe03155f6b7c724319970c1896bfb65fd1cfad822ab667
SHA512 337190a2ffb7a19cb8672652912ae72c021649d0b5b842be13f474bc65bf9164fd6ed1ce2442051020e446ce41c0994550251440322871e874c530d31552a932

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 4bd1bfb9adbccfc412488bb08d6c9055
SHA1 8a3937ec56d21c3594140914c045a8ec111688e2
SHA256 fcee391ad0e7760bd6dcf157c9ae8416f1e4c6f2a51eef3d8790b87e658b3059
SHA512 07f71ff5cdd5fb5650cd869c72064a9b796e5b9f1880eda7203373ab45955c0fb3d0a793e8193ff084a846ab73fb37bad7995fb4c46ab28b0b7386dfb5387974

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 793ace7006846349044432592d4acdb2
SHA1 2020c6cdfb5d4a9ca994e3516d461dfb4e1d9b9f
SHA256 a2029d5fba4012b46e94d5c7d1b769383e3b293c497a9471f7d47645d090bb37
SHA512 68981848e17dc926fe82860c949edcdaf27e276be3a68528689383bbc5a500a39632fd09f3691c1c6f8ba399ce1a81cdaf2f6dc84e2b854bb9e85cb00878448e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 8afd7c62f7a91d11827a00df8011f52e
SHA1 545db6cbe297d78b166c72c674026eca030bf763
SHA256 1201affe8fe1c46de3e5df3b31d508aa3065cf6aff87188822eb6074b4df96f8
SHA512 1063ba4fd179046c1feb455c997e7bca7817975cfb8162eaf3227942807c8caf4369ed9fbaac26b54cabd3cb458298f802239019a43f1bd5227bdd33aed0840e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 ac342c668ab112333d5905e46b80cf35
SHA1 d45364d6f3e05770287f844843c3b41b497d1d05
SHA256 3f282052bf9467eb7ed0d79072dc85c31eefd4ebbd0830b3ca20f307dddbef2c
SHA512 5882f1d393c31e350796e5f126487130e8275a482159db2887decddeb86015ae19e9e11ecbcefa6bd4b831ab9062b39982f33dcf66f769d5ed49cd34c509371b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 47ebd6e1673a45d062956e23f9a05614
SHA1 0bd325998cc6d523ee901d49aa622a747e15270d
SHA256 403476aa4d7f4c495a22ee517c4be5f2994d7a359e8569aa20a2dbd15bbe3477
SHA512 1f4d77e0b94d7fedfa63b0d4beba736700c43f9c3aa134cae21a801fc87feeabe1b6c62558265de31975f39995017772a1d9a779b3ef23261fcd795c6a063219

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 2e1d555b8601056125c739690b0f1280
SHA1 73518565f4e8352cfe8c3ab76d6cb06d6e2e7cc5
SHA256 943f52c8cf6f86e66b5507e3007ee5173fb640fc26669f5835b63264dbd3dfca
SHA512 9f42b16a48469477c692dd4e037c3ae38afb3abd0443008ff6b35a89c40e9c2ef3cda2f40ba8771fea46859514445987fdf8657ffe414cb18e801572918bdf3f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

MD5 91f62155f488d4f773048a9a7d708de6
SHA1 ae33c694f37e59e0662556877b7a41e6e5fdb16e
SHA256 fd7eca75950cc9430dfedcd272675a3a55f0bea5a11f244c1632f5b53186eac3
SHA512 afb61f46779f7d056e0a89f50d2a846615c3a1429e57ce62f2684c48510067cc7ec3f8feef0a1092fdfb6b26d48b79e9f0abc1f1bb4af81723703471a570e114

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 26c74a3baec65a7058c3fa6f59ca509d
SHA1 0359db1228b6b8bd4116373f74379864c44ac9dd
SHA256 7a7345f2e5c30a1b60b5f796aefd62b08afcb454c0d9384d1e7da3fafd09d362
SHA512 75fc777ed5c9a9aa207ebf95cf2d351d4e33a54c312cde85bbdd180a2ff645cca9967654e720dc3f7387c22ded64ab6d2f00d495bd5a29591e0f4a0f13af2fbd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

MD5 f714d8084046b362a4afb666cf74e730
SHA1 4c1c26ee796c1282fa8eff7b760b508c25a72187
SHA256 ebee1a835886e55da10590a38d648b1a63e8efd939d33b3a724c92f5e9ae751a
SHA512 8d4bed8490d8bd19cb195143af214c2225ef30bc5a4d6642544667b6e909a10082287aa796d08a221c3ccd0c4e5bb0be1cbb8b33a3f9e5e0cb946c0bd9b05d14

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

MD5 bc37395f1de3276481791de350188955
SHA1 e9f5f4a777265645174a90e005d10c7a2e9abd87
SHA256 317564c55e7a24e9783cf07d106c77145eedf89538814a717965b8d05aef8736
SHA512 47c6d6897763cd47c41d779e46f4a56e50cb898a9c08f313dd4b88ad6964646eb97ed551d6da18121cac8fa20f71a8ccb33438a8903e36b4ad03864ec1fad708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

MD5 f7cd2c05649b2e96763d7ead054593a3
SHA1 00abc47b104bcebc42270359dbb36726f06968fe
SHA256 ccac1d0ce33b93f4f7430c15d1c042791dcfe875e1b1b6a2e24b8dcdf0f99210
SHA512 9402039460410a36d562040bce0bc5fe1f1cdd7f67908b33420d0ff8fbb61be079ef6c518f845063d226f21030f04602964313eaaa216a44f6c226f6fbf49767

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 eb62b61c75ee041444cd309b2fc1524e
SHA1 c8a1a9af9deaab7fadc0bd45e91028a806cebc11
SHA256 4b117488f82d7323af2f20d883b51699c1e08b0cb6368133c76c6288ec4a2fd7
SHA512 b13db28cb11bf2eb72a5c465c0eb0beb6f9d6f8e28d473628248c2637b251a77ac00423b9ea3448c0f3ce024893331e9fdf9f389352882c6c204d6a9ae22c921

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

MD5 c110597d43d5fc1f60fc3fb699e74ea2
SHA1 e1c12bd59ec029171dbaadb65afbab313701bc36
SHA256 9510bc98c5884c3f8e59cb4f606da5463b2de02f746858231f300d5b493b1184
SHA512 1760626c84d1991fde94f00ad901c6d0e36db243c3f2978174ef079f01c3bb19e6ecd94b49b84274dfcf12c67a8fa9ee0d440e1b3f8b14c0ff0378865024e105

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

MD5 86ef4b6a96b0eaefa3fa30da8f58ec26
SHA1 0e3d6b6f1e32142e29e6fb965f1c2a02d16f2dbc
SHA256 d5e3e6f78114fb0e4dd50a3d3c9658202e52d51dd90111d3c98063a4ebfc6185
SHA512 0a3e8cd1d4eac1f63bcbeb1ea103fd415acdd80fbb655f8e8dc9320e69dc85a37754f9b46209654d43130fef181a9e73e873ae6c8c967ca2fb96abb3520afe28

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

MD5 83b8c5bbf490462e03ca39bc18a49ee1
SHA1 a5cf3d0e447b324d2abcee7425af49bcb63202f0
SHA256 7e05515e89ed84941a4dbe1fa0df42566ff30e6b8996484d74cbfa7df516fe69
SHA512 9bc6054ca16a8e4969f124e03b98bdd47ce773f6bed82dd8d050e24528ec9880e00c2a01573de62596837882f609cb4dee880b500a935408932345e0c4bdfda7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

MD5 eaa95b85b3c1a6ebd9d3b086a9cee2ce
SHA1 041e5111a3773881984a5599ff73acdac45ef579
SHA256 918e5b8f176575528049f25ad2dbeff5a49870299e6003de36b60538c4da4ff5
SHA512 b2a202ed6fd7bc9b25025460321aea5354f70ca55b891b5f2ca2b7bbda153336f414ff8912ab05e8030a924d3e62a45813a255debdcca6f8d248d79b08344a7b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 2e7955562590a1d4edc637163ec391f4
SHA1 4ce6530bfad899b9d660a5ea5033cb72c814c8e6
SHA256 6e246dbd0f1754d19d071395adfd31ca493cbf73217b8890a17b7d361ac15d09
SHA512 2a556ab00f354b69bbc142a94064b7edc7806559c8a4642bf949199794dc5c57e70094aca914acba0e6c5796ba0b9fda1c00efe1a277f70ce22d613d9b31b4b8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 6282f04296cc89b03baab9009fad36cf
SHA1 e97d4e50f8f2082febcacbc5c94d4583e663f4b6
SHA256 3277db22c5ac858e4ac335b04c85d6c7e86400c8e8b8754c64dbeadccd0de712
SHA512 2fd1b46b7d2615952f466f8aa1378b2cda07c5ce7e1ba936fffe2ce0461ffdf29f1f01177d5029dcc55f6c17a184845f588826eddf73fa27827c7874b5f80f72

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 df5d89ee782b4e0c2d8bf389508d77fd
SHA1 5d5b0b4e7b7d79d2b1f50539b879096b15454247
SHA256 f3119d482db3d902a852e9bbd923471b1082d79e1146bd11c306d531addd39f9
SHA512 48a0bebed2a6b106651aecb65f9478186cbcc768b7a6a888220ba479f1799abfd77a98a6bc54b38f0fe79664b69e0165ffc5a19219e5ee591278c264c851b756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 b032eaf5bcb0e0abc9eb1c896b1bf502
SHA1 7e889b0c7f23b164ab43220835b3d5783c28ef59
SHA256 f2e051fddfb097a5cae72bb2f9ed14367621de5a55d5b66193646d6b7dd8f8f3
SHA512 51790130840026bb411c6cafb84ab138a1007a06bdb1b8eaa19ee805cd0ed596de5f2b122dacd79d5c4b5ff8a2e059a6642199cede81619febad1a15d068b6fb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 48bd68c6de228a46d0cdff100dc17ab5
SHA1 1f228d502252e4f02d39f50a75edcb0d257b9d4e
SHA256 536fbcb89738b3057e95fccc0ca05f55c6317a95394503785c3c67a1261e08f7
SHA512 53f6d07cfc6a510aec39ece4f0e6472a4e6cfee48a926213a0ef0ea236907c6a80980700241b374f22b9c88dec9b912349319da71f3f0a03849667ff70d6ff16

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 b8d31c102926ecdb4a4e2290f25e9167
SHA1 85062c2e2c309db2bce5ed5882e4a1448c3608cd
SHA256 d7c2838cacf7d277c6fab7d18df7cca480954000caaa0e8f414991c71640bc2c
SHA512 88eb58de9500ce9942b2c7eef466e9be70f0d01c0db9440ed6fb9583d89e6046637dbf5768a936349e0de188aa9f78d67f85c6bdbb1eea1b8e3012390fc365c8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png.crypted

MD5 34dbf21aa25db8e0b5162f0dc964737a
SHA1 92b4af5dc4f9a7910d141cfcd9e98f8090c61fea
SHA256 77d318b17fe63299f92ff8361d057510484f4b993e5cf21f4296326c1a3ee354
SHA512 1e447aa73bbc17ab052d516208fe5a735a736becb1c8de9b720388d147842dd1d79d25332fccd5ac81cb3cc1a131522c174effa2eddd33c20d2b26a75aabb2ee

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 8f414b4ce8ae43f8dceff29b5bc5cc36
SHA1 d22db04a7b72116fcc0d5557dd2f2a7fb8ed69e7
SHA256 9c40d71900669365e955b2e0b7c65e32df5277178660d2104800b8e5152244f5
SHA512 78a6ae1c5cdbba6bebd7d5280452cad69fcf57fd36d52db615736e3d42ce7040aa5e93aa24a904da25a651fcfa87e9d5bb0bfe1f07b59ad1ecec771a6fcbcc15

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 9cbf4ac575e23e41c987d22f7b11b192
SHA1 9ca311a7483a1eb26f8ec766953d77f019ef8c29
SHA256 3f9d18e2d0236a3c36dd0afcf347e9bdaf0cbd194ab580f3e6fc26d1e119d45b
SHA512 05076dd7ac78f4fcf00c92511fc82eeaf82c4c531c285dfc7127b10a422215d4c615cae205a437bda18f9d4173df5289b4220924e12770d58eae33072979e987

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

MD5 15e43a24042b49610ef81664b0489d23
SHA1 b63771ac20ea8519c4367bbc29ce0895526078dc
SHA256 1ff8ebc48333b0454f4e69544dbfb02c4326d5be3491a2200e324e87f1034aaf
SHA512 48c6d499fbde20bab964fa471b20ada3eb00a1068e7bb0358c8de9696697faae57333492c9f2ae59eaf1a1023d70fd8ab84a74f3c2a120a2136e833b594b5bcd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

MD5 e500215e4805912f0ae861905b42dac3
SHA1 f6ed92ed357c4168322ae6a46f8567d00c089141
SHA256 cc84a2ccbb981cc6d9034f7b8ee665362f616aad1bb37c615c4f793ca404390a
SHA512 a7ff533ca650401b2fb95ba41fb994268c2ea033f0adbb9d62092c7083ac58b163f3acc544ca2489e7b74f8ba561fe6b320442f852364c6fa7820133036fcf4c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 e50d4e0578bce7d4a7d01d78dc50f7e0
SHA1 782cb407a015689901490db6b031e4703b101b6b
SHA256 62960cc966b84878adc7c759cd5b5fefa0f6bba2ad3253b00f99253bf945b6ce
SHA512 cfd918568e205ed0af6cf578ae4468870602ec1d5f52a589cf1ea00cb4187dd13acf8fe94d3518cd9ae761e97980756a4e8e97eb53d7bf4f167534a0204e9dd4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 02c6471641b50f9fb02edbe491c0b034
SHA1 3bf5731f4e31291e41f8c303e1467952312ed4ab
SHA256 eceeb6c1a805f7a2a9c64026dc501b27978004b945763c28c4ba327facb7a51d
SHA512 b65898b773665eb88aed75734b797a12ece2e8f21f48dbe55f2d737af82b85936e931c8d2fa74ea953ee96f648646079e245b51b72483f34729928d2e43b6e0c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 f479b18542547f44e69a172540a75131
SHA1 4a76e9b4f2058c839ff9b37f04ad3582851e4ff8
SHA256 6a82149ea6a346086d19617ed9388387498dacfe71d09b45fa98a29e937a2bdb
SHA512 0f6b8f506c4dfcb2572f95036d7fd31a9182cf0b51150d63d7e130c3ecae1a2b4e52ec216d48215f9ccc2203138f1ea0730c4de4c1aa0dc478a6d477574b921d

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 c551aa4fdba4e81a2a50d49c1afa7440
SHA1 25833eb1ce1387deff07dc04aac1d29e53dab31e
SHA256 7b65655fa233f0f9d213d401e8805409abc15d3cca8d4dd9eec7d95fa1e6194c
SHA512 a709a1d666297ec71630fe8146fa6eb6fa68dd599fa7e0d94a42bfa71cd43515fea562f5702bc5bea6e8d9bda239472aa601a313dd74fdc2949b5761029c5864

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656226049089.txt

MD5 d2dfe2cb0fcea7c9ea741c5b361f1024
SHA1 c782f8a1f47cb47130c85168110049f4603cd9e4
SHA256 152042b1964a7fa73f9eb3249732eb2aa0f1cf62d2cc9a10eca44ff91f5dc619
SHA512 8561b88c2dbb36ff242d1c679c64dc3da64393ba8db7011f185b100b73f1ae580fba21e6824f41994843090257188fd7bb833953be48a47ba728b2cc84e1940d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656623420834.txt

MD5 8820276da4dc9c7f8278e6c0a150427c
SHA1 5adbf85e9d6cffdb043fadb758ec40eaa362947a
SHA256 15920487315326f8b64e4288a26181b5ceade3657c10cab82131960bfda8974e
SHA512 8f8663ee6b444386f2bfcee947e5681a1e192558ffa171f3f789f55f1f22a92044866ea1b7295093c98ddef8cfcfeb5a7231593b3aacc1d452e3b57b574b9af9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663536793873.txt

MD5 3c09be2f4571da355578bbec86f385a6
SHA1 207253ef9944bf944132a7c524ab2cb600c549e8
SHA256 ac6ee96cf1730292b687f150e17c82c6c00e574bc4d5dbc5fe8844b6dd07ced3
SHA512 bf5e0056e71de05b4d77b215ce4bf2df07d75057276cc5397bc0d60fcdebf97651e59fadd12453ca34848747fa47e64f0e7724c5c676f800d2a629fb7de19fca

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt

MD5 ab7aea97fa1b44129da457dc5aa47fa2
SHA1 9c07f129d4689b2174bbbda41106b75c042439c4
SHA256 9df353a833d08621a955b8552e8bcfdb8dd235eea1a3120126965615fc9ef50d
SHA512 10dcf91fd084640f34b6722efd9dc2bc81f0aef1fdb8f5758471a89f29c10ce53166aacc7650aaf480d6e27bae98ed6fdc2ae9f98f0112b84ac82b4d15b9dadf

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

MD5 6bc05b788959d10044152e1f3c9ad704
SHA1 ecfc404079683085d9da1ab29a5d2f671be477e8
SHA256 2b62fc6776e1b3803beacd56c35a62e6c3a5ebf181a9b2b4ac328b47d39e4ef0
SHA512 a8bf9fefb1d4a0c8b6084a78ef81fe92349cb6c9d25dafb1460ff9a0c1286db7393719d0762475e6fdd84670ed10c58f1324c7c625467335ded4ca62928e0a23

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg

MD5 c23d361aeacefcf5ccf21ea1b94de7a2
SHA1 c5d12ab768fad9e348f152eb11f3ee4bdab7c6f4
SHA256 5e45ab3ce95d94638f81ac84bf834f71a21a753847008a1672c574d9d449829f
SHA512 13e67cb0690aa599927490ca3fabb6cc16e16bafcc593f3606de35abef83242421c9d29ffdec573462a2d3028f96d5e10de2016ad9e4cd918d15ae8d5fc2d761

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 6d6aacf0c45d5606dbece38a9464aa48
SHA1 4d6e4c23eb82e681998242f57219526e211330ad
SHA256 ffe15a9a01d7469a394e174c9848924c732c2fda57382f565ee1df9eb110f8ab
SHA512 427dad1c8df6aa44ecac360e01ce2c72b4f34af583d09a7cdf5b005551fa0beeb94a7ac882fe077c2d4b90e8cf1bb39ef5f76e4a69336008a04ccc62995fc04f

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 a28306ba4e3f74f736fd79e7a8db08c0
SHA1 1644dd4bb464e440393494ac4eecbe1f4b1e0564
SHA256 629fe7af73a76d68b2734a3c14b9861a0568907dbf9c521f3d02830c60b011be
SHA512 33740d7bee9940e6ab2dbe5a58facb281dbb18f0515cd588c382cb1b23bcc98ed526aaa48ea79fb105a390813742b592e8255cbeed555dbd1d3e95d4dd2c6cc7

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 52d504e47abdf0b0d0ba72640227b5f2
SHA1 31cb3f623ca44e4561e3caf480b67e87066d0faa
SHA256 8b59358ab208f9f0268d24fd94d29d83e360036033795e65aea5ed348b3abe16
SHA512 bce5d6b636075dbfdbb26677795295a4a2fcb81a93bf5421b726ff187eed28bbb03651d1340d0e2024985d73651ec5e231f574b3ad930b31fdf3e1ed472c7475

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 9de492c294892052e542c3e01361585a
SHA1 1edd2f761acd55976c816ffa085d114dd0257fb2