Malware Analysis Report

2024-09-11 01:52

Sample ID 230711-xm2lmaae65
Target busavelock96.bin
SHA256 aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46
Tags
evasion ransomware medusalocker persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46

Threat Level: Known bad

The file busavelock96.bin was found to be: Known bad.

Malicious Activity Summary

evasion ransomware medusalocker persistence

MedusaLocker

Suspicious use of NtCreateUserProcessOtherParentProcess

Renames multiple (7573) files with added filename extension

Renames multiple (7605) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes System State backups

Deletes system backups

Modifies Installed Components in the registry

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Interacts with shadow copies

Modifies registry class

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

System policy modification

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Command-Line Interface
T1059
Persistence
TA0003
Registry Run Keys / Startup Folder
T1060
Privilege Escalation
TA0004
Defense Evasion
TA0005
File Deletion
T1107
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490

Analysis: static1

Detonation Overview

Reported

2023-07-11 18:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-11 18:59

Reported

2023-07-11 19:01

Platform

win7-20230703-en

Max time kernel

90s

Max time network

32s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2948 created 1356 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7605) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\A:\$RECYCLE.BIN\S-1-5-21-2859459355-424593036-1984306042-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cayman C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Yakutat C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00253_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFS.ICO C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 584 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 584 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2948 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2228 wrote to memory of 756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2228 wrote to memory of 756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2948 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 108 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 108 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 108 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2676 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2676 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2948 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2948 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1816 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1816 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1816 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2948 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\busavelock96.exe

"C:\Users\Admin\AppData\Local\Temp\busavelock96.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Users\Admin\AppData\Local\Temp\busavelock96.exe

\\?\C:\Users\Admin\AppData\Local\Temp\busavelock96.exe -network

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x510

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

Network

N/A

Files

C:\MSOCache\All Users\How_to_back_files.html

MD5 7c3f6e9a4b7280c3e4cf5162dab91a76
SHA1 713ebad2eb3dad54c852d50796ce8dcdbf5b274a
SHA256 f1fd958593b04d049aee106c36d6933b2b3ecec69997b3a95edd93426da8b20d
SHA512 642df7562ec6195e765e5b0358113097f41e99bdc6eba226e237a2dffca1dc8a243acbe6bd85594287f7b277081b61122aca10109bf03dd257575801c3a7ad17

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 54bebe0f06877e4200ad20647c977050
SHA1 8a543423ef4b8c1218f5ed51745ebe0be6c1f53b
SHA256 ff8faed2f53cd134ccb963f859f66a420f326c62ad2c6101b186272b5e0def64
SHA512 839946b56cb69d700a427e6e782c5d5c2a46ad8cc9601a55f6929c690e5c1c5800aa37e4bcea80bad7bef694a43e73ff9135e54fb0a7d805a820af3ea94231ad

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 b7c7af33d7de1b72e505df2a20faac08
SHA1 f931884a0c731de7893fccd7943a36923f34bdbb
SHA256 3004fab8b3a07c999b19f46b63b4910ac7f076b31b2f8a83083595312cef7a11
SHA512 0a1cfc74aa3f10b692b5de2559bfe9c0bcd043aa9fed5b53614c9bc275cb1a6a1751f174147991f4e76e6ff06e47a455d3bbaf1beb0ae061dfdf50f3a3145a83

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 b19c1d7ae5ba926fdb7900d3de773117
SHA1 c57151d3d0042064fd34a2c55d8ef3022c7f1d18
SHA256 88cfcc964b7fcae71fe9f58f621b2d28b7d4b6f8b7e643e530411de5c6028b15
SHA512 3899177f9ce3e1cc17ed051a25eba646fdbf7a50b02b044c2cb6ed0a1206bec79b829109fbe3af4c234ba3516877c4e087c7f56201b0901cde61b3c1ee9c8d43

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 2db26fea8ed5f6049d8ed2040d2840c2
SHA1 46e0ba566f56734ed46f397e8c451dea0b92fea5
SHA256 06bcfe26232d77a874b738cc78ade796f3e7e04ded40d47a2fd9905ee4560d1a
SHA512 6c56bdbd1ec0edb04334d849f101b34b6884efca435712a98614c7ff6f4dcc48ef2587cc814c1c92d1c24638c1f4e490cc8a758db789d363895cefacecfda0c3

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 92e0c6339a3ed6605155c945f9da881b
SHA1 ee21711a9ed949b6d5f3a9c71fa4e48ea1c3d8d9
SHA256 85c4084494c9b8d44ae3821ca67aab9369a9965477b90c9ee728e79d295ca4ed
SHA512 9f350778b16676795265972c79a2052f5afacd45b176b39c61dd3f3eecd1b7a978abb1dad1384a5593d49b052a3ee86ad1471e1edea49f1fc94e23936b6792e2

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 3e1c20e787af329d1d84ab93a3ca68bc
SHA1 f39b086100874072f50ada5836d52088ef9187e3
SHA256 de5425c0ee539c01ef6f932a4633d089657379b784c4e8dacd5a70c0fccb2065
SHA512 7598baab78303b93430e58da70385a48ca5f10239b3e3eda2cba83e8959599bbc166a25710f6b0acc720611ac9d9c4cb61a5f9417fb6e888bec7c03b82f5b9c3

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.busavelock96

MD5 ca8d69ae257e8c2b5e19a7c388c6a182
SHA1 356855566cab78104aaabb3b3c80154e72d4dcd1
SHA256 62b1cca022941590f7c98fd8ac765a6e38f9d1f3e01cb8d19924f20438542d5c
SHA512 c4ea16070e3e861928e39e92e4f7d822742bbf63f4f243ce639e04c5e4e0864a5b3ff1a9615ad65f1d3a2736700d173645b93f794d5c5c3a82fc462078a20cd2

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

MD5 84e1f84573eb7933379dd4af342f0125
SHA1 8b23c79d58262cd9740bb3d759a8aac2d1031c1b
SHA256 6385bd1c4d33466cb1ee1a2f3a4fb797fcfc385289b1efeb39805ce0bb7382b7
SHA512 80e4b2e299a00a7dd6398a383198653f87944cb7c37a42f31fbb61d04ec2a1d96ed415c71859945c033b510d93df94d9bf4447839fb6d5f956e97785f370dbf9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf

MD5 f1092012897f00a398ea0345c37b23ce
SHA1 9325c73f9a29852afed407948b2aecd73b308017
SHA256 9500d6fd2c56fb71c3f3c2c357346f00242ceeb57e7468c1d8b4eb43b39b9f91
SHA512 09b21a2d89147a3f0b06421ea5275a2c3b42930e3108dbb021a46d76a1eb0e6b69c2b742707331d7063efc77531a4b51a3a8f009863b2b6c32b1ad5739ada7dd

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 152777228074ac19d728a60ea3090fda
SHA1 724671a83d23576abcdb11aac7f14cbb7e9a3c58
SHA256 86cbcfadcf34a485511bb2a22f65e35c97d3e5c5fb9ab4fa73d8e71d18e60ecc
SHA512 edc109b3a4c07b3bb57881d6ace5894814d87563300d0eb957b26ed957777c7ed36d517124e4bace8e9bdb53f7ad5d0aa74f5418864d5fa10b97941c1cc1aa72

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 3aabb1e9be385242b2e2da75734385bc
SHA1 e453520f616a0d116a39efcfad1aba890dda2268
SHA256 7cd1e0eb665b2577b4915d79bf6b620eb64b93cbd502cc5ddd1b39a9595a0872
SHA512 02384a508fc702c6181260953faebe068f7963347ecb865879d1c5875d000039cdb832158cbe51d41e9db909da072639f70a3309f9b65c864be24685c8b8cb4f

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA

MD5 1b3ec4d8bd92ce2d951bf876512d2e5a
SHA1 fd5030f0868f28cde59989402f1b513e9a19510b
SHA256 2aac0a879db19ef53dcc6efeabddfa17f0160808c5f35cb3a300a6aa60a27cb0
SHA512 f5b5b256bf46cbdbf028ea239a9520f8257059700303610dc313aba81e5a625b10a1b6e07f080d9fa2307f6c3fa5b5e60a8a338d8c5c449db9c3b3e02fc43b02

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 b2c89f54596ebba33d8ca7a5e550e323
SHA1 1227a175db55c8b7acd1615c23c74f7bb35ef7f7
SHA256 e80c6ba8d3ec52431d89d2940fdf37177c31a129a9aa197e512090baadad5286
SHA512 07495588a6c7159ebbb16ebe8ab8e12e5e52907b722a33cc85a43359b59f1a285dbc02753ce5d5ae0e6897c8534e15791f1393f5cce0f9a6d4a6f77d568f838d

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 e556a82d4f8db15ddfc59b70c6e75c8a
SHA1 6c00287d004cc7529b5ecb9baa158bbd02093ac3
SHA256 c68240c5663d12ba42d94b85e6b7bb025af615a75a5a4e1dfaae6a3295f1f17e
SHA512 30b385deec92856a917582b33617db9686124a2f1ae284b28637310b91a85f90a828a837f999e9362a0de14d85472cdfa07094a5220ee113e2ef7ab5b2653325

C:\Program Files\Java\jre7\lib\zi\Etc\UTC

MD5 1b788a697d6a21757a303df3ead2f98c
SHA1 091abf980b192114790ad7c6e44afda61705e7ca
SHA256 bb233f465f9d92ee155847a235da5fafbf13b13e5d265eeda2834a9af17b4d79
SHA512 29463d16c8c36d4e19402be1d54bad33b70b2c92c925ba314f9dae12431282e06653f4dfbc924c6124d27fab2e45031f52c32639781f9907be667e8101c78140

C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

MD5 cae78d5cbde78a99e35b4a74928d0fbd
SHA1 2164e58562fab1733408604f5016587f2c306b9d
SHA256 68d16002b561858894a684bdda893ec14a370ef4a4f7a5a15a31b844ef2de4c1
SHA512 f1213a60d2b0041ec2a2e442f9954d5d3d2ae7106a393baf27ec959ef26aa4fb48056dfdbd2262fa31e7662f21d2a70001dd8a12540b1607a1daca286ca587c8

C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

MD5 0dbd0a668bec54da9bbbbc581b16c48b
SHA1 5e65432d01292e52bc78ff1168335f2044924bca
SHA256 7743cb00f63802ce1bd90b2b5c1a8d64efbc889471f718e8568388490a047e24
SHA512 c7d02c1594667d1316182321f11ae39d781eb1f6f0024b10d0ba741fb9414de6002e3febb6df2199dc66fda25ff392f3010e0b53aa5182d876399d17364d9903

C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

MD5 6f8fc27311808b9e0176835703e8c39f
SHA1 a849a0924f89ef7c5f399bda1801b4657c9abecc
SHA256 5c2a34e15e616cba4956bf60a9d5bb5e0285877840d66d285770bb233299beef
SHA512 3cffd8dfb5ea37e8a74934da5436f0a39e9872156b836e5a851934194713598cb0f7b5e7c69d8b51a787af7980f9b47ba17ee89cfcc71bb524e20d6ea888a1f7

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 9cc1f0bad3d35f6f122bcc6734ca95af
SHA1 6674c29db779dd4d12108b14ad408202cc102a8b
SHA256 caa63e3534920aa6592231a7961c728df38ec0c0884b4f619d7b2e8aa4ff39a4
SHA512 4fe159591a9959390d9b38510fee66cc28918c1925a07835941bbc4ea8e8c28e9270549423a8bf4c8636952009f2b99858c0b98c0fa0c40412dfc397dac8a548

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 95799d26aa700374bcd8a2ef03347bd2
SHA1 96ba0abbae10e184897fb5b17203673411820f07
SHA256 a5cef0e031ba39db9f366e387629e9b00a4c6a230e7fee3316991fe669b683c3
SHA512 142053dfa352f3c152da2103cdddeebb3d8dc99aca00d0712857db716cb3abd06e5e8202916b072956e6b50c8f8af28e277f09223afa9078d4db1992184d3385

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 5168a7076cc04fe5515ae007695697c9
SHA1 d3bcfff993d318a007b8f4c825a7e51c1e5b40f4
SHA256 612b7baef2fa51a226ba8fadc1b4b54324e764ee23ebd5fdb9d492f02b5cb519
SHA512 3ea1b5de8dd7cf779cf3fe6532ba358e8f2020e2a81ca03e9598d97bb583f3ba90d64326d2d7c81049e49787e2302f67fd63fda1fe33cc3633e17e528aa646ff

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 2bec8b88b647f439aac808a935c84234
SHA1 d2797a8741c6a02e93030ec6d2ae339e3d1d797a
SHA256 e3464bed0a4a84fafc637ba040c41f47bdaf1061a75bd1f569d1191af08d2d79
SHA512 f2f47029263a1f6d51a77d6acc51dcd2383674d91b74f34801c2821e62fd42f416bc806c94b92872723be482b4e048206f4386643875774396ed0f63a5f9b26b

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 f707605a38137d978df8aed71291edef
SHA1 66200270e228ae55d0cd567d5e71df6699c08ae0
SHA256 b31661b8cfee62f8921df6c6289bef7336082907932cdb3b1ce4a526aa745b32
SHA512 ab1eff43a8b5cf0e125dbf5fcab1f1ead37ba501d078fc1044d221051a116fd06e8cf0c311a28046f71fd2206544e3b93df9cb63572cfb4648c2bda2589cd15c

C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK

MD5 e0e650b33ac2d645f93e3773c36ac32e
SHA1 c469a2e0743db6c020d3f3485e2c77c7eb9a1ce0
SHA256 03ddc37f982528e0545815bafe8a78951b61289e4de12c3546caceac36a657aa
SHA512 64fe79e263e810d544c027a7be9205c749c476a59d037f50a27f0511136baee94cb1eb60a7ba837b12a2e81b2b588b6b791f369c5ebaa15b314b5e5bead9341f

C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK

MD5 22a1785fb2c670f3699d3cc00382081c
SHA1 d997a8f426b283141480fefd6807119faaa091e7
SHA256 75159df1b3448e63a0b46c0e6f577d49b8cd445bd193ffb5a9bf8f06b9a39932
SHA512 164740f3789f37a0eead2235276e1f976cb408cee8a7cf1c7cd6b9cab3f28fd718232a14d976f08a00c53b1245700223408fdeb9308f29a841756dd48cc70f47

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

MD5 1950219b5befbf150322c03b3ddfe543
SHA1 e62d304a8149445af4ab12ba1885b5790ff616fa
SHA256 1731047eae3e61dea74ffe43d0ff994cd70371899b034586b3b6044296d731db
SHA512 f49bc58e9290b9945f4912bc94999915b049655a30f275b351b56316d8599a64a8b20be6fab9fd887390836375fd76a73f2016b463099ee3a6e4760aa1306176

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

MD5 abd3a6bc67c0e00ca365f27c52b9170d
SHA1 dd522489b32796856162d7472d9a95be7fc3a110
SHA256 744e48161f3e97fe2c63c9753b02db6cddf6a1342e0148dbddbcf34803ee8146
SHA512 63fd88172de00b939069c38fdb24080380e865bc63df3935e386e51c092bb6c6312e906cff0d74062e5e9f9a3467b9fc7bfb3487e3b9ce40ba75fc2b2251930b

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

MD5 5b6c148c3b8261352df781d27fa76726
SHA1 f32491249bcb1f9099fd9668e1a2a504605353c8
SHA256 6518cc345f9f67c1ee8e935424c6e7ca889d6d2edc3a98827dbc1283058aaef8
SHA512 31719271e772f54fd0cbbb8d545002b0eb2d5a5c8c5bcc146ee0195c4382096c5d27633d8772e5f02d560d51665540469a219f945e0af4dbf710897e44735b1f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

MD5 f9f151ff007d3f247323afc355000f2f
SHA1 a1b771302084c9ccc90f927e1f9099e4863283c5
SHA256 8f54f3278d219d3ec950519cc3221287eb226654d5f62d4a41fa638163d0a01c
SHA512 e264afc7d5959d5931642a26bef461915eaf66f565683f45bd5be4a5b4a91c21a0c8cb76e8c3a1622623571004c31f9385844187830b8472808ce25aeb937e92

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

MD5 9515594301a3c0466550abafb472fa10
SHA1 36e19dd6dd26747611d4feaf82fcb34f07326475
SHA256 18ed8c3c14d0d6f6543a69717ddfc8bac05ac41ad151eca5cb19608593001829
SHA512 01798df8b0195407a9c0b23787a35735b8eb1837c54d3a791e3450eddd2c1e74d43802a783b201afe85259b11e55d83300e2a2ac2d4b8ccf11c016ef6e754740

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

MD5 c9ffbb0e91767e18cb2d53f0deec265b
SHA1 1b44151a44ebf8ca967e169925b084cbb203fda9
SHA256 9dc83041a7f507d461e6fdaff435449164a2f50052f6e7ae8ec220e2e1b6f078
SHA512 0596723ffc4902b5713ca55170d216de2ae514311edf4a646e6bf1f66f320944896e9bab6337c7bb11f2e7d0e41e195cf109dd8de8b41d6ab71865b8266f25b7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 e8c4ad398357001a9c1cc09627074ff5
SHA1 6784c510957fe85dd7afe1a80e3906c49970a81c
SHA256 1d9cd938b9e6d32bce0c808b7c8b8d8664470512b84f7ec9aec395291b65cc4a
SHA512 9110b6e0af1857f286e472b7f3aeef14aa0e505b63fecf9eab18af5f890e5884c18cbaf631354cd81f988fc338beb8d6d51bf846e37bd797b7c467eaf4f3ed55

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 3ce1dcf52965694b6b7ab98b0d84d6e3
SHA1 110c74ed030d39e723b5d9fa714aa02e59f96f23
SHA256 e0434c3969256fe0769fc1bede26adc7289a46e17ab77759484d1f6591c23fd0
SHA512 6119a5f0a03395f2391e0c103279ab3037878533664576886a2ae3a3b5d5151ec28350b8bb3961140663e41bcb0f8b1b79bfa2c375737a3f0acad7833e58432a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 950aadfa27ddd5dcf40364a6e1cefea2
SHA1 da650af0212089f08df87955f5b4b1617764531c
SHA256 2db8abd9ccfcc789dcd96c3854ef8d92cf7cd45e589d5453cb0f1b166c1b457a
SHA512 c37ce8b91ce7fed0b1f00dfdeca9c0b56d9e5f14dc8d74d81d1d45d17546ae0b4f4deb4eeddfb9321ab8267f27ead3e8917d8871014035daeba5e5cfc44b3eaa

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

MD5 c46c91ac4f07cce4ab6ef90248a5a524
SHA1 d45bf066326351aed39b3600f1f42b2b4e19a61a
SHA256 333cf1b1a09989c5e435dc608a5d18b16d92426a974249e2b954abb826efd66c
SHA512 ce2d6b34915b1faa8d258b09732b2de6a781711b25437cc4ab8467b240f61457619b9253b022a689ac1042407127b9eab2f90c507007351e0fa4dffaae19cbb9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 18679dcc4f8312cc23375bcbc6d4268f
SHA1 4c745fd990fd97a581beaf454298e04767b49443
SHA256 b1c0fa4a1cd4626d1d03ba8885f3bc5162500bcc4f02df74519ba50a9c89b7db
SHA512 a0831d11f446c7162ba47c1fd4678c948c9005699b6bcbfab63f6bc70c0e50ea4ac675de7839d2e8883643f484e496bde4aa53bb7682993d2e477492699f9222

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 3b42c157e79f74581a8ae07ca30647ce
SHA1 374bf7946bd7204afa0ceafeed7fdb745949c1cd
SHA256 807b6dff2bfefa030abd4fd865fbd8c03e6831f8f79eb3d0231ecadf2f973dfb
SHA512 bb74488346a8b54e71c7f71092d8eb9d4702b2dcbc6e71b59218fe38d2b8ca275bdb97a6a030aeeba8c2ee399b94c2769b7858e6d60395749240f051f659693e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif

MD5 6c2e9280a6a38667a6c34509e710fbe0
SHA1 dd3c8fb55196d6540b675ba856647ce081f2b81b
SHA256 bcfdaedfd86d890525debd5efc1acb8ea9a659a46c86f85c32166cafb25dd875
SHA512 06f384ae000fcb0c2a2e4ac7bc0150b190288f9c39669b09b83b90aa2b471fbb2c842d270e37d6717ce7354a94e5d636ec5375dfe268c2c2be3f87d8332d866b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 ce8c5b7289aef46a20a77f179da8ef4d
SHA1 2fe0f02c386b0abfaa2b01c895038ca718ef697f
SHA256 a44dda94252e1082cc4475cb0145eb69d3f1a4e95c03e02c4bf8b05140251b5c
SHA512 5044a65c701d9d9d26d7ce5f098bbc13b778528104df7bf7913b5b1b6411726bf9f6bb613bd7d2c9a0bce8dcfe0feb6fb2d4feb55e50d6cd37282233507a576d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 601a427fcc76f0767a87d1c5299f09d4
SHA1 4463c5109bb4a2b7ce703066fca80813a80598b0
SHA256 fed5f731abf8170b2e977d85cc22d375e2962b9c7eede6b56007ec0370d4bb99
SHA512 2a0afb751fe0655a2078e56caa4f0ce4d86e16dfdbc32bce7d30442fdfbd39b735570b0bb8d10c64ee60c9ea10ff6b87856f46635f12faf3e592983a886112fe

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 ab431dd4a6957f3a4084bf0c5134ba15
SHA1 87b3c6b9ef967ffb5718e7a9ea794583f31d449b
SHA256 17b7fa80bf2d6c0944e6e7967a53e72efddbed104244f184bb7d1586b9f28508
SHA512 167ee6d3c47b9485dcd842ba53478561dc177c00659194431d32dffc97aacda6cafa4af65b557c273af6a8319d0cd74f866e2d9fb62733fe44df1c778c158b33

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 a01b09d27b08ace6ec8e80528a3e5b5e
SHA1 48260deeb73448c8a58b4440d6de1cc05ffd2edc
SHA256 68646f1eb6efcbf2d9f00a0b270f776454a6457138f457f124333b2199c72576
SHA512 06d207a106ee68e4940d6b84ccb74bf0fcd3bace5686e7a69c59d0136f9592bb55a562c51498f41463a8a790e0fcf51d8998b451845448c47ca49d01be07d910

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 d5514950c826790f0a7783090bbbccd4
SHA1 396c95779e8906bdc17a644314e19432da2b8856
SHA256 6842032b11ef36bd227891b075276c3da476b3bd4b252a8cbd2d051ac6e63b27
SHA512 df1b654c4ef9c7ede664da22512e50cc5bbb7bb228a8cc285c5037b8fa1fb2235d762f315be104b1921e535ffaa4fa529c5096b430bfea0b8f8dbc772dbe79fe

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 7e39ece512e84f7473e05f39a2a53655
SHA1 faad67b630016126c257fe1b996115056b0a8562
SHA256 9295ef5d885ee6836ce40a070c95c43366b815ec01393e5807f360e9009bdbdc
SHA512 bb20396b9dfd44902a27fec271290fe8f249b9faa7816bbffec1d7a143540f0216e09225662f1d464b5856e110892d30a68be9b95fdf7e73d8570bc9f566d6cb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 2f970751dc0d3a7ff029f8f53b938dd2
SHA1 8aa11796416b49cbc488c2d9001f317faf5eff7b
SHA256 3e914faea43975367d85102aafe0348f4826167948db4bfd7123e5e787cc67c8
SHA512 06bb15e82b3e1e6de4f5badb49e90d45e7c3e4dde8241d4fe8ea7c6ea8ba93db17074a1e346df0100e6cdc8aa9526a3c0cf62d7ed6c559c273e692fd424b35ad

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 c757732317f506bff4120b5dac7dadd5
SHA1 47d9e80294b1a89debcdef5becb3884f4b382858
SHA256 6e86f0bc2feadd1b821baa02644048e97a31cee02b1f725e521ad736862f0092
SHA512 cd06d05f9f94641ce09b9ca8135c06b65f58ceb27efd7611dfe825c24efb52e98956c9f5d59b06d9ac6aae197315b5c9823d2096ddf2102d6dc1cf1dbfb17fa4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 6f638ecfff444f4d0dd6f0b3b5cac491
SHA1 a3e875a2cf3c7056922d0a249ea1311d3add87d3
SHA256 e25c907425950c84cdd90cd8a3d0a3170311c1b87c7bc382a20828b8325ba41a
SHA512 c16079e0609470164d883386ddee6d0d69e4b969c57337a2242354f78ce18705fddcaafaa16953a222d061c05d68fc0fb1a147d2d99a084ebdfeca01e8b3af8c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 9f9407fac682cc9b47d454b61cfc02fe
SHA1 4a176280b091ef85e57c8896705241d3e724fbd9
SHA256 8b693a1bc6fd108cb2e5d513e9f0f448ebc766c0a0e7b755d3ebe39706b211ee
SHA512 afbdf79e008c8d569df38a44fadef0875c3b11c978a085264d04587350ff566b4bfe33347cdde5d0ae7f5e4a03ef858ac7677e6158646cb665263c9442c1e11e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 e15d8fb4554f2d5b74be8230a56334af
SHA1 1b06c1d0e98d961c3637e670085f5e4f30b5a2ec
SHA256 818f6dfdd1547bdd9d6204a5a12494fee028fd314702be9b6dfbe7220c3bb120
SHA512 2d1d9ab57541a73c274c031d2ee45b6dfc58fca092ae69a807bb81e49b38c4dfe7de6173e3b6fe135b8d5333335c1b44d683ba1797c3a6164a15322ede88cf34

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 9fcae72981dca576d42737c85cd15bc4
SHA1 73da6335f6ccabe6e7a3c6055d1beceb214a66fe
SHA256 9c707229ea6da53e808a7b660a605b6d002468a5415279bab611e83e333bf1d4
SHA512 fc5e3208ebd6565ef02006b5285bfc4ae4a38c6811ad96f3d5729992d430214fa2097921cf7e9ed6ea50882c96556c6af30397004f56b381135a3f0c38af1936

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 f02e3ab3df5b52fc3b76c4da93ce8a3e
SHA1 aa071277b7ac823369d5b302698f55beb0fdd449
SHA256 2a102d7ff79dc6855db4c39fe55783d4f4bf8e656c0e7e1ad657b921e4ba3782
SHA512 b4a0e98412503f17b0d2c4e0b948aeff46c3de6235aeaabb1d1b7543ce03fc33db3864b9040dd059ca56260bdb44da8286b2bd33eba40a03f4a85c10aeb00740

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 cacf28f98a2df8a828ddbecea3876246
SHA1 de29bf5bef2995b6fbb39615b427a42f725abc29
SHA256 4ff493ebc1b384c5d6a48edbe9b74d5d2f5330f5e779b6ddcd4a8e63b243e915
SHA512 d522c5569d628c9b93adfbf071aa3230d854f0f15b06264566a475d22df11ab83fc65c80dc934d7504e56c615c4bc5327d3a1dcbc8c9515b5bf6fe5f4f2a9aeb

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 72c48a03c693d489aecb60028f86e207
SHA1 215e1362638491e3d4e528cbdf486a05da91cbd9
SHA256 5e1830497d5ae267c911162284feda89d173851bd36ffb4a953e6d67a61e7974
SHA512 1b023b5cf1dd3df4ce086d3d662fd4cee86250a7d4e70ac9a993406b2b01b59417b5b9b24a480bfdcc2f19b898f42f761878e708b8a21395651f9e42492fb250

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

MD5 07c1d4b61c0ae16fbadb63ac3221ece7
SHA1 c5e7995c1f2cd8afe76fccc776a71211efcbde43
SHA256 f46169fae379dd3e9280e7d57c2afee8f24b9c993f9200a5fb28ce0d23cd474a
SHA512 9007564cd0f14eb219e6eaeb0042d93afad0ccfae9e4a23364bf49509c79f50ed8fea34ebb80096f05e6fd63228cd29f33a97f3b49e4abfdcb7d5389c23682c0

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 f384dcd593c823e00488c532dc73d4d9
SHA1 f77cf723b827bb13dd3d3bf51be6d391f515da3d
SHA256 8c39f26d65659390184272ce070e0fa2e830fec2387cf9dbf2447479dd56cb9e
SHA512 1a3f20079718434d5956a9aab88cfe83f75f4a09c98a2bef7daeedcc93e7467f1dfee6720a7bec77d83df653944254181c98c2ff57fa4bf08c16c127d71bd771

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

MD5 63e892ff26e99e73a47a142a0e2aaa9d
SHA1 4b349d96a405bf45bf563d62af5f7b4b288ac671
SHA256 db0561661c16d3785e3fe06de974973c29d1e9aec16e821158b75308529041e1
SHA512 f9ce70ede33fd99bd4b1a506f23c35b3c4853be7c19024e60ce34ec456aefaf9606737acb0c7d80068bddc381f02ae24d671f48fdff03d8be50290f37825b832

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 3344d5d39ed0a92da58be4d880479deb
SHA1 6d6e3c31a572315adaf1e40f1ec12c9bdd090660
SHA256 350a3ba6f08a3a31cdde24764b4531781e7fd7f8c708dfe311dce37a032b65c4
SHA512 8f4262bb9e414330e1e42b00efd1918706fa389e9ad16adcfde5b1c429d8a87fbea177debb562e2d6e614c2f0de2b4d72cec2921c4aac8dca9952ab0b3866a89

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 04a232405ab8c9ccca196530cb4215c7
SHA1 5708cc712cad39643dfecabe2dc64b3961c49ad0
SHA256 8e800d4bde61e10e5e2af6b139d7f2ef5ff595242f6cc44de54432d16fd54077
SHA512 0abba6dda8e835bc2a2b6577b8f622cbe955be0db269ba30a77afd8b8daf9e00437dd3005d403b9d5db8a2eabe60c6bcff6c7765f9032ab1b3c2ff526ffef348

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-11 18:59

Reported

2023-07-11 19:01

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

MedusaLocker

ransomware medusalocker

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2796 created 1416 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7573) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\A:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\A: C:\Windows\explorer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\StandardLighting.hlsl C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1 C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\MemMDL2.1.85.ttf C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-tool-view.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\dark.gif C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lt.pak C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-white.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-64.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File created C:\Program Files\Google\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\Explorer.EXE
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001002000000014000000494c2006200024003c0010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004002000001002000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056565678888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c33333348888888bf6f6f6f9b2b2b2b3c888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf6a6a6a953737374d888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf808080b4888888bf888888bf808080b30909090c6c6c6c97888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf787878a8111111186f6f6f9c888888bf888888bf5e5e5e831010101711111118888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c000000000909090c4d4d4d6c888888bf888888bf888888bf101010176363638b888888bf888888bf888888bf828282b65c5c5c81696969934545456000000000000000000000000011111118888888bf888888bf888888bf6f6f6f9b0808080b4242425d4f4f4f6e4c4c4c6b111111182222222f1515151e000000000000000000000000000000000000000067676790888888bf888888bf888888bf838383b96a6a6a956666668f6666668f777777a7888888bf3c3c3c5400000000000000000000000000000000000000000909090c565656786767679056565678808080b4888888bf888888bf888888bf888888bf808080b40909090c0000000000000000000000000000000000000000000000000000000000000000000000001a1a1a24787878a8888888bf888888bf676767901a1a1a240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400200000100010000000000000900000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000fff100008000000000000000000000000000000000000000000000000001000080070000e0070000c00f0000ce3f0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000f0000000000000000000000000000000000100000003000080070000c0070000c0070000fc0f0000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000000000000000000000000000000000000000000000000100000008000000200000000a0000001401000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{B1DD180F-8344-4920-92A8-76A90C6EA00D} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133328607518844181" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fdc000000000000002000000e70707004100720067006a00620065007800200032000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e00000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000a6e96ffb29b4d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e70707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001f00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000af50f6fa29b4d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e7070700420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000000000000000000000000000000000000000000000000000000000000007b52d8f1a9add90100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2784 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4988 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 672 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 672 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2264 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2264 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1752 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2916 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3120 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 492 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 492 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4768 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4768 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\busavelock96.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\busavelock96.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\busavelock96.exe

"C:\Users\Admin\AppData\Local\Temp\busavelock96.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\busavelock96.exe

\\?\C:\Users\Admin\AppData\Local\Temp\busavelock96.exe -network

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 1416 -ip 1416

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1416 -s 8312

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 4668 -ip 4668

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4668 -s 1492

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 548 -p 3004 -ip 3004

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3004 -s 840

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 556 -p 3796 -ip 3796

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3796 -s 904

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 568 -p 3180 -ip 3180

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3180 -s 456

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
FR 2.21.35.233:443 assets.msn.com tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 233.35.21.2.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

C:\Program Files\How_to_back_files.html

MD5 9c20f529410a7814d8e010dcc4ebeb12
SHA1 a68faae36c4885cea9c8d8a1ce62dacf1fb6430d
SHA256 dcb2874ba03e1abaeec84177a3da8c1a5ad8fd4d73e1ca029590ecd835aadcf9
SHA512 1299e1d78d2d58384f8ce547a0057eb6f4e58fc1520046c0aa94b78f9cca2a9de7b2b099fd7c0d6e710a844544b4d4871356341161ccf00030389f7670d5bafb

C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl

MD5 978e2d840df2f258b5b4f273b69508a2
SHA1 5f8019d16794dc9fd316f60f6d4c08f016289701
SHA256 f498c408d47293a4c4d495d7813adc0006aeb296848ac2218d9e1a7ad53b4458
SHA512 59568fe5de9a52227020fb09100a795b14db7490a5947889840a4cf5db0076b2b93804f0a93d4d8d6247b5172595c6122aeaf4349172bdca486a1987a5d71491

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1ce994cc964e3001baa052dfcc3ffb86
SHA1 69adef823e8542651c75829eb991e7859050b071
SHA256 edc79b7300ac787eb8caf5d0e68b9ac97a870b304b823523c3ed760f34395a49
SHA512 075ab29fcd6fa9cd2cb4398488b793c2e5b7725e6914a9459611a0a96b61141e8632ef4ca7094b1cbba48a80888a1d60e103ad879e46c07771db7936b3a08462

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 472383a7fed4cc8220e28ce93e209bd8
SHA1 ed4c318b6f9d9039de8ff1897a7d88e407580fee
SHA256 98587b8be865d0a7900622724e66883e965517ee966725c998029006935b36da
SHA512 8b594c0af61644e345f9b6f9559389c9c1fb7e1fabbcc22470d58b284ddf3fc42034585551519c4dd13b564838a5a7874ab210a5c02927ca0ca2f7e12773a76e

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 16d0ecb7466143e6938287e98aaa76dd
SHA1 f5d3d81a44832d5f56360c93d3a16d700a0c9d4e
SHA256 9c5f497b2bfb0eb382d165186622fa12796311d36ca4ef022da83c5263dd29f0
SHA512 c4087dc06e4c3bc73e90891af6a181c4bee2e85fd2d5c044dc86b73d652bd891207364a290d2d94a1bab51ca1986790d454a393ce03e04854f783cb9e809bd1c

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 96674fe6ee6d0ff6210056d289485c5a
SHA1 89e7613cfa7a628846c1592a2c65fec51712926d
SHA256 7f0093c58a1caa6a0d5167978a63e3de421dcc86b4ed4bb9e24cb0a2c667bc82
SHA512 57e8f635ee39394c74d36f96aee4719963d976fc706b594c0a151dff1abc326bff1e4c8f4a0181b15b8da1b65bc3b79dabbe82cafca72ce3b994b81204debe45

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 d0c64212d36d8099b4fa1454bcdfb993
SHA1 870649a307e5a13417ea6ecfbe70d6d072e3a5ef
SHA256 aa9d4006d38a8390025f84384f1b7a7b646181f753657774d8c2ed98e3ba281a
SHA512 2ffb1a51f4863f8d67f2a6c13c5ab8be1ce67285d2db38dd70693c9b8e573191bf3243b7d94f76b8880ae804ff92ef2fdcfbdd10bf1956e00e41e1338b710134

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 4f7f46162a282cdd92c9738a6293eb83
SHA1 e025c0ebce3d120a0857105a0df6db4cab97a575
SHA256 9b606651aa19f8bcce8c3e4636c909b27d6413226a31692af08cdee923d5915b
SHA512 34cb0dcfb12e09623b13806f36f77c5bcd677858b8c3207ece50249601b8f14afb0cf8682b670e7d9892c5601d1d606e5d455e110e02ab0ce22ded60d96de3d9

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 b011ca66da4a203d6555290987df8171
SHA1 fea88f572bf9865652f2dce0db4b933864c78f68
SHA256 44d1b7011c1dbb8b8fcb8dc0dd67113d854a127f8da66c33d277423b21b07626
SHA512 d25bc30283f9daccc474f96aa59bf633cc8a481e650a0012485f9d7db1f6ffebd6cc3682f44a66967ec78c5c21c38d33b82bb1725d5d178acb28bf7f8d740c49

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 cf3b72c440cff7e54038843c1db15066
SHA1 fc8bb97df5a81ca417f3a7a7ae9807514bb7ee38
SHA256 881dafbff88b14ddf767b3ca62ac8ea1efc563b444e0d9b24d88cd0fcc85d659
SHA512 9a915a4325327a9f2d46f0ce3999b7bcb529a4ccc44aec5d8e1f4d6239936f8a1e77459c899478e56ebfce7bd4f18208326762ee834fd41fd2ad3e54bfa4c43e

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 725f33527897aa9505fb81e05d61751a
SHA1 f04b84317e84b6fb9182d2484fb248fb5fdee75c
SHA256 9f526a3e6844d76f30c4a1ab27a30cd478a6fb2cd872e9454a2e5078b995df4e
SHA512 2ea776dd8184ed5be1f6a8761a355fc0d9ad63131c5e57e9c87211974c1ff10cff1bd086daa327f6a2a3152ddb93fe212e666f8a539ce58696419a352d6a1d96

C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 ee93d7a9b378c658dc092117186230fc
SHA1 f0911add992f3584ccb4dee31e29b56f48660cef
SHA256 ba62fc00c2f9e25e366b74f158abb1e8937ccc80f40c2ed3e785009ff17583ab
SHA512 d536c732aba4605f69ae100afdbed7e0340cee968abc25cf8681e602dfeae69a8784cbbe33265013a544dd811353ec93718f258e37b1936a9eb87cd556a8a6d6

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 7ebdd061b0ab2fe7c27c720836c6755d
SHA1 be102798f5679c5b975e5f4bbef93af3f5fb4630
SHA256 4c490545a4ca167f553b7719a7b04a1c82f5960e8abb3deb1483a928a885e992
SHA512 654aa002791f480f65397d3e3906b7f6916cb0893b546d492b35dc7dec14b1389145a1acb573f6df7fc613e2faacc2022376ef42daf042b9f0af7f94b1d3c318

C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK

MD5 5757644816f0ecba56965f98131e657c
SHA1 97d9cfd496496122c4efb228d1c884ff343b67a3
SHA256 de7e4696ef8635c74f033a9a3b61a1f8498882fc909dd4fe1535c4dc1a440e67
SHA512 8084d930e2ecd57252eb7cf3798448d54959cca4bc1fdf4fe1f294c82a2a235a660c1bf9761e6d494b0cef2e03ba05e18d27ce1d3a57d2e96579ddbd5f50ed41

C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK

MD5 59ba8e0361a20a320180c899f495c81e
SHA1 cec5e11f89b3f78b0b9bf89c2cc541d5962450fd
SHA256 d9a5c4e2d4d42a6756856402163bdcaea9ce387c83de9d5a737963c32f79e6ad
SHA512 976db081c334d7fdbe22cf6e29b7a80b30a28dac17a6ad0eb0a0b28a6ba526e0c38da3308758afaf8ec839176a47734145c808fa959588c0e01c61bf648a3276

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

MD5 b60f884a09fb83a4ef146f04ffc0f753
SHA1 18d8b6fa9b7c3b32b004b0be99900296eff536df
SHA256 df8dd4e46399aebfcbdf27a904fb3e7cbe0383eae05c07f5e94b356c9c95f729
SHA512 cc8ef83f2c7fc813eb238651405653a9219cf1e60e8a7de0a2c7222ab8ac08f39679aa7d9c7d5f2d0b0c31b5cb2536165c0b65b6e49948a83da30bee2d5bc5c7

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

MD5 52e6975cda01af2a5bfdd1c29838ecce
SHA1 fa42538c5b503733668f327cea740ed92e44f418
SHA256 4717bc5db563f91a54807eb67f8329e9e01fcf3b14110f979b1a7837cf872dad
SHA512 dea46abe2361b7c3f493c0b77e9f1e26a6aaec88c80eeff7b88dc14f3443b62e0d43a9cb7b0d0108d23472b7cf9f3af0827a4b15d4eaebc2d3fe5cf4491de1a3

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

MD5 01bc5ae38503bb551b9d6c6ce07249c8
SHA1 f5c83c437404c36bbab37328a78eb1ff4a7e0c8b
SHA256 46a6abd20f881d23a9fb4a6cee3986c8b9c18b04848d0f7acac62e096585b0d2
SHA512 ac9af47b3c78bad6ef41540e2cb1402919de70bf37689c4bd01a4a8a5ce6436f95cfcdb4f0cb1970274705a238a66ea0daa52c92a163f0949da8ae816bb89bc6

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

MD5 0038833f5f4b65395e84c536ceb295ab
SHA1 e520c0670b4fe40ba68c97c02bb7fe477b14e698
SHA256 84f430e7f1317985238f4f9e0f877695edc3ec2a9ff401b41bd2254a1bf82696
SHA512 6b636643611b97c979423e02f2044f7095750041fa6ffd9578813411cdc7de04ce2d85a76f70476de0f86c7092cfbd2f2af96f6fed8641a565e1699865bfdc63

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

MD5 0aaa60852ba4457ebaa92c0645d86ae3
SHA1 753ba274a86c91a44a666df3441fe131a3c8e7e5
SHA256 9319c3e785a207473e00424b4c533e280224cbfd888505719a952edfcfa0d786
SHA512 a18fefdc15c0ba61d127c202a66898679df233925c660d3fea79a156fb4caec63f97e9c359646a2212ac637a9d4f2b89b2df4b0e05b6c4364eca1e15b391d38c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

MD5 28b36caa09f44cdbb7742f4b29b95481
SHA1 1da4481c5d4d0d2556152dfdf816f9d8b1b24990
SHA256 16f5322bb89b9e247b508fae5908df4592dd0866e4dd490bb03af2a36a3545ed
SHA512 650e61d85566e7702328967d2fa37bcb09e7aced6181b59e7b88c862f01af27c2ede4d1a10cbe2e7d2042452e0fc7162e7a09ac96bc8bb19f8655182fe7e25f2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 7733cf47a9e4ad2d8b61fccf2767c42e
SHA1 29f8a2ed80d5aba17d7b4547b0e248123d04714c
SHA256 f0cdcb47ba8c63ebaeba7b5d1b3710eb1bb07f7a96a343b9819778a4b89855cb
SHA512 55c57ff1a9a6ea9ee38d764fe61433ed193192ae9c937f9c35906a8beaa4f1d919f9466a34ca2b8f7ac7ba465a53820e70c0c3bb4deb27519755ca611af9ac80

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 a8996afe04a608282456eb122c568333
SHA1 977ae0b4ed84ca96b1c6a6696cba8f5585928019
SHA256 513e9bc80edc0372b0eacd3179eba0ce76db9a354928445d75c090fdbb93cd65
SHA512 e11d2e3989e2f7768154dc2b11428e06f37003c9f4eec5c126fa7961413b2940b9a28f4b539a8bcc808f2d2972dc817e8dbbea2dcfa00d0fa0f7a9cb2cc8fe8f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 3dce64544a836d7339ecc5bdc589a2f0
SHA1 18cefdb8578e5fb2499a6138c3d6d50a52b14d35
SHA256 e14cf320469f68e10a9f1835f2cf8ee066aebacf496a15a829c3782e1b79d495
SHA512 965ee7e1bcda20c1545c0673c7efbcad2260d7bd8f81f9799496cf20556a8356e6ed53912b0ac18a97509e9c7f8ab81354f893f998fb366ea805171adf534cc2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

MD5 cf55b959edb1cc14459f2e1fc701bcdd
SHA1 ccfeec223a188f844b08ed1d46b16f1310b43ada
SHA256 5982f74377d3d6b3a1bd38ca94cee0045397003de917a04e095d90e3afa4aa2a
SHA512 205003329f40e4afd0d7dd4d356198f52298391e34bca834258e6370265b773b427af556d22717338f71a9ecfafcb8fb11b1659744b5728f854f804589ae76d9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

MD5 f7a97b9058423356532fe82270123912
SHA1 a7f4f351f3e9cb0e5635e78d425506c72437ea4e
SHA256 38adde7e50c698a9a7bd67c90acf8bf2a455ae8a3c47f687d358a04cbb4338cd
SHA512 473125d86887ae98e02ebc55d9a2b619f11b06af5507f9731198373106e48230492a530808c99db01d6d511ae9ea000c20a7521c1e15fdaf75ad9aafa764b2ed

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

MD5 8741ce084c9c0ac849b6adac44990978
SHA1 cb8bb7494e4fa4da030541ec2369007de72fc976
SHA256 cd27910e6985797c0af2dc82f90d6206c22ed86810936ea31098baf51127eb2b
SHA512 7cd4a79caf1c7a72d33fcac7ff612b570c457667387e727cc6fdd62c5b4372d2034df2c4ebd2910357c5d810c8b5abe584aba9351b6ad2ffb99784d514b18d4e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

MD5 b66e3a41fad5246d4f1897d20bb00ebd
SHA1 7393b33de1786b58fe3eff647631a7850d46b4bf
SHA256 e4128f689d72962a6e7c48bf0646e62b09a8288fee8bd5dffe2d2a96d3ca6e7a
SHA512 4e6023e3c506cdd5b51ad74fe2472e51e43b47771f9717a42d7cea32f58cfed1c842da98e00876f2c568b4604e19059a1cbd63546a99654e955041163d4558bc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

MD5 165ee03b4c82df4b9958d803add3192c
SHA1 6527be7d849d01f4ee66d29adde55ec99a0487eb
SHA256 11bcc778f51d95323fb100a311820241c0ad2d2f8c8f4b677b22aa473246a788
SHA512 fe37f10aa60de720e3aa1c25b98ddae79318c89acafe36e8eb91617d6ae20b28a02189779ac04a0fc1066da87b0954540026818b2192330fd8a5b2e9ec330627

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

MD5 bf36cd9d3975037061fcefc980e76503
SHA1 de0dcd184d9e37604ffbe3410a4a9e32cd2cb939
SHA256 1d624cc3ee6d5c79f9761eb054d8bcdb515c60e60c80ac1fc571978d404d70eb
SHA512 39ec613f0ae8a85f9d2ab226808bd3443fb07496d9a2965c0fb78ff56c0f5243a1c09ee620f30440e1107186c2fb7a8aab297a6b0a1706b6280c5dd801fb72dc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

MD5 26356939a86fcdf57217449c92b2a234
SHA1 2b833168f9ad7618e2728d5c63901fa6b8828091
SHA256 d4b0359d863719a506a055ff0d502882cbf570e02f557cde8dcacdaec9c30c02
SHA512 ca971d99bd03170f745d93aaa7da55fe5fc4447cee1921e36808198ab51354ee7a09ef3092f85c2345a238f65f5e4516606bc10116226afde43594c76e623345

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

MD5 d85b8f2d500e83fa8d5d72167f16289f
SHA1 8c6af23bea01fc0cf5ed850cd06296da541363d9
SHA256 0e074600b0f1ed5b563e93909489db20fd9032ac312e3baeea480be5b3b742d8
SHA512 66010f58cb52ffd8b0f837d86e0c23fa9e39cc36673b5069141019134e9e947e530d5d288d0747acb4ba789c54f792424060b4ffe6c5a5f58e657e0e2e07b162

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

MD5 f59db4b588d7ca6a19b730ce0b67530d
SHA1 6d0220b6192c9d9554315f5b705a0c704ced0e67
SHA256 2174e2152b1a4ad60f8c0c604a66d78a880215a9696cee31b944df0e268ecccf
SHA512 62c71a71ac5d1fb3ed6af945c1e8a65c93a24eb73a6bcece7cc44cb7d360ccfb0c9f0c515dbbb2a63c4161e3dd7349369936254c14ea91376963f4a717862cf2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

MD5 d21eee077cdffd3c632ad438c24b5a21
SHA1 b4d4968bdb59e25a71f64cadbfcd8ad0b00bb596
SHA256 c09f542b4bfb8015e9264f6fa5670b1b51cdb7a9c8033babbf416a9704031ea0
SHA512 b412961e12e65e84674c91c41cf46e0c2b3e7279877614d18643bdeb69f15660e1aef69a5b99a69ce19e0b0e0769ecc1fc685e1fcc0ecb54747f604db46efcde

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

MD5 8ead7b01ebed30bd8f639740022e12a0
SHA1 c6ffff6451f7784b00761a8c910771f4adbb3fe1
SHA256 3aac6103045753125021f64c4b43368f567c5a783d2c3d95c36b72a850a429f7
SHA512 b307541324247029a67e7942aeacb055d1dafae0708dc8dbdd3566b0ee94a1e44350aab055895332d5030684c3b670dd1cbed6ef6c527541769e2aeb66363298

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

MD5 481a78da55e5df98bb48323844b8b666
SHA1 39387016016ff66006f5a5a77854157affb2834f
SHA256 4705dadebf85a9652161bc61db2751d360d0d29e59f54469d688e810d4314828
SHA512 7ced18e19ea679897c8ff455b10ddbb639d300f24a643c0392ff986de4f98701dc7fb59d9070df4fc20e167f79c7e5caaf6c15955bdc6662bf7396af75959a16

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 9fb39323fdeb3dee21a70f40623f1427
SHA1 f79c9f65269d8f613c054525e554fc606ff290d5
SHA256 c78caaa36b4c3bb9958369eb076e1cff5938f7e3773a5115c340756eacd2d67e
SHA512 fd5e69f14d399412b5048087a1ff5bf3c9e272862076e2d44b70b61034115c682bef436ded1c55db2df9ccbb270ff9572f89c8bf5cc58b3c235e9875fceb43ce

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 e4cdcf78a19cc4d3ac849d208121ea03
SHA1 8580324a645507de9c9fa47ddfe018ff26589974
SHA256 e48585d0223b65c02c57e3cd6d3216674ab3a1b2a444e85d82dc2d7326b7e5ea
SHA512 22e7b64d4a4c0e4cbb50946e9aa9e47a1ffa78f7b20dbcea03a6ad9947b4085c19d813c94bc424dbde971bf6b5f0affcb59a3b296cd8cb2a5b82424947582f10

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 d82a6ad0a2d6a72f158759af65153c40
SHA1 2c682b6235b3f2fe1bd47e40c6b547a1caf9b83f
SHA256 ff7585a320345f8d8330af977c83bd68f6dc47b93a6283a1695ab43f8def71d2
SHA512 5b94165e6c20a37e56fac69acd721f823815d1c08cdfb45d4c186c1d22e117b0d6fb2ee895f0ad3c294683df636fd72d2d66da60a5fc3133e6fa24d83a677643

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

MD5 bccb32c6331d04b51c74007fc0ea428b
SHA1 d8f0a1054cea9cfe657143b3f9d8cebb4ec94264
SHA256 d4d1c4418d03a5b47966d8e32f27f9ee4d20d90fae176c394e9519f22cbdbe3e
SHA512 702dac7320349ae7a64536bc0f453a46727889bb8577a331fde552661979793fbabf5d2e87a7e6ee67a01d293a962c4f40d9e1a4547be23ddb47b6dedfbea104

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

MD5 f4e0d51abf4f39d7e16fceb95b6ee39c
SHA1 3bb967f37bfd5873c176bb66adb54f96b21501b7
SHA256 6c3c77eaac16e0e6b21ec790e46eb21452acefa3b128ecaef291fbf2a908c87a
SHA512 a30ce89d9a1b0d30769044af7dd3c77f05e54d0b5fdf428616a40de512c6ae414dad428fad57fa1879bea71fda2ca186fea5ae3d6cd9182bfda62f16542ff4f6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

MD5 cba7c3f93713a24cd61d8e6e299956b1
SHA1 8141238058ca754a682c7d5c0fd079516f3e6e8e
SHA256 1f42aee0483ad3892cc12d842d02d2c2a2d81a2d860b7268de7bfcac499b8964
SHA512 923e214d0ad626b7b919110fa8d69889f0051cf38909cb04e0b69d3ba1bd4c8f81a3789c9dc7a91927175f5743f131759a419a3b4e6f99379d8b99f707e9c52f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

MD5 662baa52cd9f2121b2d8b10ba6e5c9ff
SHA1 c3990480489be9e843af7a3956fcb5a22bc474f7
SHA256 8eebc50cb5229c21dec876dac82302060602925e50e56ce54fab6bf653d2ddcb
SHA512 bf9a5a68bef906b1bcc7c8e651a34d46fcb246a5094d50436222f313ef9620edcf64fded308bda0201e418b21af23884e5770d95028cca211992c42272451bab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

MD5 0d5c2d285d83ed8ca121fffad1c4e6c5
SHA1 8ca07b20b95eb2b06411471d9b0f4f6e0af7198d
SHA256 7469bb229c6618112166ad5592f55aa6a7ec34398b58bd84cc45a5a392813b1b
SHA512 4760f61c0575fda0b3823d9b24e0a8bde15a26f4864b5137f15349f91793f559daac39b270ca424182a73c14c6bea551a0160cadd3e741bc972ce82ecc604433

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 72be0e35ff11dc5b18df78ff50fb3b08
SHA1 b1781a27afa71fd4e9c7e24c572eefd9ba331236
SHA256 c434e089cf58c079bffae56d54fd53ef6d402536c80aac6cc11a5c0fe2eb7b9d
SHA512 299c379b519737bbfbe74c63ea8ac2c7a26e481888f396bf6cd6884549ae15570b6fd2acbac8bb889a3e7683c48206be11409fab36370f5b067e53028f693b27

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

MD5 acb7e7435d698819e3cc7379fc1d6d61
SHA1 50bfdb3d1d05cb7aa184c24fa67c29f613955ef9
SHA256 3a2d98e09c307b6799438c0fb559057263f1d91c85edb6254358955939d447d2
SHA512 86ae37ae05cfa5c5a122750d58a3188094b807feafde7241e5072d41ec2a2b3c38ab15270415acadac8febd2f2201586acafcb670b802d4b74a89588ef1ebf93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

MD5 30a7f3ac5b5d4be239c2d8325be50742
SHA1 4cc3b837378aae1360f42668a0d8dd08e5346092
SHA256 ca3f819443e6838bfca5831dabdee78371f3df8fc10e978a1239e215376f33ed
SHA512 67cf4950a0e482143899b1d2e8b58e3a3145447929d6726de83a9e53cc2996a6a0fcf907212c661b3856711ef5f0366258cd34268ffde9fc63abc026f44f41c3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

MD5 eae2e7edcf7fbc2d6782796420c192e4
SHA1 2699dc2cd6d4050462940da396c28fe0d68edc33
SHA256 21bc26c2297e3cfbabd7e3df5af8edbd0a70a8f96c7e37b507f9796c317eb3fa
SHA512 74d262778f25adfd07f9fa74f63adb5dfe480e0f60f2925410a281cd10c1d0d9b28d9c713490d77a6f813c8d091f591aece2e840dfe83811530f064dfcbd2a50

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

MD5 5875fdf3ce5ce84f95dd2b3a7276ff09
SHA1 0c0e9035ccdab097c449f72af61a489245884d90
SHA256 f4eb3299a7f4ac1bdb05967ce6f1d5304157089c3e26816dffd09dc6d6b7ea0e
SHA512 50add64233016509816a3f1cea43d647ac73f01b78aef26f8e5540890b30bb93d49a85734dd6868309a9134125b0339f007c33ee60f3cbf79edb35bde52c600f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

MD5 6279ccaf5c5cfb73335f00d91f701a5d
SHA1 fc32dfaa3eff1cf4c119085b5eba1fa2d571c9b9
SHA256 8ea3810ee153eaaac861ae958473c197fda9c77c0d7b3931ec30c7cd9f6377ea
SHA512 bf9dd67dbf3e4a4fcccb4fbd12c8180dc9d4c0c33cedc0f9c79b791ae830229588621631e86f3798592f69a1933ad3ce5ecab31ad1c130afb7e80ad3ccbeb04e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

MD5 825b7b2e42b74615f5afa7089316268f
SHA1 d92116398a612239ef5b9c5e61ac4b6a32c15752
SHA256 602bea53646ca3492477493f2a85efc2a9c98f322058989cd933ad2ff13a43b5
SHA512 1fa683112b40ab9736a996ee069a90b31fe18c4e31e272dc48b719ab9c7901569c93917cc2e43bd697c06e646cce831fd4023fbb1914545dfcbb5e9964808a3d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

MD5 3ba4325ab8f63038403fb6af0ef3ce46
SHA1 3b96b76201ff6d2af99c8e8f921e5b1d4a3dbfb8
SHA256 49111d0d5d3b14f8b88d3fdf7ddc75fab4647ac3b1bdeebec83b959ebedd87c4
SHA512 c3f637937b4ae5b7b1b26d7a8e5ce1e9395752faaf20299833432df0e794d4ac1dbba80a323269d591036b002740141d22f3bd3736834d32a4428a2979987bb9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css

MD5 aa07223d1b4fb81ad5483c2e11663e32
SHA1 14ceca208de5e2bb30e2011ae41c28402f34bce6
SHA256 4aaa7648360e3615eafe398cbfea205467c332482614925612b110bd617d0fe9
SHA512 9aa38aa8b75108b0212fb7ad44e3631b1d45c56e9a3149910fe8c47f30d491e870a62defa1e5f844b6cc0defef8ab49c9ee2af0cee404477833e9f4b8e825e2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

MD5 a331b4946593f95bb25021bb02046a0f
SHA1 911296c10d30c205c5721cc6c835ca9545a4f2d0
SHA256 0eb04541d12487d63bcbb0b1242e8576a5b2101bb448b8f497806865f6a4c283
SHA512 3a9d42f08496b8f597eeee4138e57b0881b14c033133e8e0b67586d9cc76b2bb08fc79cfc6a3dc958baf1d882bf0c80435835f2639ac608a69275e8fd60c0d9c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

MD5 8a8d626e05935a8f1424397744251bcd
SHA1 c2145f6a8ee12c25e5bcf440e400efa4edf7bb4b
SHA256 7799a12cdbcc453d1240bbf3dc0fd811c2d93c66bfae766045cb17fbb2c91013
SHA512 45c246b69af758cd23175589f6ae925b945566d8bec49cd8a00a1a9c498dcfc4ad7bd50761715403c3cf75b9bdc3f0cc11f7aeef993bc4787c88521189e02bbf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

MD5 f2f8e441493b5172a4b2632f8de28657
SHA1 83a2900d465dd8aee63b1136797585f652f87088
SHA256 a4a53aa69e64d8d6018bf29b24947968e324707411a5e9e988f336eea2f6d3bf
SHA512 43a50c0b98e0e041a6b7ab267f7464d0abe43feb9b831effd5392a9f7b04b05382d6c9d035768d1081f6165d4dd40df92b13073d621050d5d666781da06f1ef3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

MD5 36b861ebadb902b83ac13e77d9453e34
SHA1 3b69efb7e5ef826cfb1869854d824efb088672f8
SHA256 9b705e01d353b5afe8c3c3d18dc0793fe62aea5e8e589d17783e7b7aa2d3fa34
SHA512 e07e916b82de90f58d009537c41ec04b7b7e7285e25bf92717f3dd4d2894d6eb7488e4a56b2b0b2d6bfcb2651b3009a5dc2ee385a0b7a5e407cc43e65372e615

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

MD5 d2a0b0af0b23f60e4c3ddbb818b1b38f
SHA1 0837bcd7b93e1a7605b83baeb02146b60fa83213
SHA256 1e4a135e368e40cd842529450581cdb01dc28e1d37b8005d5cebf697bdfb066f
SHA512 d87b2cacbc69e9631f7496e665863bcef5c7117a83c0e7fa5ee6687f5c73fa118ca3351fac44fab748fd8162bf5eb360c4195319c50af8d86bfd648187901df5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

MD5 f8c6c0b5de40b7b9f74916b4a32f3d03
SHA1 ff0cad1bfa4a064902a8ba3bad51e678bcf66c59
SHA256 217150b187c98a13232916a497ce8710e591b23daf7a4a5115b0e946ac37c39f
SHA512 f09e978d1e32e8851b7c01b51ee77299468ab2b124c98c0937c066c4f7184697330669be35ff1ae9c538489dde64185752f6294eccfa970fe5624bc7be928c32

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

MD5 be070ac3086bad4492555551cb2ebf33
SHA1 8b09da4495d7e82d24e345302be7d1cadf21515f
SHA256 75bc5466e3a3feee53662ae58146ef2b08d21ccc0619336bdf725633ee7a4ee4
SHA512 a1d4cd47027a755af01e7b9b781471756720792a65fd1e3a8cc14a8c9218f1e4393551029837d4191693abb4eb87c83872bf9ca05989dc62661ce6575a035ce5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

MD5 9315b785c709e9a4f633fcc4cdb5e4eb
SHA1 302b36ccaa6b39c0329d5d06bf5bd935233bc75f
SHA256 208c0c72cee0e4a7b31b5d0a53533441e84525b79187c0bb9be524da7a068916
SHA512 d9d772d735db137514f97ef582a68d6a83f0908248413925ea430e2688b1f763add248f5dde27deb68846a4de8606efeb2830bbf9ad5a70f7d0cc75d87cbc759

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 d7de5c8ce3de72cae0267d417a0928be
SHA1 30f4503dae328faacffa37d3dc324156d0d3bf4b
SHA256 83630c68f3811793284befcab58f42fe6b87b7650b414d831e95e920c6003195
SHA512 2edb0811a9d7ec763672d3769a9b4061ba9ac4eb3fb2eebce73feb765e64d3eb7d10884d62d1c0fd3942ad149170c950766fc0f9b7d57cba84b761ba9e7fb301

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

MD5 0166cc7fd49c577592295e65095afb17
SHA1 e5a277c2f9070d32ee3ecedc16239a42bda97e0b
SHA256 573cae7d2ab2c3ccb13c01b99195398f4a0a10a6204ff8fd9aaf3257db2e34ec
SHA512 950099e933bb3aba400eb0172e3258a1886af11c49f267bb9bf36426b6fc9e41b89bea040ca0a22e6c4de8a6007e44542b10bd20c6ba5ad011ca42e45725939b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

MD5 ade3c04c5db6e819b2166be62226c8d4
SHA1 ca724d182ad13ba86f8b21adc1d5c84239b93e5d
SHA256 928d789639ab302529120bc0d396eb14dbc7a705123fcf28f8fc036511afac6e
SHA512 45f0b2a5908e92a6fcd92310625ffe6e61d553599ee8ca5e051b88b2c1997e81d7837efb92f3f2392208e70de37ef2ae0978b3990f089d4442a1dc5a1bbf6595

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

MD5 63243eab093a71d66485058361b6778b
SHA1 a401efcb94d23a5bc09ca4f3393d181003407d04
SHA256 961c5ea99bf27e6f2938ada06be26ba10e9e28a4090db84e6d655faa1e24c51f
SHA512 b6fb1814062ed9822c1a2d2ac287078fa57ff185d090fc7a56634975d0417d237667929cc8e331e6d55159976324d3416b982c8d5315805aa3ad7e70fecf61ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

MD5 5b27ed2afa5347f37edcde8280ff94c6
SHA1 8bc77fa5488cb96278b2679dc735bbf968479fc6
SHA256 0f30c3d55ff8d418db9ed5547b013fe24950c9122fe260a16b234343cb559928
SHA512 ddb024e903209affef0fe3a275a62fd1368c48ad37c9418765167febf1394b17720bd71b1bbb986e848353dcc1e07f95e8fb57a9b243bd6fac44266bfda6d80f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

MD5 66abf1ffb66cd4c82b6aaafbb57f8326
SHA1 48feadaac3a521bfe6cad200c92e5e7f4bcadc6a
SHA256 5caddabb7c2d8fbdb5210479d670e62451bf61b0c33ef8fbcaf9ea33c3bcd334
SHA512 3bc4a892e92cc211dbb2ec98367277278705eba588eb34aa32534f6441c78cbd87ce9f93089198949231e2285eba1e4889e223673e7328d250818f397963bb91

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

MD5 67b832cdce36f010082c1df93298cd33
SHA1 3fc74828710d946da018d62471fba2be1a7ba411
SHA256 246e78b98193d0ec7f6da1110e64dbb0cace24b8263b7a56ebafe2f8438d7692
SHA512 64da2802d4893ec8177706e0d1b4d7f7b8f80b138bedf51c87cbf4740d4281736b27670bb5206c5cf8ef78536a038bd7d03ec21238e7974f7aed0522cf1f5cc1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 9e0ebe3f0d4b25ee6a8dbb09dff724ba
SHA1 1c3d574cdd236dfd9c157dd90433210d6605c5d6
SHA256 572f8dca0af20d890a38aa16e75a1cd002c6d0a6b812bbcea3e3f15701614ecb
SHA512 bf0161c2e24d49835ccbd8a75b80f10422404f6fd049a663316281163de40734da0b97be883050c47460d7e6d38a15e2ca2432483b2879d27e0b0cae7ba88974

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js

MD5 cae228178a5d871f4dcad2b76d33b385
SHA1 8d4901464024960d1334db86d9286ff62c6619b6
SHA256 e4a327d25addd4fb8b938809373266c13190ff039a48b3c266e7dd0c9ceb12de
SHA512 1403172270a7fa21eda6b8e7796fedf7e3c298dd557b0d963a940b471f70df4070a0e37163c10f69096cb94191967451e8577036de2174e3ad035436f97db188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

MD5 d56329dbbe402ff1c3ea59c5679bfd12
SHA1 218c55468ada3c1fde22763a5b39903012c098d4
SHA256 c3bfd37b600fe2a1345e0581408d920702c59d181efb7f7356cbeb2f74667eb0
SHA512 cf05f25efb3da50f17cee08dcb944cd64bd07359804c24d472732c1d22e37db1e3b6e80eed843da29fbdaeb12cb293e5b3553fa90c0fd37e5f981bc4437e7092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

MD5 8f783960075b2163b2136d04fd02277e
SHA1 730215aea2ba4958d8aa99e826fbbea4c4a1107f
SHA256 681911851f8d33ffff1182397b20498941143b9e2794e111089bdaf1ea7f9a7f
SHA512 66c132e9430b7a60137f9c855090b2dce5a38c0523e44d05205e9a214b9b0dfeb532281f03837a661d1c20206e554501d816aa0cfa01acf487511d34d4b0b946

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 8c99c493dccb320645b673b741a1330d
SHA1 2f9ee01f63991910bea62db17657229f7e21a6d6
SHA256 4e25acba14195bddf7fbbed81e584238b0c7e32eaae6af4dc7ef28ac25530353
SHA512 6234e262b2eecb3f3bcfbf3bff03017aa486f5585a2dcbd29f3bdefc11922a01a7d8d53f2c2b28e4b541ee09f52c244fd9be7cadfbc6a04aa8be8368df460b5c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

MD5 d31bfcde8aed36ae6adb9c9421ea78fd
SHA1 380849c7e2659d4410b77de620299cb614ab84f5
SHA256 db235f5cd7a7288bbb159a98acef66953ebb712e3c8612e21097177d5f2e55f4
SHA512 62aa10ddec14f24991deb1d6778de0700a1ca784e69b3d9d9a0563c0371922ca8c7318c6ae35d41e11b5e0b62b646f1ea02703c768754dc207d209ed31a8557d

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 ec7cbabdc95fd452fe69774482da84a7
SHA1 bf256a25f8c70be399fb6a1878d1daae57355418
SHA256 988050962b73501c1155652f6ed523af76689cf1ce2ea0a341401f9ad7679eb0
SHA512 487524e507773696eda7e587b9f5ae2f3dc7b41f149b5c54667451c37e60b0ec7f61722c3ef4e5fc46ded511356f4db9341fe540ca823ba4fedd1fb46addab1e

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

MD5 0f9fbcdda5b7ff87c4b02e4bad4bdca5
SHA1 4eab1b4c9288186da18870c09030e37e1567d9ed
SHA256 2a14e1260d2d629b25e62f00edb6736e3773979019688b377e2e56693f493f2c
SHA512 f7a3dc6a3bba45e2b974895a683c7a617a9b75e78e4cecd29f0a565ec17b833a03b7740a7c3b8fee0f2f74d447bf2babbc2c7bd27609f5519b7bbb9244b5b154

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 15587b9b775f2a91c9ea08762e878c0f
SHA1 74c0808177a7df7be498381c1effd26d5b89f936
SHA256 f8432e37542410552a7b840c3095d8aa76a5985491bbe3b207609a099392f3fe
SHA512 bbe30ca98470334621d6b299bf951c6585e1b66529ab04ad20133b59a771a3eb190f73b5a9ed491b5200ac8fdb39568af7d98c604621d77a19ebd499c5daff0a

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 ecd3efecb2aaad7160eb0ec17db502a1
SHA1 cfb7f3add66b8c547acbe8cc2ab06f7124925612
SHA256 1fd59af26776de079405e0c3fbb1919578ba40fcdb5c9abc20f82d6dc4ae9df2
SHA512 deeb3b15b0ab29f3b5e87b21b117326d5a95be81bf7f4844374221b81a73c7c08f1bcbe0ce5b7df78d2a10bf81288b31ee5ad4bfde17e7c860d7f42ea8e3a77f

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.busavelock96

MD5 983ec391469e7b71690c7e06879d27bd
SHA1 d395bb499b864688f02dcb2691697e12645f106e
SHA256 4eeeed0ac9dd5aa7648dd3b908af569d785e598a133188e83448b329e0736179
SHA512 467a934d8f55f7f3b7ec9f2b204e783149a60bfb265b7f7b846b4a32851d26e057a01c3a6e10d5bbe1933bba9c5b7865b6e2bd6a99708704ead5dbc9ca1680ef

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.busavelock96

MD5 d12b1ab6f4869717ac1076575c2729a1
SHA1 67e6254e4df716f6abc0919ffa7b3b3825371aa7
SHA256 8bb8caaaf28adc2ef628c3d907fd2ddc4325292f3a912f8e276e56165d815843
SHA512 73d97ea0471989ea6ab3d7355757f052359fbe970b0691345f0f456ce14e0a810271a4a508bc3b003d5ca59a7572f4c09ac40fbdf211911c868cd1dbe1be51e7

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.busavelock96

MD5 64b9f2daa37ae95bf8390a595fa78a94
SHA1 e15657d61e5a4c546b4b2ec30572173368037ff6
SHA256 900d17affbb61c52876b3c5865728a906eba1fc34f102a9bffa4af05828969e9
SHA512 d5bef5c758f97b0365c5cc6ac25a54261bbc5e96e46014e867b79c40eebb353995703b2ebbcee86d22f366df0dc7069bcb5a252bc7260e8b52eb8819708bea10

C:\USERS\ADMIN\DESKTOP\TESTCOMPLETE.AU.BUSAVELOCK96

MD5 d0df2488f6f3f3286187bd386f6a8809
SHA1 40fc0747d4b2cdc7aeda3f55f00684cb73643796
SHA256 6b8401c680b24418887feec851241113cc1e9a28410556a431f1fb2b912d9a64
SHA512 7f31c7284f4c0feb24f749c609109f214bd1d1063926315bc468e84eb08d0f5bc5c9fa53624bf9b7a7d91539b993779fb0f1c7b558b9432640607c070094ad5f

C:\USERS\ADMIN\DESKTOP\WRITEADD.DOCX.BUSAVELOCK96

MD5 feae8a505741803f15d801b61b4c1d2e
SHA1 52e76ff3a3ed4ec22792af55d900a9bac6039c70
SHA256 ee1ad0204f60a75f1fd99c7a4e83ef0d6d7fe6742ba36112c2550ef6701c453e
SHA512 da2eed9852a195866d5af20d7dee8279ad348e616526cff6df57e915f4c10c6066a79473c027496642178daf74de9a44d02c79f989c8dafe27665bbd40b088eb

C:\USERS\ADMIN\DESKTOP\INVOKEUNPROTECT.DWFX.BUSAVELOCK96

MD5 5f053c0f50d418bfdcd80c0dbaa0cb3a
SHA1 70011135581ffc8355adbd806d76e30018c7aba4
SHA256 52b14e8036b95a22658d9f02a371b5d6aa608e3cb16b43b7c643dc47a26ddb66
SHA512 2e4b770c13f51b749b463cf7bbc65a7917ce886f3c714f4f3b5a8c26fd9cb4da24f711bfe1b835c224a96397b02aad5736b005810a03fdac2399ac415b8ddac0

C:\USERS\ADMIN\DESKTOP\TESTDISABLE.HTM.BUSAVELOCK96

MD5 65ee62e91eff21f1bca2cf10f91ad767
SHA1 626e7138a45367702184e897a071a69d3bf46b4a
SHA256 90f95425f4be45b4b0d687167c52785e3edaf5ad853189949c54ce0ac2af5748
SHA512 be8f670e0bdb1985dd8d962a2f865d620710b92e0949fd2b422952b5b8c6511299aa74552fa016c596bf98adbf2a9a71356c08ec91acf052320e571f3edcd25c

C:\USERS\ADMIN\DESKTOP\SWITCHDISABLE.WAX.BUSAVELOCK96

MD5 d38ca06514765ad3ac70370145d81f99
SHA1 751ee63cb0755887e7abd779776e334ece9b0476
SHA256 3fa3d61db25fee18137c52caec9eab309f5fb825bf268c27fce5e5880b1b5d01
SHA512 896ca176192183ab3c449e77551e72080d9cfef2fca51dca01dafe1a70c1fb2876b5072f7e4c1a973d56645debacd8aaec79bf2d5e28cb7835c307c4f146913f

C:\USERS\ADMIN\DESKTOP\SETUNDO.SEARCH-MS.BUSAVELOCK96

MD5 0b3aefe86009492a788cb327232c3e2f
SHA1 c6a7044446e261bfccaa76686d1dc5ed7a5d2daa
SHA256 b7a1cf519057248135b7bb54b82b0f71e7f49f9d1349a1b05bfc8fc024af61bf
SHA512 58d092c728c51baa70d38f43da1d10e10a487de73f12d3e19d036cee064ba95fdd3979b1f72662c741c98e0bfc1a562860a9c8d9086fa7096769a033b06f4855

C:\USERS\ADMIN\DESKTOP\SENDRESTORE.HTA.BUSAVELOCK96

MD5 2ddb47c787dfd640a5a394d1097ff0d5
SHA1 d78977674b22952ddafc1c78acf93b7276188f7e
SHA256 01f41a37423aebc70d303c46bddf09ab0ecb1d5fa1ed6e96dea80db7e80361cf
SHA512 9150ea9846f87e108d4a607712bf25b74d0a50fca05f1c735480f4cea195ca1459b5f3e255384ae829385eb70c85a672c74a74fffc9e4a44e58d04549aef367d

C:\USERS\ADMIN\DESKTOP\RESUMEBLOCK.RMI.BUSAVELOCK96

MD5 e315522e8bac2456abcd2ac802a58103
SHA1 e4d9bb3505615e533de84f7fe7b1181abedd41f9
SHA256 8c2281af24de540fe094623797a3732b0af64da3a011861ddf1c256ad1a6ea9f
SHA512 3580dd356c23d3c1b579042b718856cf1d8f354fc5656343db5777b83c0de97ce16a39d5338e258c00e5cc3d78d728eb095ab678084b70d8f91efd3b163e1359

C:\USERS\ADMIN\DESKTOP\REPAIRRESTORE.MP3.BUSAVELOCK96

MD5 47baf8363cf2e296d2247c28113ba0d6
SHA1 4890e8d5d7089598f4e8126cf4052e61d0274cae
SHA256 956886452c5ca4e428a158a19688c913feb73e26ab247ec002d329a8bbd1409f
SHA512 f66e8bacbcab31c90f43687a537008b2987df9f3b8d964e152d96bbd203ed78a1689c8f8b3f3383c6771befe1fc043da63bb7f81646284eec70906d527ef377b

C:\USERS\ADMIN\DESKTOP\READDISCONNECT.XPS.BUSAVELOCK96

MD5 d915a125340775de97cb4a84eae3cd41
SHA1 4c5b9e07c00ff3e3f5224cc1bba2dd5cabeb0837
SHA256 a372ba59b171e3f6cd167aa9d39355be29430422e9e12c4bbec3e7f434dab9b0
SHA512 fda56ec47e32a647e5f4b02d5ecce2c1e8e66a1562f1877ef0567d9369cfd7f9f0adce29a75c15b1a508b2b6c8865a00db47ff83da6702f68bb4f1d3ca0b4ced

C:\USERS\ADMIN\DESKTOP\MOUNTCLEAR.CFG.BUSAVELOCK96

MD5 876e251541a8f4621de9b673c7c4d947
SHA1 e08fd582c1658830b0cae2cac78074fc746f6dd1
SHA256 0eab5edbdc79e705c1fcc1e058b1c2fd4264fbac87eeeeb7c47b853449a15c55
SHA512 774a84bccf1d205714eec47bcd2188df761039b0fc700aa76d6267a680a463be077298778e19f40790c271371bfbff8c2958fa3dc0d2861add3d17b1bd7de28f

C:\USERS\ADMIN\DESKTOP\MERGEUNPUBLISH.M2V.BUSAVELOCK96

MD5 203ccecc2ea30483f2eabe88547ea0b8
SHA1 ffff36b52baebad0cae897164ddf17e45c0ef024
SHA256 140a13f8dd4916f29b7263c6e988519c5c49c339d58f2d0d90a74a1c322588df
SHA512 2123de13355e24f40db890ef696435ce09998d0f520ba078aea4762e4d6e323b63ba04a50c0ae7ab62df85e06108760f35942371b9f27e8d97788dc041864e57

C:\USERS\ADMIN\DESKTOP\MERGECLEAR.MP4.BUSAVELOCK96

MD5 4d4eb06dfbf00201fbd10fa0605d939a
SHA1 9bb31c3ad69984841054027de81e91b458cf54d7
SHA256 5fb7018031e3de88e0d15c0e57c005ea3ac8aa628ea0b3c7e720fb8d8ad123b5
SHA512 78128ca1a00a6e609d894714e39496b4656a4f30a9b43edf2f97f7abd5c46e904a6999f471690ab2ab16ac53db4030a71b0f72c270331f319cc16cd3a89c02dc

C:\USERS\ADMIN\DESKTOP\MEASURESEND.I64.BUSAVELOCK96

MD5 a0aa547e84a6cc301fed7c7d1fdf0c0c
SHA1 20c1201baa5b30e294f14ed6646b565d5e263eb6
SHA256 f546e3090af1fd6dfed81fc8e9734d4c89c7b3589d2366724587d7c5338e2b91
SHA512 84efffd24debd4fe58e9134513027165c3498058214a28bd2545eab247480b564e2fff7d6d73f77e791e04695b25bc25b71e00f39a0b65e3c4a4a1a8acf3ffb2

C:\USERS\ADMIN\DESKTOP\MEASURECOMPARE.SEARCH-MS.BUSAVELOCK96

MD5 dcf51a8eec0221dc420049609ee70c68
SHA1 ad8ddb6353e73f5af9b338de3ddc34e508233505
SHA256 9982febdc2a49f38f16d4ea09aebac27fdc4105cbeb63d0be26c4adcd88b8fa5
SHA512 944c54acf2d27535f7ed4da84afaa6319ebbc96329689adace8c7ea0373786544cce971d3c47960c5ab6c1b24f5ec785174e9cd9b148c5984cd0153beb46a767

C:\USERS\ADMIN\DESKTOP\LOCKGET.WMF.BUSAVELOCK96

MD5 5027015b70d8b667aaca1c8a83f67601
SHA1 a69aa7933cecce36a7ee028809458bed910220f3
SHA256 ce6698e59cb62a92577fb5c7214d21874cba833998edbf2ec6349a2f27088af6
SHA512 55a97a9af1ea3386b2935958447c1ae40698429b03ee139f6ad4a3d9d0388ab998517f8537b92a78d956c3fa0d941dc8b2cf2293ffe31741d41e0a532164f1af

C:\USERS\ADMIN\DESKTOP\HOW_TO_BACK_FILES.HTML

MD5 9c20f529410a7814d8e010dcc4ebeb12
SHA1 a68faae36c4885cea9c8d8a1ce62dacf1fb6430d
SHA256 dcb2874ba03e1abaeec84177a3da8c1a5ad8fd4d73e1ca029590ecd835aadcf9
SHA512 1299e1d78d2d58384f8ce547a0057eb6f4e58fc1520046c0aa94b78f9cca2a9de7b2b099fd7c0d6e710a844544b4d4871356341161ccf00030389f7670d5bafb

C:\USERS\ADMIN\DESKTOP\HIDEUNREGISTER.KIX.BUSAVELOCK96

MD5 2229d619fccccfa70111e40f68d1aadd
SHA1 4e424dd8e13217d8895aa50ac2202b7110c1213a
SHA256 867e0186c556bf605201779eb8f35debdcfd6a760697e1d2236a3948d70a3dcf
SHA512 fd92abec23f96a22e6ce01f713516e4d856ae16882aa10714f4a3dd013ee3224424dd59c62b6d789710a9aca679bf19e617af58b7a48f3d7bbe100c7b205db3f

C:\USERS\ADMIN\DESKTOP\GRANTSUBMIT.AIF.BUSAVELOCK96

MD5 f89f54d89c3422e759b5c0c99b5a4db3
SHA1 5f917328b764e8d9d2a02ec82bd58622a2fe202d
SHA256 081011625b0f42bb56f36ff407cf5f3b94fcf8bf5f447b489f2223cf34a425a5
SHA512 7cc5bc003547d812b2f4304b84ccbd370a1bcbd94e8054908e664170149c0b900252d3f4f1c97ab5567655caf144f841795a87933ef93325c1704441d7443de0

C:\USERS\ADMIN\DESKTOP\GRANTSHOW.M4V.BUSAVELOCK96

MD5 5e92f4faa5368cf60d9baac0f8be26ec
SHA1 2c7780a79a26a46080609568718dc60f0963ef6c
SHA256 22280813a4abe50e1a11c0ad1aa5ba783f8c3f5fb150f5e138c16d0332a86e2b
SHA512 11bbdeff3a24eb88c9cde76d9a9cec6432aac6d1db20a2aa1fff3ff71c3a724ea01ebff771200ff4ad704bf11ff6b772b13e9fbce426a31b870cde700858fcc6

C:\USERS\ADMIN\DESKTOP\FINDWAIT.POT.BUSAVELOCK96

MD5 617423547ad79f3837f2f0942f9d61b8
SHA1 48524ef6dd99deaaf5bd1e4dd284f08825a9c231
SHA256 2178b7f5808a384fd733dc7f251df388f2803c87d099b94cf52bc1c216336e49
SHA512 5c615f09630c7d7f63497cba15fce1f341630a77407a3f88e5cbdc0d29639bbbfa6b7da87c13d84f36723c28a1523c714fc42f94b89c8698d30cca2d0c5ae32e

C:\USERS\ADMIN\DESKTOP\FINDBLOCK.PDF.BUSAVELOCK96

MD5 fd9b8e44d3c8ea4e0fa8ed8a71bf285e
SHA1 a39eb626d4bce8e7a8b3e9f938a32879f1e12cd9
SHA256 3a0b4498e47be9a2cd95c5c1806dc76d7be68a9718a5fe1a5541cad286f6f4b2
SHA512 dcc0cb6f6ea2e0a00458eb5a54868493c51d403be539bd06cdbb02896f24255713d6c0d5dc7a433aa63ab3a3fc6f5f7de89571c25afa12953e38ddfa6d45da48

C:\USERS\ADMIN\DESKTOP\EXPANDEDIT.CSS.BUSAVELOCK96

MD5 406d168d54f03b34cec609c733801d5d
SHA1 539ade83f6f4b90a90c06139e172b216df6abebe
SHA256 ef1c57af0b610fcdb490d633cfd10bb256a133444b1084ba6dee4444ceae4b61
SHA512 e8b6a9bd9c33026839eb9035306d967810952b0c59b391567bf888d6668e8340bf15fa426fb751ccd4b59c89290345d8188c99112bf75d8ef5691479309d5837

C:\USERS\ADMIN\DESKTOP\EXITSELECT.XPS.BUSAVELOCK96

MD5 3535b3d3a3ee767078d962f8eb534bc8
SHA1 585287e71763839a47b14c5df0ab56a356050712
SHA256 ea2206e822987476faa197efe5a52509eb4fda9ed0af68efe1bd630b70f1538c
SHA512 dde332ff5d2513866320a3640831d35e2dbc151c2d7bbdefd7b716b64d52e7ae4aa4846909181ec0ff133bb38ab68929a0186b5913a3cbc5460ed298383d9bbe

C:\USERS\ADMIN\DESKTOP\DENYDISMOUNT.MOD.BUSAVELOCK96

MD5 12df2c1c6cfebfcd4aefcc390fd8efdb
SHA1 4526d08f46bb039784ed0c6b07a35268036ed642
SHA256 95ba2a8c455a772c09f5627d2b8210b6d363bd08989031ac0aaf5465664d34b4
SHA512 54afa45fd34347e85d15cf222b205c486a137e565701dfa824fcb367f9f84797493eca4aea98baa1341b60666471d5a7e93e68cb714fbf532de49441d2f25af4

C:\USERS\ADMIN\DESKTOP\CONFIRMWATCH.ADT.BUSAVELOCK96

MD5 5a64aab4ab5d09231495aa1750bcb8bb
SHA1 0bd96bf1ef606190da364b962115b8f2add38a35
SHA256 0e337d5565103d16c594fd64589c718b5015db3ddc2ee713bdd9ca0dcd0af214
SHA512 0cc3348fe24e08a6c21b14a68592dbcf3297d0165a90b33045ef8dc99c8ba3764deec74c6f3c0af5005dac3fe2ae66a317f5aafaf94c0ec53ffd82663a3d9c85

C:\USERS\ADMIN\DESKTOP\COMPLETEMEASURE.7Z.BUSAVELOCK96

MD5 77263e745f846664b987d6268de59771
SHA1 924a226ef41384fa1e255573c0f653eeae9a816a
SHA256 6640fce46f4e17f4ba35e595b3e2e281078add0b392e4c3a7a264759729921a4
SHA512 900d2de09fdb61c420a70cc0d1ecf5d57e8a11f33b12fe0c0f7119de7dcf71cd6227280c89277bcd07ffdcdf5d7bd8a4d7bbcb7ac443ea7f575ead854dfa9648

C:\USERS\ADMIN\DESKTOP\BACKUPWAIT.M1V.BUSAVELOCK96

MD5 cf170bd0922a0d584249f2eea5ec8bcb
SHA1 8aa8028a49803d9f88ea98dee9b90cfadbe80bc7
SHA256 16e445e330d9d872d59a675196d845dd5d9de4c4589f48098cd528c58175b9ea
SHA512 4c7faf26a0817ac9a2f6820eef54d720d5ac94f694225a7c29b771fc08f26d2eb119cf5a64ffa4a2230e550f241fe1eeef40c6b33ffd61a4f127a824c363f682

memory/820-19148-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

\??\A:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/2508-19155-0x0000014CFECB0000-0x0000014CFECD0000-memory.dmp

memory/2508-19157-0x0000014CFEC70000-0x0000014CFEC90000-memory.dmp

memory/2508-19161-0x0000014CFF280000-0x0000014CFF2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133335756383387647.txt

MD5 d67d5656a71ca8d9194da26954938919
SHA1 4a9e3897b022ac796f82995e53f711fe0b117716
SHA256 89e3bdeffac5bf420d7ef3b78353d7ad50ed451d88c2caacddfc9fbd4d9c9338
SHA512 748f454eb63f5e4b9277575831a8f8ab0ac3b2f1fe05c0fa6c5ccea840fb0455a028067eda4076714a1fedd2ca0044f281a8c4573546eb60e9ada790153e96a5

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133335756431393985.txt

MD5 34e5b2678035f0c95d7ea097dec10d57
SHA1 5033f0db3b197dfa00fcb243a16694b96a494eed
SHA256 9934c296384269ae4074cb7d6cc324f4fb6911f4ea3563f88c49967fd8044594
SHA512 02f1ad4654e84ed06ac54024407b1c0e9a1deb923fd32483c8d2f73eef91a0cba6401ca332aa95a847f4b2607dea2e89b96d15fdec2a3947aab1a47e5ce32e09