Analysis
- max time kernel: 1161s
- max time network: 1166s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-02-2024 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
- Resource: win10v2004-20231215-en
General
- Target: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
- Size: 80KB
- MD5: 612a58fd67717e45d091ed3c353c3263
- SHA1: f6e8feb1eb645e122de8bded0360ee9ecdafc823
- SHA256: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d
- SHA512: c4fef7e172c49c4fb37c03aee9a28db90071a9532355b3b93496d3c171a6497096572e56573df81145813c49c967c0f0453a804358712dab2b49e978134001af
- SSDEEP: 1536:YhzcsRv1OJU/auBBqXju+4ed8sbVNUmbLZBMqqU+hV2Vt0mPjc:O/N1OezQa+lqsB+mb/MqqD/8Pj
Malware Config
Extracted
C:\Program Files\Common Files\DESIGNER\Restore-My-Files.txt
lockbit
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 12 IoCs
Processes:
bcdedit.exe: PIDs 5192, 5652, 5620, 2192, 9804, 9848, 8840, 9224, 8948, 7068, 9180, 2272
-
Renames multiple (6432) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Processes:
wbadmin.exe: PIDs 5548, 6860, 9924, 7852, 7732, 6316, 6212, 9884, 8356, 8116
-
Deletes backup catalog
Processes:
wbadmin.exe: PID 4772
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe: Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe: Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe: File opened (read-only) \??\F:
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exe:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
-
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe: PIDs 8096, 8288, 2968, 2080, 3172, 8576
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe: PID 2164
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2968
-
-
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures 3⤵
- Modifies boot configuration data using bcdedit
PID:5192
-
-
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no 3⤵
- Modifies boot configuration data using bcdedit
PID:5652
-
-
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet 3⤵
- Deletes backup catalog
PID:4772
-
-
-
C:\Windows\SYSTEM32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:2080
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled No 2⤵
- Modifies boot configuration data using bcdedit
PID:5620
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 2⤵
- Modifies boot configuration data using bcdedit
PID:2192
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP 2⤵
- Deletes System State backups
PID:5548
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:6860
-
-
C:\Windows\System32\Wbem\wmic.exe wmic.exe SHADOWCOPY /nointeractive 2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5500
-
-
C:\Windows\SYSTEM32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:3172
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled No 2⤵
- Modifies boot configuration data using bcdedit
PID:9804
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 2⤵
- Modifies boot configuration data using bcdedit
PID:9848
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:9924
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:7852
-
-
C:\Windows\System32\Wbem\wmic.exe wmic.exe SHADOWCOPY /nointeractive 2⤵
PID:8952
-
-
C:\Windows\SYSTEM32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:8576
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled No 2⤵
- Modifies boot configuration data using bcdedit
PID:8840
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 2⤵
- Modifies boot configuration data using bcdedit
PID:9224
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:7732
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:6316
-
-
C:\Windows\System32\Wbem\wmic.exe wmic.exe SHADOWCOPY /nointeractive 2⤵
PID:9380
-
-
C:\Windows\SYSTEM32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:8096
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled No 2⤵
- Modifies boot configuration data using bcdedit
PID:8948
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 2⤵
- Modifies boot configuration data using bcdedit
PID:7068
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:6212
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:9884
-
-
C:\Windows\System32\Wbem\wmic.exe wmic.exe SHADOWCOPY /nointeractive 2⤵
PID:4296
-
-
C:\Windows\SYSTEM32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:8288
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled No 2⤵
- Modifies boot configuration data using bcdedit
PID:9180
-
-
C:\Windows\SYSTEM32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 2⤵
- Modifies boot configuration data using bcdedit
PID:2272
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:8356
-
-
C:\Windows\SYSTEM32\wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest 2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:8116
-
-
C:\Windows\System32\Wbem\wmic.exe wmic.exe SHADOWCOPY /nointeractive 2⤵
PID:7960
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe" 2⤵
PID:7176
-
C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 20 3⤵
- Runs ping.exe
PID:10192
-
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe" 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5904
-
C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding 1⤵
PID:6028
-
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe 1⤵
- Checks SCSI registry key(s)
PID:5244
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD585b284f91f6c75f1d486b3aeca58aa8b
SHA1f34f526438498a9b8b428f301a43ff1c0aa9aba0
SHA2566073a259152cf1e1c12e9fb779c935ac7d83f4d42fd9baf7dabdf580f18b4c71
SHA5125f37c6518233905f8ed96bb441808ce96cc6a7f6d1779a0baca5187035b1106f9632e8ea8cf6081774944a281847d222b11750b30d731f6f52d627c1ac8fcd63
-
Filesize
3KB
MD51a2fca5dc7bee8b223fea16afe40e3b1
SHA14ba5adf745e8db2933d8aa3d5cd7c8bbe0b261f3
SHA256d24e4a088fb998a3990c1da2d82bfcbd6b4014a9f41eb9a8cbbeeab356e53af0
SHA512dd974419089bb42e61a824566c2d3134819325cf1872740cce3e128b5bce2ce69d0998c3471b2281ce70953f0e4d380abe95d70ba7b532657bb5cbed4d0f7ec5
-
Filesize
2KB
MD5080b952f64c0a1427e3cc50d8fef1b04
SHA11fd5d803e324647992153877b5c445d5e2ed2f85
SHA256b4687e80f24e29357d83edb597cffaeebb533c7c94d4a1f0599c34bfaf8c4541
SHA512f11e6cc464873df042f16724d3d4a1b99a7a890b569b5ef8693233f1f0d647fe8bd190c66b0ebfae4575394bfe12c3d718659058e914808997688c66205d055e
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.abcd
Filesize2KB
MD5ad998501207bb25b5d03db21489754b6
SHA13314afccdb176fa2cce2a7d89c89cf0166819004
SHA256a6fb792103d99b41a8db065b629b95e0dad1b528c58d5aee45422b3f6b3189ca
SHA5122a00b123dd09dd9ce8dee3dc8d7d5cb0169a24643c4d6dc477bdd066b3d2f1be5d8ca43e8725424278403c5d9439da44cc3bd7b5604e98e331d0fa5c166b003e
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
Filesize3.3MB
MD5c3903fcbbb55d1e6512bfe2dad23b1f8
SHA1dfa08eaa2acfbfff3c95edc424859b5314cd570e
SHA256a55e2712416afc3afc95dbfa7ea28eaf5c0bdf35f76acb66e0cc2b42edf3f86b
SHA512bbf6ee4470e1ffff364a1d4e68ca693f124e5d8ffa58386342791f35fef1f0720e7b3b46b0a1e187a8328eb12fea70afab271ae8b445daa653e33a9dd3d7c97c
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.abcd
Filesize2KB
MD5d3a8c77a330bd7016edad78fda91da6e
SHA1dc338d2a1c5c7cb871d2e1d9dfe537a8f29be7f4
SHA256e78aecac62a6a72e1cd3c27cf7dd8d86c60cf93ead987bb03b430ba7a31b06f4
SHA5129451cef9164adb8c1e785d19be1217e5640b2b884911f9d20d3a17294c5336cd1dd7a1948faaa9e6d800831decdbbb8ae81d6ca7b52206bd3b958c490cac9176
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.abcd
Filesize2.1MB
MD51cd6eded9a4240ca6e4f03a2534e85fd
SHA1e0375ca2b53aa33615d650071974825b00922c5e
SHA2569c837f781aae7c7d14a4ba49878019c7e33bdce082cc31ac85199e8c11d112a3
SHA5123347c085d4f2276240dbe507b2adc2b236d959d953b3b8b6e13ec5dd1ac9b9ab4b695ea3dd601fb937a72cd2023540db191276975296f5d8ee855a641232cc4d
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\MasterDescriptor.en-us.xml.abcd
Filesize29KB
MD52bcd48124549aa34632b389fcf392c11
SHA1677acdce8d5c0369a7bf94b47d8ad9e82a054968
SHA25618a907adb344faedfc197a4ff6d72b33dafd6db77c27be93a8999e3bc07a1b7e
SHA5120ef87cc6d2c670e4b0340c6cb2d31ee1f6a11b99906c73b332837655e41b46a005323d9f30478ca9422be2f7bbdece4308aadf945a134ec76dbed624b81d8749
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\s641033.hash.abcd
Filesize1KB
MD5debafec90ce6ac130666bb5047c76313
SHA1f8107e63d280d783cb9ff7fdcf567bba5c5563ca
SHA2568a08479e82d7f6295582f9fe353ce9754007d6d907f0e796fa42873ffcfcb793
SHA51227c5268aa523b4ba61810b9382035e6535fc4658dcdbafef4a97d8727a1c483801dcde0881e12551a13398a41d08614b5d0b43c0e5dd28100e3576d0a9b684c6
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.dat.cat.abcd
Filesize111KB
MD5d992eb8b120d4f3b51554b1c27422fec
SHA1101de2aaba28e4ae1b9aa25f718d87069aa20918
SHA2562c4679cc0198a02198a428b7a534b9d72d5d065af049c24a671eb493fdd05cb8
SHA5123a28524470aff945de0a38d8716c98d4307584cc60862086c0304ff7605de99cd3e2e18f0dde009274ecaf5ad1c6a474087222e8da90c099766f64393d86ad3f
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.db.abcd
Filesize439KB
MD5a7673c2d2b9284037c813f64cfc51971
SHA1725d2a25c05b550acc39ce9d93f99487c2e05a5b
SHA256abcafd55130134b20271a81a57ac99605b24ef5e95e7a2dbaee145d018788530
SHA5123af44e489e75fe9eb1d5bcab341c1c2b82bcc16f9d8d32ba8d25cdd5b4e28f4ee415b0bb3481ba82a8da9e8ae715cabffa5f2edff33baddccee1d34a89ace550
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.hash.abcd
Filesize1KB
MD5782310d741f4488e0355f039db6fc00f
SHA14413e5333db1f0ef1c84888097692787d4103346
SHA256a69088af5f2e94ae3bc866f5cbbdacc2c5688d5c9feffe0fe6ab764b9043b5e3
SHA512bda6a4dfd2c7ef517e38c832ac516c5b937b749b23c893246d3c4567a73604aa3a88f24002458f09906e29091caaac5a84ae995e8ab28df0b755da747516adaf
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.man.dat.abcd
Filesize624KB
MD5bf943cd87e958f13c86defbcd2863d22
SHA11c782283d66c27922372cc6767739236526d036d
SHA256fa2790d050b04e70f13068b6eb40dcf2d05a700d92725e3bf5b5a15f28b00710
SHA5126c6eaf5234838ef4c09885546a60d62176eb8ae99214b79a36a541a82f47c099d1446a872540d33d018b0340122e4ba0e7c95691d25f14155750546fe11fcbe3
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\mergedVirtualRegistry.dat.abcd
Filesize5.9MB
MD57dcbb11cb865f9d386cf5d8b2b3fc9fb
SHA15db53abc289d824eab852c0c0fcfaed84aae4f50
SHA256e17f99d2e631ccf3f90735249568ba4b092ac3103667919c71c272a021d8305a
SHA51205948515bf74ad2d42c226ced297ede074f99e0b0041f6e48613e580fa020adc0f851bceb5a0270c37782a8a893241d6b1f7ba3322e01e385a30ccc4724fe53b
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\MasterDescriptor.x-none.xml.abcd
Filesize28KB
MD5dd26f7dcc88ee8a40882e16b2fd99fff
SHA19a79332a0342382a27da6c2503f5478eab5aee98
SHA2560d43a7d89166e3f73cfb80d22ce19957669d5a2e28a333b7a8c0498b33d42edc
SHA512bfeac8b282b3f0a8b0cac6efd7a6d4cf4802b985149530eef795ca739c379bb7b4e5408428848c4a04b9aadb36069b91b5162f26506d44abe69b63ca4bcc5a24
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\s640.hash.abcd
Filesize1KB
MD51144a3037d4e181eff5cc98c9535dc20
SHA1016ab8fa47b6c13465864849cf9107c55fb8aab5
SHA2567ba9f6cc4abadaef7e82e41cfa7d59f03e3138cad913129b5e306c3b4bd6ed58
SHA512b2a3b7176fe4cb5763a681a4f6d507530d466d484fa2f001efa91815660ef0bdc4386b72d25bcacc46a6ec3ffa768ad479fa3ab33fe4041d08cd95ad12006a83
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.dat.cat.abcd
Filesize575KB
MD52e6cab780dcb219a9c43086708ed798a
SHA1f4450179b89565f41a40537b63d5d385d0bfb233
SHA25689351fbdfdb9666eb83403ca4bbf535addf312aa9cf2084bae0ecf239e935105
SHA5127abf3ec6ba0c5590f37b2fd24e226c59002c617641e3deab4aa9b7654ccd4506ed3e18c38ecd7c69c1e3c745d6501976f9e65dbe47400533c92a57caaeebdabc
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.db.abcd
Filesize1.8MB
MD5597358e330202a8aea3004697e8d404c
SHA1c19fee1caa9954e79bf56108133dbb68c2b7687e
SHA256dafdac663f797c3408e662255a4ba11610755c70f756ef4eb7c1b4512d125a15
SHA51227f680250e229126bca216c6c1eede217fd314ba4a8682cd934711544cff3cd96b009a612bad0c283d496ecdf073f0180e24937485de7a093044759f1bbc2081
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.hash.abcd
Filesize1KB
MD59124e11719b5e61adcce56450fce4a81
SHA11fa6e2cded41ae0fb63edab5d798cd1c795e48b6
SHA256e091f174eee693adb3c04da25cd086ff8c44dfe294978e0ff2ae999048bd986a
SHA512ea8b3126328e6ba4d1defe59c925fdbc9f098bd48aff17c316e4415dcc2d75a11677b60a8ddd87cc42039aa4ee77577e5caaf615b3bee83539e711c14e94c0e4
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.man.dat.abcd
Filesize2.6MB
MD574ee780e7fc92e061f2cce44e902760a
SHA136d56ff1e13827e484fbff00e104d718f7ef2511
SHA256cbe3f7035307939fcc05886799236c14f1d4e4bf80a59403b2244e0f43edae2d
SHA512ed7b81e9788d6490e7fd9289a442a64a4fd9fb2d3edae9215dfd0817777d48c14257433f2a75ce16636e900ae373de2a6fd1b72478131f28b4cdf52c8faf0b2b
-
Filesize
413KB
MD59bfaf88116d5cf53ce26385ab33e8b62
SHA1834f4bbd571f9785cb7d03770d6d532998b8c4fc
SHA256656efdbcedfe42ef0f1c6e643c91c0b8fad20b416bf2ad66476b7abcf5162343
SHA512a3cfb7d599a427b957a07eff0fc565768334134cb099fd42192467509b15778a9bda1213b941f97c7d957d368bc3370ab6e4a3e9408016effe13def0f2dbbf91
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.abcd
Filesize17KB
MD5c89a0eb5813708644e55d26b98185e69
SHA1de78c1b9c72ac2a6535f1a798d6de06eb39f7387
SHA2562930b98bb93afb270b1c592ac6848680efebbe0b788f06156a75ace0177389b4
SHA512bd440e949d7ca5028e3615aff82b6a5deedac0e877edf58c6a6cef21a858e52ca8190a8e0642ab7b9bc0012afa172b57a73159456d2b5995207e998696d7acf8
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.abcd
Filesize151KB
MD54a90a36488a55692d51eccadb4003344
SHA133f05928a17e040b4819ea6350a19cbd3bce5469
SHA256696b2e82e83c402c1d4934b7e2e47cc4b76bd3dd603b4c94fc255736d1288974
SHA512e0f3b430e3c41b8b5875289e82a37720f9ba2d8b89cc3f2fe9522a4c947a47015b92fb02c66407511f654d54c0e846cac6ed1f2b24c7ae4e2dd101e9a4964387
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.abcd
Filesize3KB
MD5c3b14fbc04a7f6400e3a52447cc40715
SHA17a9c1565be1c18b4dd3d9004ae83e2aa3dc4c613
SHA2565f4f34693576af148a6a0cf74df6ee72e95e52905113668f93c0094227edab6b
SHA512b2b5e23e1e8f9ab7eacb4a5fb41b07d6d17ee1ce2cd744f7e313d0e6f24eb2fd33b3754b9cff5b86550dee0a9e5467e9af84d7ae78115edd420383db8ec5b289
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.abcd
Filesize3KB
MD56350f856a35e7e07175899906044fe0e
SHA18168870652547a1cbe52360671c042564a662a79
SHA2563918b15708e32d84f49a683874cab9f08bb9a3d6a0e4416e8484e87a7b92b644
SHA512d576dbd091882e297f134b7f48c281993e255a4b886c7ee0062141076a908d14bda94787cb56cbec1a3f742edba430849db64b8dc39e87b139de4fbd5e82284a
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.abcd
Filesize99KB
MD55cd1cd9cb5db292790c39cee6828e7f2
SHA10e0032f50ade8bc7ff14f3adf53223c3be53c438
SHA2567935c87320efb02607efc3a67447a4b009d95b051451c4515b7b6f180df58a69
SHA5128392aa414df3c4f5f8db0f730a304c5839284c2e331b86240354d9a1e804e64ab76a13ba27b5d67254e65b7268033d96a29d8ac634443a89c13cac6765bd1cfe
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.abcd
Filesize32KB
MD55b0f0a5497cb872eded34a51e7338dcc
SHA1cd48a729dccdab2e1b92661134c1e3127edf4629
SHA256d2de7bc358d666e3c932adbc31df8d5ce82ed9ac6996e34359622bdd930ce7a8
SHA51243867918d9aeab7b5b7a5a6f5169f5bc863d0273653520fc538beff4355fb76657cb3837ff74a2db36c158cf78a866bc5540b03f1b269c3f61d55d534491db1a
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.abcd
Filesize110KB
MD531c301a61529ac0bb7a72d16e914ab38
SHA1fe50a449589f454b881aaff49caadf069d154ace
SHA2568b68f87a25700f2a7b50082b91055eca493e10402686d0522c5a6e6aee9fb82b
SHA51287ac4a4bfeb7c360273f1a05ab9c7bea656a713474924e6137adf79e3c802fa8e9e7aa4220a843f2d7993636939633a68174aef6bf8074c7882074d0d07f7d50
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.abcd
Filesize16KB
MD593e58230bc56725699dcee3679e244cc
SHA157cfbe1f38a95e52f83c5a40acb809582c78c601
SHA256784627bef48cbbd078c54e74a603ebe33089f60b8d94154ae70d3df829b5ba9f
SHA5121f3d417e7f72a125e4489034c4642fb362af6e1e094a6d3a38e13c765cdf515dc61267b4b2a2f647470f97c17d4ba3c154afd81734f88deced8cce8537294de9
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.abcd
Filesize27KB
MD57b8cd501316968a74d98b14437154ea8
SHA1441c4a491daf174688c092864c018c8312e4a82f
SHA2561bf5bb0d2a684135ce2fd5c9d90a660d3a3ab0b4fe9b3daa8227cea561010b3b
SHA512982e14b68dbc3e3f7c1ff2a6715dd7251db2340bf4cc44089276f9c4e8b4006533fb597560d263e13c3bf6203875fc402d319748c49c4bb573b5a13c592debee
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.abcd
Filesize25KB
MD5f177bcc12dac3cdd02d0e6878ac6710f
SHA1d14de0ff53666962bcabf07a66d22c9394108299
SHA2568d7a0988bee2108a90b2546e6d314231ce37598c52786694e11a310918141576
SHA5121e99361ce4c566df69e1b53497b5c9bda0bccff25d643317dc051a55bb42fa6aeff516a5e9a5f3584287159b5f7150374895800104027b26967f8265f40cd443
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.abcd
Filesize25KB
MD5e0c4a155c19ee3e1d2b03305d7f17215
SHA13a809d0cfa73a3e8aed6a64e3c33a73c67bcded2
SHA256ff79d9841fc2290195ceb6e7a3fc96ef74704061530610acd2a2b027240e10bd
SHA512688a76b6c2ea9ead991ed534e1c86a41cfbf8477764179c3b73affd483d3a38cd7fb5a7c0a8673fd663a46c69605ecf3cfd7b28aa24d53f072e8755972f80294
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.abcd
Filesize94KB
MD54bf2a810ab0148e025c1eb1886712afd
SHA13324bd4b09d9d061708e8066eddec3a44d0b8065
SHA256ee79a68367f45f447c320fe96babc50d8091ce46e71293b27c1b4a26f6ba733b
SHA512e124c455ba4d7cf2a10abfddcdfb7359e0ae1fc25b1281db21c38e0760fc04af74c16199466dd1b55f4d6c6380d21f59d91fdee8c7726cd339fcc64fc72f3b25
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.abcd
Filesize11KB
MD5d3bc04c76c86feb9f81507435da069f7
SHA10fa90ca144c4ca318d083b00b3da295c326d602f
SHA2560676e92271f618a81f81c19b9dee222cf9789e6cf162128c8773517e7cade166
SHA5123d4dad0403ad3849c7b50b842f0ef0fb42aa40c785600354b25bb63a1a7bd69100284a78162290822ae3c37590e68bfcb2785b7fbfa9651fdb7ae56cb36348cd
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.abcd
Filesize40KB
MD53077d3295e5dbc3c25303f30aa26d766
SHA1fb42c93fd2f14823a46e5d04b4339607260d364f
SHA256a0ed9f49757806dda2dbc3f7cc485ee6b816b92b930dfaf72ff452ef20e0e2dd
SHA5126a33ec82d3fcc907a72d2d68e8fd3dc0542421da91e943478bb475f1eaae9a8da911d95637616d5024cf7b1ec021a962180d3bfc788937a3eb1ba10f7d98f104
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.abcd
Filesize18KB
MD5367753e7071bcf757abce861c1fa9837
SHA1149be7d8a73732f618f8f3a6b9b5a277e68a4879
SHA256ed4bedb6b094d53024a891c01db8750382a6d2f90ae4b8463967cb0a0a33c35f
SHA512dd35f28d9c10619dc25a9943b872396eb4a2f3d14e571c55f69d665410631b37fcaaf298cba1ad4c55fdd0360d862bc06524e2b99c9e61e7445c2b9add553e01
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.abcd
Filesize332KB
MD55c785777cd0f91e97cfa116ab4f8dc5a
SHA144828f9971f27b65b19c4df0296ceef3e7283a56
SHA2563670a5ff0d77677c27271f555c70ab37e5deea155ca20e7b9d5fe225bec5c3f2
SHA51294f87df335ef65a62495519d253d19732a97b75455f2f0b03eab00c1ecf09b759a432f72e50eec978267242f9d18ecfaa125deda6ad7c34aea852c7d1cfa1649
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.abcd
Filesize124KB
MD5065b7c2982ed38888057ebc043303c77
SHA1399df11fdc0e1009d65bcbb96222314e4cd49859
SHA256557e0824fb5ea81351d6723229f18329a17b2899e5de66c0e11c51300e37db0c
SHA5125f33c9d3a2442fa7c81d0bcbe4b2de2d94cf58b45fbe75cfaf0187c8edf10a0d4d28d611e11db88fef754dc58a4d27ed4a401f66dff5437c7f61275a4c21a1d7
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.abcd
Filesize3KB
MD5ee4610ff1b3f8ed535a4cd9ddd992cf6
SHA135235b2b1c410cc9b7c8564d2c726f5562491c88
SHA256720a4344725ea5ad02e085f45f5484fe889cd07a3726a3cae4b590edb9710149
SHA512c71928a6b9042d6581d405808facfd98e2fa2408376438762ede6e6ee323ed8546ed803a258a2a3d5d4ba37516f5c355d6b4cbeafbd7fdd1efe7b5a53796b0fa
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.abcd
Filesize19KB
MD50e99bc07616c813fa0c35a25d8661b0b
SHA16ab260804eb716a761b0533a5c16e9689265279d
SHA25609307816777e99a49a107ee04f74e444aadfe1825e0f2d8bd142c34a5bd28b8c
SHA512fd505585f999747eea74609e097a1b1d45b5bae2a6f90604953e8b22c064134dfd4f71ae924073e07b023190be3f7a47ecb99db25c9e8c9c5a255394751e355a
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.abcd
Filesize12KB
MD56f81f581ddd367b40c45a10df7ab5796
SHA10714b0b805a36b1a01b97850adc7f4fec1639f03
SHA2563b14b464bd3100c1fcb990064e8d3ece53054a2d26f41452ec6da36f183c9331
SHA51292deae4e7b842f578357f4530268b06deb0b4c33c245ac9dc8c2c8e78d865c0e435d3fec979a9d94f6ca6fbcb283971607145c1d2f5c1ce7ed54422bd48dee92
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.abcd
Filesize12KB
MD51a336541b8086151cc0657afb3317b09
SHA1deaa7e468275a5a600ddc42fdfe9b50aebd90cde
SHA2568e64bcabde8c6318cb3263ee38eef7703593ebd5610a53d8502dfaf19ca88be4
SHA5120e7826086db76311c77786938c1c108f908ad9082a2ea222ec362c93811784e044cd4d7960607367f157b392c46bc7a12fd5e9897c885bb2a3bc8387a1149b02
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.abcd
Filesize29KB
MD531424dc427a7108bccbb067156e6fd63
SHA168eb31bba4935d880fc1989109d57faa770eacc1
SHA256ce6091b3a48b79f3348a2495f82b8d528897fcb9c7652e322f81fe467d4c0866
SHA5124b336de9eb9b13fb6631ba9b89357b77cb7aa6e470a292747eea7eed7d2cb89950c9669caf461bbc24cf6eb463d4e8879938df502e6450cbce7cda71a8c3d768
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml.abcd
Filesize3KB
MD54b059f3bd0e13c9e2ca365f3b71622f7
SHA198fdc61612e8fce9908404beae6d0752a6cac03f
SHA2565b7a3fbf79694a2e3cf03fdb3a6c2140086b3994ac57b100b3467d7db518eddc
SHA5126644c0b1fc270f57ddd1a408bcab9d33e0c4147f191af046fe7134f38e7e4495e6b80c237841ac83631aa985d5cc6d762a3d3554e1e62b9125b88d3e52994633
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.abcd
Filesize720KB
MD5afe8a7f6b3e9dad53b67c8f15fa6e5c9
SHA132e14104fca5a16f188d67cedf762f95852119ef
SHA256c8cca10c470e2b83a6b8771f5e75a1abd87debb091c710367bd4f39ad9a68c8d
SHA512dbd18c89f0278f730b7490b45d12220abeb06b37626439f6f0ec383e4363944b1c96d78ec60a071ff3bae69e9018fea9540817422ee1e08b8af7f1c931acb723
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.abcd
Filesize79KB
MD5fd5f12e3f1c09a678240dd4f50a00a8a
SHA13f88d8736e723a91e2487c6be4846fe0fae01e39
SHA25665e7a6b2773fad00c8a356ceefd945f2b8b95276522d52bb047d09717e1dfcd2
SHA512918f5f8529362aa7247b0a6f2869ace3bf98b8bd6d23dd32997df676cd5139584a623722f14d9cfbc641e970a3847fba35a5bab9fe974d2ede8d5fc7ca335f93
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml.abcd
Filesize5KB
MD5c1c143caff40e3f04b3b1aff47da922b
SHA1690add0a197f965281f18ba9a8f231bb9ba83490
SHA2566ae1b12cae7481a6d735622cbc04e4a3b54d15bcbac20bc2815e2292661002cf
SHA512b49915aad1d8eb33027e175ed2a1e0ff689e69c76af3ec8b487902592268aea7a80722943e2cb4ad0d7de86cf79f717785a48d51589d3ec2e06219d141da743c
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml.abcd
Filesize8KB
MD54fcdc66ba7c3949bb3f5a9b24867d611
SHA1ef2181765709a2faa84dda5e04c24108b14e093d
SHA25670b0634d556859750c551e6c93bddd9dfe957b7879b132fc9876a6838155507b
SHA512988602a9bf326cfd1f64e74238aabb55e8fd302fa321d0c57e2029f3ae0593a884f3d35225270c5e230ccecdd6528d5973c1ef8f28b2f7482b81236c3efca500
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.abcd
Filesize4KB
MD5ca120819a524cc34c683469f7d84037f
SHA12679e866cc81bfa3deadef733c3ab47297a42f9d
SHA2568a1127f53bf794cb242fccdc67b6efb71ed688c0f91fcc97a612324f2f1069b5
SHA512cc4cd912e5a54e3fbeaa07da925a78ab50dbcc7ad2164a43397e78c7d34ff72ce7e4f05e124066a8a0bb703b135ce852c6736b1e5ee8f7199c5c67e3bf5f6201
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.abcd
Filesize4KB
MD5a0a8e9cd42d222f26faa37ae63a7cc34
SHA186f72401ec1c3bc7c674e4d565fd49ce7c8dd7a0
SHA256fb061301ec1507f21e163db14134d78ab75bbdcc7c40fa1873c1635833df1bb4
SHA51212a1d97bf1006b082ac9c32ab720519b776eb3f9ce691716e4e8683635db4ec0a4c72b6b40fd2f24a58c3ca0c4564a5a98b1d44d927beb1e0d81ad03fa98a8a6
-
Filesize
112KB
MD550aad5b83b9f9a213d9c2055bbc0179a
SHA1fac2f64d7236767fd1e08c6e81b3d36a78354dc2
SHA25631f25b615f665a6e37063efa67fae76ab64a10ad3e7b3314940f05c6471f0b08
SHA512f1694e2fc5821a1f8408d73a620e8a33a923e9dda6ff78209efeab2ef493b83a887a28964ff434450cf01a4bf7e684d3077fe0d462aba82ec2fa69a98d934466
-
Filesize
192KB
MD55e428d2a954d3d1a439d2c7135e2013f
SHA132beacbddfd289474ec6b887f7bfac8bbbab243e
SHA256f9790994367b671b3e63a67ef74a1f55cf43dcfbdc7839d99a9d2e6202f5a6dd
SHA512de6becfbe09ca080222845af2142fb444408874ff32f3640c4dde71f246d5173e0e0beb4d635c5c540ca07f053140661236bac10c0718141fa93acb0ff8b6681
-
Filesize
1KB
MD5b5abf7dd045851767b9081d51fed7d9d
SHA1bd37653c72d1d220b2fe978fdab0342732dae2e7
SHA25642bb6cc4bdb31cb7e0e91611b7343d61602c04a30974966d0c5a39ff79080ebf
SHA512914ccd3e2cdccb8ca49d207bbb3cadfad33d3e09ad50786bc20c6e142162d9440dbf2b332da5c4ac3a133fe0e2b691731857df3ec6181fe99e184d5b958f87fe
-
Filesize
168KB
MD52403aa5bfe4529146d37c4d890f59a30
SHA12952e12da43c4e95017bdc6d7917970f5cea0c3e
SHA25692c6cfd0a9ab72df66fff75be81c6391638a692e489024465c0bb0e00a8b98a5
SHA512413d304172e6187b41f650d713a8c82984d6d06057d65168cb7bf9312748833a07a9b016cb17f4fe246a15ef752213d22ff67496a4b10f4343bd4b3a7f76bf50
-
Filesize
168KB
MD53209d5f6da219e891ccc611c8164fbbf
SHA1f9182935f8f1a31c37c167a71070d251735238a7
SHA256afb64ac3fd22b36acbc6307dfbed03f313c241b4d5a9f727111b91559636f79f
SHA512c0f005e4a879c7788dde4dff05d28ad752f9ef77d93b004d7a88fa25273f6ebea5e050b275360ef494093867e3940bf7d839675ecbda0fd42e261d5aaf4a0884
-
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json.abcd
Filesize1KB
MD56d68780f5eae197b7e4b0fc608e819a3
SHA1cd27ba3f3410133514476eb0e3449d4bb68d9810
SHA256884f3085bc6d821165a451866e57e690cf61ae847364b40adac63d6e62f9c001
SHA512f69b86d0ee467776cedfd7c356416be4470f40693966f069dc05b151fcccfa6a4bbe97f551d0eb93573131b29a5e454425ff6c45fd36c97e7a85213469a5bbf4
-
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json.abcd
Filesize1KB
MD58f10ec790696215f88d1582f835792a2
SHA18ed8cc3d39a6d40d8c9594b679a20192585bed3f
SHA2567528e8b4bb37d28d51ba225ea6af2b3d612114d7da79066e53176ce1b242d642
SHA5129a8d8612ec67526a86128b65d45f4fdc6a4eb7c36800e6342dc0daeb313ce77d3ad9f751cdc73c38244f177fffd5cb103cac167ab86fd9453490a2abd6c2bff9
-
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json.abcd
Filesize1KB
MD5aa2000f1e9d13573ea490402ebc6cebe
SHA1f2b702786b470a5359a890f18c99ad7a144e33d5
SHA2566028c653014d0876a960f82d72bb943d3a18c158ea667974f0098ae06758158f
SHA5128b3e100442714218ddce371a68f88d6bb49265f352bce981ee4dca2d912a4f5add9a82cc67b894e45d3ea11d7a236a2635c936671d293172400489f3e90a93a0
-
Filesize
1KB
MD5e9b388fc62a8a1e22d4b77ea5cf5a43e
SHA161245734740bbceab25b5faf8ce891705803f65a
SHA256b3419c74a7c4cb229b0e4f2c386433d82e7c7d8789e3b1a15635ee9047b25d23
SHA512df797802ce17b323de4de9d18b71f597320e41af36b547ef8a970bbd3d49364556f6a00bb1c311b8cbe06dfb6c169bee3e79f299bf8ade9c84232745e87c1ec4
-
Filesize
1.9MB
MD50ad5101812890aa44c4d8637eb5a9ff7
SHA1bbd586a407c5536b7e4a7c6d1ad69d18ca953224
SHA256df667262ccb03f57f82824cfeeccbc2a9518da39f5f9abc819ae45eb730b73b8
SHA512caec40a548162317f8914eb55e221e80e233cf809d36faed5346e92dc56025d10cd5b45367cfc6b7f28fd8373ffac98e164eff06f78de72dfde7cb49ae3ff502
-
Filesize
118KB
MD5ee481d894d66e429753710a877559cce
SHA1f4e0719c847ee5a3d8e3be43c63591c2399a8434
-
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_12_54_12.etl.abcd
Filesize: 257KB
-
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_12_54_43.etl.abcd
Filesize: 257KB
-
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.abcd
Filesize: 1KB
-
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.abcd
Filesize: 1KB
-
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.abcd
Filesize: 1KB
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.abcd
Filesize: 1KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.abcd
Filesize: 2KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.abcd
Filesize: 2KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.abcd
Filesize: 2KB