Analysis Overview
SHA256
63b9637406042b4a9ab162e581c935e7f2c20b64ca504c4ae4e947aa43565b52
Threat Level: Known bad
The file ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.7z was found to be: Known bad.
Malicious Activity Summary
Lockbit
Renames multiple (6430) files with added filename extension
Modifies boot configuration data using bcdedit
Renames multiple (7475) files with added filename extension
Deletes shadow copies
Deletes backup catalog
Deletes System State backups
Checks computer location settings
Deletes itself
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Uses Task Scheduler COM API
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 04:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 04:36
Reported
2024-02-15 04:56
Platform
win7-20231129-en
Max time kernel
835s
Max time network
835s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (7475) files with added filename extension
Deletes System State backups
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\"" | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\en-US\Sidebar.exe.mui | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00453_.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304405.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\MSB1ENFR.ITS | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115855.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00448_.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152590.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.DPV | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18209_.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187839.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00610_.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107446.WMF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
"C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 20
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplo.ru | udp |
Files
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | c181a1926358ab253fdde10805535a9e |
| SHA1 | 9d20ee558454274db8813968d18631a28c44da0e |
| SHA256 | 3264f1334b621f1061e63aff566347260ede7d279e405f059b3571d7da846ff8 |
| SHA512 | 9f05502bdb31240fc7f2f1422f9c33d86b4b2d68d06c66a06e2c5246c76040acee2a209b715b04879f0682ab8b17a1520b49333188066557c4823d35bd145857 |
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | caf7f7356f8068edb6f8b193b7a926ee |
| SHA1 | 147c7990bd613356053300f0ae2a679a34869b19 |
| SHA256 | a322ba5d1f2abb088a77455713a82eeb24b88bb2bba506d9447b06b05e8e869c |
| SHA512 | 72f92961e4fcd4438be22950b38fb72ecd4e214ee95f8bed8f4ce4ea4046c066101c4cea37c997e6a91e166563ca6cd73cef150ca63efe58887b19ff94f0e9c3 |
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | 3596ae5429559305bef052a3ca8766f5 |
| SHA1 | 2ab00d544ba2c3b75684a67b5657c41d107011e6 |
| SHA256 | 8e38abc5329644e5a4b3722b3a1bb5bc968b58e054be880e0fad09416454b2ec |
| SHA512 | 5445d7a3c8c4e40bdaeec10da03493abae89684a65812327edb08dd70b3cc42e0fadcceb704c5f961d0085e9ac573c73abda3dcb29c4638d3099d184d2997014 |
C:\Program Files\Restore-My-Files.txt
| MD5 | 405b37f585fcc38ac19c3e395d985150 |
| SHA1 | 67430dc530e001564ce58ab9a1a8abbc664dfc7a |
| SHA256 | bd393607ca449820c214a44105fc03476d3238c4441dbe59664ec802a49effa2 |
| SHA512 | 6601cd0a7df9077818c66c3b72fde97f54c41ab99aa6071c44e9d2566fa659a33f9af61f592262ec23ef50e3111068a84c6bb67b023174a4e4bdd77b2c94539d |
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.abcd
| MD5 | 83e85f4b8803ec436a1a66fce1c058a9 |
| SHA1 | 7b89bb60522a7cf710b68bc1ed9981bbeac6e2cd |
| SHA256 | e9cb3b1fffcdb274d6545442cfde7e4462c4c0f4363536bb2722b8d7e4e14eef |
| SHA512 | ff8699f30fea66b4b48b930e02cfc0a94dbbd6422bc42b25e9d4626a3c72e2a09f1ee235b06664250388f03e520e9662d592614667d3ba545af9996e3208fada |
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.abcd
| MD5 | 9d755fd2dc6ac9b9f0a96bbbfefea049 |
| SHA1 | 09caf3231e938cc31c45f88557ba387365a1b116 |
| SHA256 | 9e6175d1173d61f58a07289f07f4882fdbd9907d62fa1c7e4bf8d4b403f7e6bc |
| SHA512 | 01bd733443ae694bfd880ed4d302d6fc18861f3c8a1b36a7519574fef9e640947385532d90165bc27e6fdae0dc0c48571ce35b8284c6212a5da43aba4618980f |
C:\ProgramData\Microsoft\MF\Active.GRL.abcd
| MD5 | 1e796a9dc87b0987d079a626633b995e |
| SHA1 | a27f974d7cb60693afc75936dae0908575f030bd |
| SHA256 | aa04b17ab7e3f95857341c989e9404bfe68739501fd627d03bf98b48752bf1a4 |
| SHA512 | 1d8d38d507d2b5a1fa3988fc0fd58fb42c2eb74c39e8500d1d7a98d2f3cc165bd173ee12484f23e951bd3a77eb7a4bed1252b17d30bc4214cc8cba940602a45a |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MSOINTL.DLL.trx_dll.abcd
| MD5 | b45e29e9b1f25f690e38ea0241676c95 |
| SHA1 | 3080261239512fbde5de708701638393a3959e2d |
| SHA256 | a7e870d61bc2f042ae5b00812a15454021a951444ec67d20fdef3a41edb097d0 |
| SHA512 | 74190cc7f713289194fbc70fd452a9ddce9dc1565907942e8cbb9c6c0be2e0a56f04bdc92b8f4dd8a3a7a1a3ec18a8c3144544e6fd16b2fe9d9bed955c490ea7 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MAPIR.DLL.trx_dll.abcd
| MD5 | e213928db05a94b0f2a68c0b99e331df |
| SHA1 | da9e4bf2c6c2035fd11b2c13a807b23fb0ac388c |
| SHA256 | 0af8f644cd6d4c51863a3531269ec731d5671f3347483a1d4d3ea648018cdf4b |
| SHA512 | 6154255239a6780f125d8467b16eeec062c30831f150119e18d8bf76d39126c3e9f8c025e14519ba9c2f4fc573120149fc49be3e92a03aa73c0e47f313ef9fe0 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\GRINTL32.REST.trx_dll.abcd
| MD5 | d00e45b6973d5419c65a85c4ea1294b3 |
| SHA1 | e842a43dbfe6efdcd9ab1bb5776d283fbe438cbb |
| SHA256 | 888612d31a31452182772efa1231897f8fdf829e2a8c50488116fcebf9872900 |
| SHA512 | 60c5ecb35c067037fbd4a2c0d537cd70e0663b2d2f507d94da480967c9b72a1702329b17876b4ee311d0f268917f2cb156bfdde66c73f01b894f9726a5abaa60 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\GRINTL32.DLL.trx_dll.abcd
| MD5 | ea985a315a1a041faa9dea1b0a4c5062 |
| SHA1 | 88587567a6e2410403a5111c01f500b165d3ee15 |
| SHA256 | 6086c27e37ddceac648c02da6f1a2ad6a000d818920dd03f6a88e6346307434a |
| SHA512 | f89d1a9f45bba6edcac9a509a256ac86f130ee0da01849c2e5545ee79bd9c75dc0695cd3a01cab60bafc4a1c556b28519f3679076e33a6cf1d3fb7c8daf26224 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ENVELOPR.DLL.trx_dll.abcd
| MD5 | 0b7741e38456b1c76181a79afcfdad26 |
| SHA1 | 0feb719d0508b82bf43cba332adce09c6fbb0679 |
| SHA256 | c8989cfbe6a0cb0e8d6a4b63d9c2aea83e11d64fd49983374ec6ab35af824653 |
| SHA512 | 5ae8f27e3e6c13a4dc859b0253180d4c667a5adf00179391916668e2feff1b184bd5324ba49b9a4d9813d206d5386ba18187e97d6c6369025cd29e242ca9ce4d |
C:\ProgramData\Microsoft\MF\Pending.GRL.abcd
| MD5 | 703f569bb3a7f71ebdd4e0c226344461 |
| SHA1 | 7e9a55ed45c5dd0740095c626d058806655cee3d |
| SHA256 | f23e3c83abea50e45fac3fd48669dc008f816b8f0a3d593f063406b10df1c8c0 |
| SHA512 | 5548d87dfd242974716fffb7447a6bbcb9707fa75e523e9e04db669624f0dd770157cfa759ccc1761adcbfe453901ccc1ded00b44d06e22196418150d00b0208 |
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat.abcd
| MD5 | cfd58ff40b545fcfcc3dac329a380899 |
| SHA1 | 4e7cc974c1e96f719a5e29c672655b0198f47be5 |
| SHA256 | fd96206165ff6448b0b383232c2e7ab93cd1b98e310776c38412659bd69f46fc |
| SHA512 | dfbf2ed0acd892eecb78baab9f51992c320c419c38631def1bbc3c39c8949e59ed05c34ccb229498c7fefdc600d66c14be8b296c4d27c03f058ffdcc3de44901 |
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.abcd
| MD5 | eda29d1917e3e347708b7203113802cf |
| SHA1 | b77a5c309ad4c225c02b66497dfddf15489de0b7 |
| SHA256 | 936a2916486df46509593753092502e6ed1e398e507bece63c839db6ac50b82c |
| SHA512 | faed46cb1f3e235bcd8e96c77b2a8bff1f236edff521802bfd01069636d3704e9540971fe4c9c842d4d22e19b08434021eb0eafd99eb567218b4c668337f25ec |
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.abcd
| MD5 | 9531fdcf17d10cc940a20558d89f0adb |
| SHA1 | 531d806a3fce33952bfc1d859ceadfc0e54bb014 |
| SHA256 | 9c1cccb6824f6deb82e14c3a907fe458d3e306c002404606bcf81bf68bdab387 |
| SHA512 | 75c585c1290438ec46326786848ab80f7d00eb8d9afb8a9658bc02a9728a39b7163aa112293aaa715d470426fcac8763fcb84ba572d8ccf23c019d6830c84a7c |
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.abcd
| MD5 | 37142527e9a93a7260bda9c8d0b3eefd |
| SHA1 | 1aa0c0c24caa9e21ec7880ab459756cb025133b6 |
| SHA256 | 5587f2cb85161b9e52c9ea070c0e209c9c963b17240bc8f11983958f92eee1d8 |
| SHA512 | a6dc8155af50153ce8c2845097d867e34bc1d4145e6059ec92b7b723339afb65704abe866676d236dd35e510e833a46e8eb2fc8c79351d3983ad9ed762434476 |
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.abcd
| MD5 | 98815f2a3cfaaae9cd75fb270c8b202b |
| SHA1 | f58c4181b17a66d824fb84230f6cf73940d42034 |
| SHA256 | ccae3665da2117ce62166b9c8088f0d87f730f172c9619557db1c9743270c2fd |
| SHA512 | 38289314ff59365a67557450b58ae82d661ca7dc24a611f74bfe262251adf9fc9e7165dd854c3536112b3a08e8ee4024dcd9b90664a5951fbe526f8307307955 |
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.abcd
| MD5 | 1e6c05f1df5ea0e6f3749e1d9adbf2c2 |
| SHA1 | 6b2ec0eb019c0fe4ca4db5da8a33218e38163a4c |
| SHA256 | 63f3dae5283042b15d03b8e3135c976564fe9f2b0c38d91cd71df06c02424420 |
| SHA512 | 5029f60d2f1d88e434ea86ccc738d08af49bf2df489de766172fcc1e9b397a8027e79dd9776dbdfb8beb7a4185f02b831fefdded323513e8dde8b48fb7f7b059 |
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.abcd
| MD5 | c2e3bb8d5338d4a81c34fab0bdee8ac7 |
| SHA1 | 5b69ac08fb1038ae5ac643e1cc101bb0b27a4da4 |
| SHA256 | e1d20cb48bd1ff79b49456d6a67d3681d952659f69bee82e05898893b9c93bb9 |
| SHA512 | cc06afd1fb548ae92d3a9ecc602f23f8361ccafe4403730359ee432b700b9b4432a7a29c7f437ca1edfdad36a3d6d1faa2cf3d2efb9de1ec792fbbe5db89249b |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.abcd
| MD5 | deb9369c6a5fa95fb61d666b067ae47c |
| SHA1 | af2feed3e100ea2d5d37970c790ec01a71d92a25 |
| SHA256 | 2a130f32d641cda5928a4f0a479949a75cc25596045ebecd170b33822fd6191f |
| SHA512 | 3b4ac8306eb2498e9d60e914ea118ef8ddef7e4d7aee1362c2b4f9f6e6a8e5e227aec2e577ac53d3639cbdbf6f34e7beb8b24c65aa619912b41ca675cb720532 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.abcd
| MD5 | 3f15ac73ca776ff51c22cd2206e1ca53 |
| SHA1 | 350bf3c89d54d143e671f6395280d12fee7892ce |
| SHA256 | 7c61b0e8e595833cd447169f788d86da4ac6535491f70894233512a91e528e7b |
| SHA512 | 7b03659563f0913291aec23ca81ada35b7b1153572c56669ab2025bc6110fea6da6fe887fd93dbc8ee66213ebbab40f4d27f84c8882e46ea4503cd8d7ddf5ba6 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.abcd
| MD5 | 0e04bd7bbb589ed8f4367f88898a2783 |
| SHA1 | 79898baa8dcb06d69222a08d25050840c4608cf6 |
| SHA256 | 1de7c80696c420c6d04f6fa2f1df8535fa98cdbc979bb78098c4bf228b728313 |
| SHA512 | 8013fb460b3d6c60cc5f083d9e92cc7cc6e448032a136f9d4598c57ac72ca9bdbf1d603be1e1d8078f148f87c6e66ec288fa604f93546717ae87fac9f506cbec |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.abcd
| MD5 | cf67fd6bc1299d21a2ed6733e66f8380 |
| SHA1 | 7e8d85b7b94f858df35076e127aa544ded5b16a2 |
| SHA256 | d33ad740e4023b5f41b677c30fb5a507e9a7eab6d1141ded5c9e19c093d2d73c |
| SHA512 | 4dd48524f6843018d7a569005589309fa3f67ca31332704c1c9c1b946e2357895ec3609e5cdd41ea2067e8d23dfbbf8df6b17219c25967ea77b694479e6f0130 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.abcd
| MD5 | 548cc2e99d1bb0cad29fc0e6841e6414 |
| SHA1 | 1bccfe97ecae4f3316721e77f6bd21a1762e1da3 |
| SHA256 | 045fc8795b604979434b3c0f34349dd61fd9534e38d04a401b47b63caff29843 |
| SHA512 | 6b145aea9b07ec084f8fa03349fe2405ebafebcc6cebf6d5e1e505cb5b1055fea7c9043721ba65856ed911312345d1cae6788e2ae7fa0ae7c40f9b7ec6fff7ff |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.abcd
| MD5 | 7ed678a9c5a7e4841d682fc09450784f |
| SHA1 | c40a27f55325569f0f53fe597d277f55442bb347 |
| SHA256 | abb1e133281bf50aefa9422dfccd38fd3346894ef85c8929fbded509646bc7c4 |
| SHA512 | a8973f74f8d12af4616d3b2eccb8d1a276dedaf0e2d8e8a76bee00d1b5b298567b4a40449fdf353237d747c08b5fc65fbfba0b8cf476f8bf2e5fbbbfe87fb5a8 |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.abcd
| MD5 | 250b4a0819ee8e4f7cd0cdf2d2d80b96 |
| SHA1 | d58423b6712a994221323107569f9d11941f119b |
| SHA256 | be24f3cc04cc6addcfca326c416d88597eb59a18accbfd2147551fa5962df1a8 |
| SHA512 | bcfe544ff68ff78e56bb6ed12eacc295af3aa175980518f0fb256db6e183aa79e33bf150d11cc65d966d42acbc5a46e16017504b098a78d09e331c20845f79c5 |
C:\ProgramData\Microsoft Help\nslist.hxl.abcd
| MD5 | 0a3643b8f20c7772a07530f6a6eaceb5 |
| SHA1 | eb21f4a08897c8cb9e000a849450ab5f79aa2de1 |
| SHA256 | 457e2974e72cb8e4d06796a6321b9e32be1f025572e7c39c398dcf611a3e6271 |
| SHA512 | 65795a5ae64d630bee0474313fd58537cd49d963c0329c6294979cfbc79be259c86d1474f0149884ab6f5198cc9c578f7e9edafa67d94ff1ad64280a6065a68e |
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.abcd
| MD5 | 11f9159de66059afb6396cd6b749c70b |
| SHA1 | a49dea84df9eae6a8d627b9f281790c6758e37c7 |
| SHA256 | f3f372b7c6e6499c2fd24e1641f01f564df56d3db8d480558a13aed59451f084 |
| SHA512 | a0722ef60211bfac15c6abdb41f6ff34386049d9a7ba7359168f898d4a53a242f9c591bbcf657d3b4e2487af360ada4aeda9b9ff64506a0b18d7eb8139a3ee22 |
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.abcd
| MD5 | 7b2eabdc67a694a9f59e600f5eb88147 |
| SHA1 | 1f6b8fe4f977bdd0aca0609f46ccc35abbe93780 |
| SHA256 | 9baecac0737ae2c2e662fd999f1fc66d7491da427c696e8018e347fe34a2cba2 |
| SHA512 | e62373f4a4ae613b866416e3972df336d84295252dc428e2a8b31d0ae925221a300e78af97adfbb80556c797a275e3d41cce48d6ef53a7101ff284b28398c1e4 |
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.abcd
| MD5 | 2384fc1b8325156f5cf5f7b59be86d74 |
| SHA1 | cbcc52280591d95f54b834f3cdb7c0b3bf1d9afd |
| SHA256 | 57220a8ed000efe1a95710c5eec21fb3ed00fe1b61aec433f1f713f6bbcc48a2 |
| SHA512 | beb3bc08185642a37124362cbabcce757beec878c67741e6a0910bcab0ccd9086d5c83f98f5dc7dbef32203ff329f9d19bbb93ad6c5ca248362ebf789985117d |
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.abcd
| MD5 | 638fe10f36c8343d35faad6e0ffd6c82 |
| SHA1 | 75e0c9d66e4e3f0a3b9d2898a7888fe5d4dddea3 |
| SHA256 | 3cc44a8fc280c50d8c33725d9c9c4762f5ad2c11ec395abc111cb6f793db2618 |
| SHA512 | 221f30ab5646ce993ed22619253598c69c47a1161ebc9ce96502bd03ff436ac2fce7810403ffe31a72126d9183d68bfb57a0cb1b942f1425e158d4dcadcef761 |
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.abcd
| MD5 | aa11a5ed4d202614f70138fbb8cbcdfe |
| SHA1 | f82190ff0c97e577eab1383b77620390ed5da280 |
| SHA256 | 7c19731e5f3663907df96b0d2e05e28df646fb5b3b2bdebdd0be8f3fa451eeca |
| SHA512 | cd198be62495e960381d75fb1449d92a2eecfbd4ec4c1897b823cd4ae98b86187512afa2cebc492abf406b3366e834154141acba6266ea0b464215d1e9fbc345 |
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.abcd
| MD5 | 59474bd193c80b7a422cb11fdeee8e33 |
| SHA1 | b91584a3d5c95fd73fce062187fe9757475df43c |
| SHA256 | 89f5c87443a898e706d7574f2574d46692125f7416d8a220e4f549cfb50bf034 |
| SHA512 | 226719bc91900f1831c988aabf581f73ae5721d101f01b218088aa2b7c7e0bf6a08fdf6ab1d26157279bb7bd80b0dfd4a7aa597559e94de2691dd3c0708ba100 |
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.abcd
| MD5 | 38157ca500a23dd49793e0a58207c2f2 |
| SHA1 | b53498a68749763225a5b5b043910aeebfbd0067 |
| SHA256 | cf219b044299a3e57119c4feff613f06e24eecb3b651c7b94c5f595264f20c43 |
| SHA512 | f84638523b1431f19d46de280fd18f2b5e95c7aa2636fef212a85d9a8b02366006445b89490ee1cfc919dc6213e6c619946025aa4fd81ecd52e77b04d6294480 |
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.abcd
| MD5 | f53bb4933418337c17e54a6ce07539de |
| SHA1 | d2dc999c258d5dcb828dcfcd64fd3e237311ed03 |
| SHA256 | d886b18eeecbf364d5b6fc2ee5789e7bf41e9404b6cb4703c2ceda2c4c2ca3be |
| SHA512 | 9f52d5ff1dd0e57666057d361df52f8e433aa0a3cd26cf04127f7104f4577c507e5ed22bb0a8c861b7a18275eaf41b3154c4488d1cdf7d3fae23b1405935266f |
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.abcd
| MD5 | f40241a52c20d244b9111f181ae909b7 |
| SHA1 | 281a97ad5dcdf731ef300049f8258d4e18367dd3 |
| SHA256 | 086d4ebba8dba70dad7f72a1462ab06459916287211105828c5140a465b6598c |
| SHA512 | a75b21bc71dcd372164a2d101f26a5da7e362ab061a02632b4e7c428ce20209556ce489f6e78c5f9cc8e0f177d85be8eb47b64f30c19661cc70a945698fb5d03 |
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.abcd
| MD5 | c769b0a6b138426f92ec1afd9d8a9b7a |
| SHA1 | 83f22c2335f079dc68b790b8ea19e36153ab274f |
| SHA256 | 1e5bdac405c803819e2934337e8a42cf7dd6de295aa180ba9205674b94316e73 |
| SHA512 | 0fefbaa5bba2df5164ce61316508809acebbc22c0b7422b8e1c3cfe45c6ab871060f7047b2942edefe410e6475645a57c8fcbdb2d2796a5e8c0c0980e131e264 |
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.abcd
| MD5 | 3e62cc6e0d09c793e7a2cbdee46bb950 |
| SHA1 | 019bbcc30a126d1470c0ca88ea3561fe30f714ab |
| SHA256 | 2062827ad6e0f1d70734e51afdf14c480ab4c753b7871689eb7073ce747f3dda |
| SHA512 | 66a0d8f2eb10e3adce60058346562cd140e38e7a53eb82666391b739095227ad4a2a3126fe02a2d626bf5c435ea7e9c2a71ce2207856ba56f0a65663a5097719 |
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.abcd
| MD5 | 69b93490a78eacf2a51cb9f6ed349272 |
| SHA1 | 971a1a3cb72c8cf7bc110754d88e3328b1a1243d |
| SHA256 | 05f0bd062002e10c39c8328dc370b8b981111d20b27adecd6a6deceeb092c2e3 |
| SHA512 | 3d0b55fcd9a658a62e56486b0bb20bc7fd12bcd7d9c84eb5e960fc9d9d6d3a597fb26f197f0ae350d99d78fbc872a29bbea9eba8c80ee092e49f2140e1c1b72b |
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.abcd
| MD5 | adf9b213aec1bbdd627b6e42995b9a2e |
| SHA1 | 99d193868e4a76b8b1becb286978feebf1872ff1 |
| SHA256 | 7b6acb33b26946ed847f68f0c55e0585650aa7fbd24c215389d5b4bdaa96305f |
| SHA512 | 3becfb399c104eba99dd0676437b0573fec7879191c2d5f7068d69ec9924e4e1845e1cbe42430afb8b0523e3e62ac61a5c38b67d4b9347273f2bb2b7ca54e211 |
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.abcd
| MD5 | 8010f5119cbbff338f644081f191d02c |
| SHA1 | 87d108693940345abc23fef9327a7f9e4f18d0cb |
| SHA256 | 1cfca80b54aed8cb7b78b9e36b55a7eb8b9e54803bba0704d5fd2cbf7ab9d898 |
| SHA512 | 4df8a3b7ae817594fba221a5c651fddc8c8b69099726900ab7454aaafc848434ef9ba6d0862e35d37fe2e316047c474f31f47eebd57acccbdee817be216238b0 |
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.abcd
| MD5 | 7e2b55a9033d36d721ac5ca6780f396d |
| SHA1 | d4228b8c368a7f81c34cd47243c2d864158dd239 |
| SHA256 | bd3b516d11bed31f19ad545f93cdc3f189cc446d2f847c183ccdd09687f2ef9d |
| SHA512 | cbd826deb4514e31936ce33ec3077fdd3fba0222269396abfc663fddc24523661114fc56628fa7324f0ec78695e8aee15c100654c9011aecfcad87867e49730c |
C:\ProgramData\Microsoft Help\Hx.hxn.abcd
| MD5 | 5d8f74811f34d09dddff76fb1fe8c10d |
| SHA1 | f025f73d75b88f03c25d9b73aeb573bb0b659288 |
| SHA256 | e328ba54748a83dedb1eb72abf2e504bb2d7a17fe9c0d3d7df26bace12abea85 |
| SHA512 | 67112b71e8c11624e37b40d7cee36844b66a41e53361df4569f6d4205c14873b05df01bc605373786da9520a293eaeba0a59ecda8cd387de7bd23339c44ba6ac |
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log.abcd
| MD5 | 63bbce65e1e9d9703ca8f68b99a47a34 |
| SHA1 | 379b2e6a4f3425f2cbf56be6754c64aeb818d861 |
| SHA256 | 0c843064f722bc17278ca6f48c16759159dc555fe9e0ff5b27a75bbd9b9756d0 |
| SHA512 | 2086fb90e9f8ff784489acd03c9174c69e1e76918327644cc8e1c0c42ddac87b0a7d43e5c149bf0a2c3a360a241b38504dd0ab917d5a554c12ad362c740c89a2 |
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm.abcd
| MD5 | f7130cec518f4ada91705ca90e7361df |
| SHA1 | 84c9ac52a783489ee96c298e1d472e1b23396048 |
| SHA256 | 7d174dded42a2d199a5645c8c8fd74d8ad4e1ea48dcb8e938d6732a2ce319c37 |
| SHA512 | 124419be6c441ed9df86ed17a0d2686212d098dbc0f25bf729f551603e1b754726a141e7a8fb3485d16ba0775ad77677dfe14a15b1a41621088756fbdd63bad1 |
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm.abcd
| MD5 | c07ab5f70bac9ac63b6c46b6431ffa1c |
| SHA1 | b69cf4471da7304b192832935f7b0e25cde4ae53 |
| SHA256 | 39ad3b49e5d7d00a93d7b359c4531115b4c7b62133ab1e34f3271b4bcdbeb6a5 |
| SHA512 | a3cbf5fcfbdfb9bd4ce52cfc4f6888719d8fafc17c3788a98d39a5a5e0d35a2608c0549320d85d3f4c1396ab2975116350307fee3d3a6145a56820a09bb5df92 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.abcd
| MD5 | 1303aade13468c11ab61fddf0c2e382f |
| SHA1 | f9e6f9301cbfb4644ebfe49f60296080aceb980e |
| SHA256 | 14d373e4708e3d28c9c4b0782a8226b858ec5224f59c202b4ac8d7db10242f58 |
| SHA512 | 43e08f0e4a40de0309be8dcb7bbfbdcbe312c14e9fab56b4d16f1bbbe3be9f8777f51cab37d710e4551d6a582017548d3ea51df6cb1951ae63c4e434e96cb4d9 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.abcd
| MD5 | 7e3cfc65d481e8d8df7f71c63a0395c1 |
| SHA1 | 16423e744dfa51d679023e68252bacdf2b0481a4 |
| SHA256 | f00e20f6facc92f80d044259c7a7c92850993565537c10e9d23d705372c0da4c |
| SHA512 | 80034c89f92e973235898ad694b17fe393695f278500755eea2b993424c2b5f864dce139b79471efefec3ef5b92855a566b06b67d155829f4afd84ffb15d9538 |
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.abcd
| MD5 | 2e6eae62ac5c6ecddd5833bd6adad7d9 |
| SHA1 | 5c1554e3843ea677d99437c8b40830777de7493f |
| SHA256 | 895f8d584d0715371818637ed443d0b5c19f2293dd892a4291997daf8e8b548e |
| SHA512 | a780cd591c402dd40ecd2acc790bc6f577f0264de672377b38e9a3f4542c03a2cd9e98e895b0d4d1b27927830ad09d053a00774e66ffcbd2b27020c5b650e7fa |
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.abcd
| MD5 | ed524b6beeb7a08fe2f629cdfbc34e1f |
| SHA1 | 8ae1427b4fc60f0c747b409d8feba9a4599e18a0 |
| SHA256 | 54994e4a39292d41b61aa784e957705e37e4dd07476daae7a5b0e3c17ed6e0df |
| SHA512 | 70133ac4a0ba9d396f433ba930bab776e08d161340cc4aa0cda60de17466f6c14949ed967280d16e821c3fb1d2e28a66a66e216fe075547a39e5f09c05367ae7 |
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.abcd
| MD5 | 7403077e9048000359067589785abdc6 |
| SHA1 | cad63239d15967de8fe30ab7fa1108cbb0a3b004 |
| SHA256 | 848d8156198c2d2128e5a64bc6d3e55590addbf1983f1781588a6b17d1cdf15c |
| SHA512 | 9e63aa5e36b49f4bf27c56b267dea91cbd7b463d169f420a328866bac137144553faf9b8b4b4a1c138cea852d57222082b2c43167582e96fcf68bbb9fc640809 |
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.abcd
| MD5 | 326fff2b7da6d5e7360e8dccfdbce7b1 |
| SHA1 | b6b083249e084b3fa17c4b8790db5b19fab9e5d1 |
| SHA256 | 2c696066316e9f72401aa8729126d28e08fc3e59a5e77fe796a0727faa44891e |
| SHA512 | 3a5b05338452324ef403f7f44c4387e5e08a33282b5bfc6460935c3d365269f1891ab02169396b361deffd388aba9a776b3b9824710b4244b1836899df5b2d6c |
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat.abcd
| MD5 | 164749a1458e278c40be6c687c2ce3e7 |
| SHA1 | 474a286e39fb3c5035a27798f7f77773737db80f |
| SHA256 | ecc723e27e075b5f942f18b0e36c749f4820d8a024dce8f0c136c53a80e0488d |
| SHA512 | e25276277197aa1296c8e6dd652ecb2aeafc2023c86dcac5c1f6c2f0d5778a47747c08a886cb6907fe2f554d3433695a00babfdd6c2d2726fd88df84285ce5c6 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll.abcd
| MD5 | 109b5e138fe83750b5453137c69e82c2 |
| SHA1 | 6840df0066e72c73f6ae6d44c2bc3178d28b9ebe |
| SHA256 | 6f92435929e00b9edbd0f6330f71e9d3caf76120541bc80e22b9dcacb162edbf |
| SHA512 | 13423e8d85e3ce4d0ac25dfadccf06a4d76671b9fa5ed1c8cfa383cea5dfe3ed3fc22e49d7959e357be305b3a67d6840d6d832133aff341efc21d44fe0482158 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.REST.trx_dll.abcd
| MD5 | 948a590a16eca3d77c58a71116a57a42 |
| SHA1 | f41e10b0ef64c16cdafebea57e5e89b2e631a7ba |
| SHA256 | f6dcff8e8e011943a601658773133d3e85f5bfdaea1d14e5ba2b5202d88cd2c4 |
| SHA512 | 8683b5cc0fb2697c1d6962c53cc716bd58d3f2457a8a39d5e3e69522b1a620d44bd339345e123d96b933a901ff04276480277107cd35d7e794feae48a46dc4b4 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.DLL.trx_dll.abcd
| MD5 | 5d68a1042ba0e167814dc67ed51dc5ed |
| SHA1 | 68ebfb75f30cb8d6433b29c48318f20429b769ed |
| SHA256 | c82f07ea6b17bf03bba024ec5a44d93e12bcb88402850f913e892e5c4a521791 |
| SHA512 | d59492fc4de0928d8965082523b2ad74517ee1edb7c918f0eeee8dd1d7c224889cc842c32fa4b379449d69cf7762d592a818eb3052fbca67e78dfe7d6e153ca0 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.REST.trx_dll.abcd
| MD5 | 41acc9e30c76c473902dd80f939c6165 |
| SHA1 | 5cd24e1f6514559b121a0064a9fbead34674f66a |
| SHA256 | df8edbc00db8f32f9bd0662d6763e858f696e9889599ca270485ab47613a8481 |
| SHA512 | 36dd9812bd1c282432d1e298b03c36338b579c24b50fbb08ae6a96c1dc78f7328f4bd75cccea19be0353bc839bc8caac75744bb222f324c8f290ff2e00a12c3e |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.DLL.trx_dll.abcd
| MD5 | 3ae1b66e740b155a5702d1224a700f16 |
| SHA1 | 03e18352136cf1e6165332e53fb1bcf636bc8604 |
| SHA256 | 69c19dd40303b9f3aee9cfe183dd5fabf7db216ddd8a52cccd7ce503cd154acf |
| SHA512 | 3e6fc06ee0ce88b19a20d3f6e9e31568184436748c9b51ff6225cf9150b18cd9fab5fd71244691fd4f3d6e85cc9e85a9f174532380976bd4cca486f2bc22fd7f |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISINTL.DLL.trx_dll.abcd
| MD5 | aed83c47d64963f1b0382e675390dd22 |
| SHA1 | a37715358d1b83dfb60084e73ed7afd5d896e53a |
| SHA256 | 4781d7d2b089b2aa16d59480fc62fdf4a354a94d3c269e2a8821391a28a78f1a |
| SHA512 | 3d4aadb923225f086fc09a6e4d70e7eada01397d9670cb12fc4855fac15575c5cbf66b7605987c3a5da77363f06bb7ab7858d2131ac1b561377857d73b40cf05 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISBRRES.DLL.trx_dll.abcd
| MD5 | f03a7a85c2f94d0aade30d77a38ff000 |
| SHA1 | 13f7ed37dd3ff305fd808f1e7cdd0541f8d1ea32 |
| SHA256 | ec4584118fef5a3ce6d81a1bc6aa5523ce9bf7a16602684e53f74498676a6080 |
| SHA512 | c963ffd06663d0688cc843c97951d2bd1d72f226005d5a549c9ce1ffab975687e4b5b1ea935847e58c4778f8bd7f4cbf4f36716402d5c93d086da42a9d26a53c |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\STINTL.DLL.trx_dll.abcd
| MD5 | 877e4c767eca6e7f7ccfc780c114861c |
| SHA1 | afd807007c76dc02240f665b9405ef6ae92d2044 |
| SHA256 | 82cbae91241f31921bce725ded927ef5f3acc72ccba9d4fff56826ed6da6d33e |
| SHA512 | ed7b76cfefba01bf4c56a2fb7b853bcba4fdf933d783bf0127a13c40f4f91634cd577e91a1d93d31d8145256c635bc450014190691a038bdda1a71050517c329 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll.abcd
| MD5 | 8cd2bc06c7c4ff62d2c2109e22276d01 |
| SHA1 | 3c6a17e658449baaec94fb88613806682339ddbd |
| SHA256 | fe38f32a3feebcc119be7f4f180d08c262a1943289f57bbbb90ed28768f87607 |
| SHA512 | dcd248474e0ecc7cb1e24345342867ad921db39e2ff12d83b9c2023efdd63a530cb4dc2f148899f158d1f31d138a8b5fea604197e8c69e818efa36416dfa49fc |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll.abcd
| MD5 | b4fee77597e685a1c933d3fc2869219d |
| SHA1 | a4b5b05764a4da10103970836b2b25f5640656e9 |
| SHA256 | 42a653a49806b464aa2bdc288ba40c51ead996992483fe3d3de458de405b0b77 |
| SHA512 | 615dc22ff688d959d89b9304ea184f8050548a62ccd0e82a4fed38fd1586a480e58a80dbe9915ca557ab6a6d3334cf2251275c718782df1f55aec2e7815b45b4 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll.abcd
| MD5 | 8ccfa7b8d4fa4965cfd06703a87608ff |
| SHA1 | 628b39204f96139598949833395856d67724b3f9 |
| SHA256 | 78b7b020adc1556a2076c6efe7d0e68da3bfd39ea339ad5a600fa9a0ca401e22 |
| SHA512 | 18915b2d6d227b159b236f21e44292254a55268f59d5533067bd8f56897d4b7433b79b84cc13cbf10ae6c87645ccee57ccb1e05bdcea4573c9f007d2461ec72c |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.DLL.trx_dll.abcd
| MD5 | 1fd042b8459e793751a2b29a9f15721d |
| SHA1 | bc5b9c72cdbf9c5d4764efe22afe8a910b42f5a9 |
| SHA256 | 43f4e7d69143ac16cf0dbb7b43935f2fa62c9c86c4c2d711f0560ee2fe7b8c15 |
| SHA512 | e9b9af3d4157f07505b760844485f1423c6b62fb68da74dc65d37187124f8ca684c60fb148a0217aab6f98b640a0b94cc0c86c11a0c4cfeca65f7e70b4fd78bf |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PPINTL.REST.trx_dll.abcd
| MD5 | a5fcb3982f98d31598cfab66782f4a44 |
| SHA1 | 089c74eecc8dec780476abcb867c0780491eb812 |
| SHA256 | 5e476d93f3faaf073948013ea40bcaddb168fae9f9fa7bdedf690c343b097bf6 |
| SHA512 | 263c606a7116131454c78f9009d5e19045848ebab852eda59482416592ac78e0d943f59102da932a0b6f5876dff5ccfcabea822d33ccf2f8320d554ef3926a3a |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PPINTL.DLL.trx_dll.abcd
| MD5 | 7b7ab7ad4528033e0b94ec671a8e0e09 |
| SHA1 | a4969f20992cd858f819b8fbcc3e2390fd3b6e91 |
| SHA256 | 6b0ee0e3731deb68c6faa3ca2fbd8ccf1c2e2cd5f29a488b26363d80a3750b92 |
| SHA512 | 6de6aece901d966fbab9af5164d0c0f90fbde6d3edc8615e19f0c51d2358bf6a4a0ae66d2cfc103df27dac2b3fc47ff2e7ba35019b0088cc3cf60bd89dfd0aed |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLWVW.DLL.trx_dll.abcd
| MD5 | d9491e26aae2bc3a3ffa138e79324050 |
| SHA1 | c75558ccd8944e73ab4b94dc1728803e0eabf831 |
| SHA256 | 3827bfabf8d98c37f454264ec189cd816ed4233d67087eae2f84a2086ef5cb8d |
| SHA512 | 7c563246aba48a4223ce48dd71d44dd1b277aa8149eec92f81e01f63215d581c007998e955d3da4e4b667ffaa27fded458882c4dd5053b654dd4c77e0382e7cc |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.REST.trx_dll.abcd
| MD5 | 3e3bdb11dfc9108d6281418ad887dfbc |
| SHA1 | 709c6c5398d4049e9bd9c445119542d1e0dd2b0d |
| SHA256 | 7aa94880473d8f48a8520f45ab70ec2d106f39262f372ee169bfe91086fcf677 |
| SHA512 | 83cbf5f981ac904278d79412737ff754e0fa40dd079b09c3b72fae1afc387be14767ce8330741e5b6c28449f132a0ff2550cc2ce17c7a7808f43e7639669426d |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.DLL.trx_dll.abcd
| MD5 | a38e280689febdf10686e0dae3bae8ba |
| SHA1 | 67d210803ac845f00806677b017ce4ed8bb489c4 |
| SHA256 | 12996d669477242c74f3a41a63fd5df92b00c98a30656922f9a7c9acf49f6ec3 |
| SHA512 | ac94f767c1d5d1a2e39ab05b219ee7cc6286665aa4dca78d370253f8137c9f16f31261bed6a6e8cfff9061653dab954f01b0f335489ff82a28f1ab85577990fc |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ONINTL.REST.trx_dll.abcd
| MD5 | 32c7bca176169ebdccf0199afccb7dc0 |
| SHA1 | 594225380cbb1cd618d822a9d469fe71bb59f25e |
| SHA256 | a76c93bd4716c96433cf5f2426da13b4716d082d59e10ecd365de93550d5055d |
| SHA512 | ab14c2b6ad5fea200ad869a45f9d8eb845b8081ac006afbe6b714462bea6438aa393c9b76f1ec7b8e1d6308aa702c1ab2879b7fefeb1a320490c5bae98a5a355 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ONINTL.DLL.trx_dll.abcd
| MD5 | 4850f5b9b58505442966cb7633817e5a |
| SHA1 | fa7898063c7de0b4bd6cb4ee21f763db17e1739a |
| SHA256 | f176fa0c7782ab70bc5b76f211d0abfc794ed11e3a781e056a25fee033e221af |
| SHA512 | 0e5d6da0e14bb5ec6cc452da8d1ddee6733a6928554f3807bbefe85712dfcc6269b16e6c7366456bde2fc1064d342acd2f6d2b816f5973d02a2d281f7a837ac3 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OMSINTL.DLL.trx_dll.abcd
| MD5 | 5bf3968e4ebd14a3a591b1cadbb841f9 |
| SHA1 | dfbbc9c09b94a223f17ee2b112641b8a7ba976fe |
| SHA256 | 2d43828f9736026658f0ea37e068971d9f863beb09fe3edf10241d3a200e11c8 |
| SHA512 | a86792a3a38e7b7e33e0fdc4c2b777f45caa69f46ffb0a769fe5056d0d7a3dcdf841a1fd5ebaa389cc1386f7c145b3812965f5c893076fc5b6625a7933d930c7 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll.abcd
| MD5 | 797c521e21f18ad39126ad9d2c2554eb |
| SHA1 | 30597c569fa97cae3a2011c109cf634748e2c219 |
| SHA256 | e5a75984ac598de7d68f88134efbe9ec4da0a32a741d4e85412c4ae1290520db |
| SHA512 | 84e65867b9d2d0cad07e8e4141a455b7b09a5ce1148d58643e30e79bf29ba936d5eac7c2a07269b6439592d83fd58f25b71b75e9ad6930e0e83bcaa10fde61d5 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.DLL.trx_dll.abcd
| MD5 | 7c97bd5cbcb0b6921eebbda069091662 |
| SHA1 | 0a3f30606a04239a280e237380e2adf4fa8081b6 |
| SHA256 | 8f97c8206f5beb5cd06063807f2aa91e588c799a8e207a2d201d63c298f4e42e |
| SHA512 | 65bd6361e80dc5e35fc3f2288652d990d1ae4d3b89c944a9a8259bc94ea55ce1ff56b78317157473b488efc7d0294b9a5cffdff7529149f27e9163fc059aed49 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll.abcd
| MD5 | 25d5b1e07a5e81736783dd3216efce16 |
| SHA1 | 189edd6157dceaad3b4a8c74f49c87cdbdb9a54e |
| SHA256 | b910ce952e3b41dca2785a416d72779a793f24fae41b8f5d9e90fbfbbe92d951 |
| SHA512 | 0909cd06a2791a1af39df3e5a361e51581769d2b61e7be76b9aa2fcfc84b14a5f93eb8e3c737ffa3787e057b3735a0fc8e636e4ef3cbd3b4b0c2c4ba71c9a382 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MAPIR.DLL.trx_dll.abcd
| MD5 | 884c1881f4fbf91be2c3405000a1b2a7 |
| SHA1 | 1155036d88345a2833d07599702e51f84da25303 |
| SHA256 | d68c7bb69a5c4442a8ef40c53d4619ca3cd3a01197f89dd7c8cb8a3c90a71e09 |
| SHA512 | 6ad7e4301e6c029b5b2e5bf3685d4bd6e4b62b7113654e40b8018c95b89a793306e580b1f1a69572e0df9d22aac12613be2cb74e1f39b495ed74158975d2932e |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\GRINTL32.REST.trx_dll.abcd
| MD5 | ee2f1c0508524e177e25da9fce2930a9 |
| SHA1 | 1cad3f85117c195be94c1079dfe3884d1eb83a3b |
| SHA256 | b323b75a582fe85063240c74f96ee360782a759965cad277294cdc4ba19ffad6 |
| SHA512 | 10d272b64b393e08fb91f5782aa0a85d32e26ad44f1b921bbc3e496a6292092f9fff37217d3202aae2569981d3f204ea6f9e8c8ad70a156179b39d98b4a118b2 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\GRINTL32.DLL.trx_dll.abcd
| MD5 | f8f2287ed845b72a6c9b8ca6a00f67a3 |
| SHA1 | ddfb457a032c3617316eaa6de4b94128ec91612e |
| SHA256 | 68c6fea7b6637dcd121f3c74871304183b62e9499825ed4215e080e9ee1eebca |
| SHA512 | 31d3309ad25be1e4e7eb24349e4a2335b1e347257387d8dd0d85ae6e2fdda49ca76b9e029de00003146f3833fbc4e7fa8105642318049b4e73cda1b07548cfb3 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ENVELOPR.DLL.trx_dll.abcd
| MD5 | 96c8ca52e4073a45d84622f148063ef9 |
| SHA1 | af3a25eab3038a7c0aa6010ca9bf63b4a58f31b4 |
| SHA256 | e593dfaed775aaa2cbbe6cebc6aa18cb369e8cfe7e894ac9e343ec4a5b880a53 |
| SHA512 | 0def9f2566e0a20b0271252e5b40a837082f03d078416d53f5b539a54054cb4eb29c10a069902e2dbcc8d21868c1570c30bba33a8d2275bc067f11d0ee3e1520 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\XLSLICER.DLL.trx_dll.abcd
| MD5 | d26b89ded29346b53ea0cc0ab6fa3768 |
| SHA1 | 5c432b3b320fe2ea9b9daaf0be25d5d747478f78 |
| SHA256 | 48b7c7f41a022b4736610ef65891ad07e98ce12b5dd76f83e9d4778370c214ff |
| SHA512 | f6b1b5d114593cfd16abf3bdef46471da7af51634c9ef294f5cbd77c1488030e7f9727d56938ef59ddb5be60cbacebb481f5a438a1b149634a42f56faf2de0b7 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\XLINTL32.REST.trx_dll.abcd
| MD5 | c3e941db58874e508283c144873cb87f |
| SHA1 | aa84b40ab7535c9c1b71cbc4d6cfacbcfecd2811 |
| SHA256 | af8001a0f184a8114137c21086005989b7a7c3fbbc35729fac531dfba0fe98de |
| SHA512 | bf95e6ca704ab686e7072906e2d042335499844fa43d5dda91aa0365fd951108d79ca934b464935ba165a5bc2b640bf8106a22a5172a8993569530c97688c551 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\XLINTL32.DLL.trx_dll.abcd
| MD5 | 408704ed5340061c0af3f03ef4805e0d |
| SHA1 | c50c571ff83be014b82aea8ca8030646d8c3ed8f |
| SHA256 | 59b5a91fea64d5c74a2f3d52d662e95c287ce23a2be8830c495179faf226b0b5 |
| SHA512 | c9b68c2881844cdac0790c883c8acfcf7136fcad94d99abdf8451ec3755eacd35d20c150a4b39ec803ab8280b44ab0e45580ca318fbe5dd11cc11eebc059af9b |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\WWINTL.REST.trx_dll.abcd
| MD5 | caf30e9b5c0a5ab18f8411006f8f5efb |
| SHA1 | c6a27091f8a0d938726e01e0b746fad5999f81ea |
| SHA256 | 6c3a8a288a5fc2cafa5b22b0f2f66b50fac2a6667b56826294858120e5d1c00e |
| SHA512 | ebe7ba6d521bf8940cc4f29dd35c7bee3ba443fb908c3465e89d35da5bb8a6a1399060239426e1444cefd2fe89ea841d280fff26709f715a856f2643a8082f78 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\WWINTL.DLL.trx_dll.abcd
| MD5 | 6f1663446060931d13c62e7b0a92f7f5 |
| SHA1 | 38644a5291cb3666a2d732120a4de6b6f89a8ffb |
| SHA256 | 87ab221ee97a62aca341872c88f11ff0446323cc3e724e94d17c599cfe6cca0f |
| SHA512 | d6b80f4f82df997a0d3a9544e070dd41e6c2880593028f9a2a8471549857339ede429ebb6bd8db9b54f7a26d2a2dd5973044a960b58c05372580b84d998cead3 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\VISINTL.DLL.trx_dll.abcd
| MD5 | d252832e63deeb78c046cc32d3e8912c |
| SHA1 | be91e0270b016c5c00d6c33923dada848d74328f |
| SHA256 | a24235f737d908f92b9e9b0099081dc877f5e837ba4f056f5e3fbcc9e8536e4a |
| SHA512 | e51e5042860e12658fd4767c0fa9f03f2dfc2e599dd794fd1771eec3a0473a3c179d9542b0c022b1c981bf51d5c07e664def73ecd526d018c8799f7cda179470 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\VISBRRES.DLL.trx_dll.abcd
| MD5 | f75b087a5f04d9a656e48fd225f2f8b5 |
| SHA1 | 3a3c66dc67060979abb8e1e4a6650f5ceb4059ce |
| SHA256 | e7b32e80c8f02b85f4ab3028a9c5aaeacdf617047fc9d60aa9afa8775827b936 |
| SHA512 | 8e322786ea51dfe004ca52f080017d324d1a0b123b2a003971ba727d1bc100b058f5cc8e82282dcac1f721c794227a00da94ce2930325e1e67efbc9f821db7bb |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\STINTL.DLL.trx_dll.abcd
| MD5 | 7d2bd60065615638a4e72ab45865af97 |
| SHA1 | b9fbeb83558324d4a1b84c581578054202225481 |
| SHA256 | fc8d163c4b33bc17a304e115f8a96348ccb094f25cf238e237892e8d277aad7b |
| SHA512 | 4d1e188b80151f754fb9b7de73e3644488e8026a6921907603a68b0fb08995e3864f815ac59b8b806120ebd823430b986da86b895ca838f14b9651d21d0c2d0c |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\SGRES.DLL.trx_dll.abcd
| MD5 | cf3f6b0468011ee448ceea1129e85f84 |
| SHA1 | 940b98f6a44e842959286af008315ca914f10109 |
| SHA256 | f96f74adb4aa65e9e1cbce7214765f3668bc596a297e9596ed9079f6ac472480 |
| SHA512 | fef4ae5ece71b35f3f40b7a06bee36e831365cf7ee75630312158ab595207d9d493279a60e9afe76ddc0b15446335b638a58553266b50070eb7ea1c68170d019 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PUBWZINT.REST.trx_dll.abcd
| MD5 | dde334be7e659727b728446fa1d513bc |
| SHA1 | 6f49f982c349a6298a7d81925cfbebd378790262 |
| SHA256 | b08e2e5414743724f8ba09d4dfb03cfe5a56c27ac4fc3d523f3be0427cbfa40a |
| SHA512 | 5aae90afde97f8125c88031ad8a289d627c7254aa766b2ec42ce29ee40043f37dff36a500c0ebc288865f5e2b54b34320d1052af4d76e54e043585a212a3a2fb |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PUB6INTL.REST.trx_dll.abcd
| MD5 | df89e584b6d29b40a103ad752f30f4b3 |
| SHA1 | dea427bd331f8b783788e87181ed3f7e40e094d3 |
| SHA256 | 49be00ed7dd3edb25326049d8c8299d87f4bec15da8f9302692daadc33a35985 |
| SHA512 | 3fdeabec6cef0c02e9e7f61c07033a6d90d800ddba4ad026605bcf584a98294ab7e4293b8fe670b6280194a72877d722a219c0b29145825db36e30ff9a22c2fa |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PUB6INTL.DLL.trx_dll.abcd
| MD5 | 57c176dbf2f538a0c2d264f556679e75 |
| SHA1 | ef93afb74b56e976a30294aaef10682c5b980ed2 |
| SHA256 | df41202424668bbcb12b4fcb65e865647274953c5f4a9f114d02b0d2af58bdfe |
| SHA512 | 12cbf2c94d421b6f13ee53c50ef478f0d2bfa0aec422931e7c7d4bf9be9990cb106c4a567e67d6296b6fe969c42aa9975d16a3c65e95457ff2d4614b7b289f8f |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PPINTL.REST.trx_dll.abcd
| MD5 | 2ac08b796342269de087e652912f6ed7 |
| SHA1 | 0127250d7b83808e6367abc2e60f9f3920881b61 |
| SHA256 | 998b360b372bb1ddbdff172c1a954fef95c450f77b28600ca9ad2bb96623cbba |
| SHA512 | ae07b194087457cbb96be33c635163eedf3a711f863b17127781fc88de3138c0d09e82571f070468b3c8758d5947462c0d3e588bafcb4e401472a598f2ac302e |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PPINTL.DLL.trx_dll.abcd
| MD5 | 38db4299fc42525231125699e5e2dfae |
| SHA1 | 46ec7f63b3115dbc5c2fb4f27481204060c25d94 |
| SHA256 | 29fb7d3d9a4a619bd7ed0ba014c29c49ce087c40606fc58a293d46f48e59b0f5 |
| SHA512 | 05ae236f91ea266ebd953dda76e8b36087dfffc97edc27b0d17ac55588a59101f33db49fee5952828814bbcc1ea8422747f59a844cd5763eb6ed73589ac0abe7 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OUTLWVW.DLL.trx_dll.abcd
| MD5 | 8d7325d874a8c9d1478a07100ea5da6b |
| SHA1 | 59e995dca8e0eebf735d5eb32392a4646f4363f3 |
| SHA256 | d6c0c98be804e26f9093c3236f15da6b2142d1f3211672b06cd951c31511f230 |
| SHA512 | 742fa1da5bb7ee33a38d25473a801e16bb40f55054a08ed036324eb3c7d00f53e91d8005c0164c4a7e2e2fa486e647ae6029ea4f87e87bac8c591b53ce74bbc5 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OUTLLIBR.REST.trx_dll.abcd
| MD5 | 34848ad1298c024041c53fe8feb08fdb |
| SHA1 | 98612b4b44f2a811254fa80c7de0060335d52ab6 |
| SHA256 | 6bcbf902caf66bc433371344b0b88d78feecd6188defd7c27ec112e8f9d55630 |
| SHA512 | 150181a0674ced69b9be9fa785b3bd749ae678ba8daf3c2ffdc80fe35eee8ffb82e12cb0dd57217caf35925a94457619ac06805b0c4a3465c596e9bfd6ba1ee0 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OUTLLIBR.DLL.trx_dll.abcd
| MD5 | 26dc98dca1e11862ce79b79ec7832c81 |
| SHA1 | 03f875ce0f5eb10f9e063efe6e993280ca01f923 |
| SHA256 | 903fa16c770a4d06b4e146fde8df4cbe0b0d1b78010e3086eb24c0a92241ff5f |
| SHA512 | 01be2eebb62840b89f263c5b7476cb0d8c09f2876d488f83e4f154cbc3af67fb008fe61ed199bcc27e523092cbd0eaa881ab1a0bcbdf004fda8cf0a13973ef54 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ONINTL.REST.trx_dll.abcd
| MD5 | 6389da11ab7b577c9c6d359942ee7dbe |
| SHA1 | bb0f98e8ecbe319a6392285bc163ea72994da7dd |
| SHA256 | 16ad2282534b4639c3531346f05e3769bb69c69db6049ba0ff796092dc9789a2 |
| SHA512 | ce659efb0f7578fff722fdf0ab07486b07f77358e5e5cfd3c97531f2ba925342e255577ecc663494e23adfc874983282e1a07648cdd8296469815064524a5d00 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\ONINTL.DLL.trx_dll.abcd
| MD5 | b59c72ff51ce1413fec48dfd6ea26ecb |
| SHA1 | 1748d7dc6da075af5a1c2f9dde9b4befff3ad67f |
| SHA256 | 1f289cbe6aaaa78fa9b3dd02c8cb0363e55c77feab4ac55c115667f078c0f4b4 |
| SHA512 | a14e8f588fa5aa4ff69f25c5896dc3fd33cd7fb28bb864a4a0ad779155f49b20a25a1a52e19c60936aea85db160ec9471c9c64c78fc4cb872c4fdb239f98fafa |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OMSINTL.DLL.trx_dll.abcd
| MD5 | 1c41cba03c4fc71fb941ceff1782e929 |
| SHA1 | 7d46cf52200fd1101e9c2e2138bf3d7b2d8c4cff |
| SHA256 | 902c769b57e4596db38b3eb5f6ba598aaf1b9b80fce299f1d4c1246acefb0af7 |
| SHA512 | cbeba3f0fc8a9f44e45a58ea75a36c715c265f67fd1e5cbb611704cdc8d43584213c652c8035d202833fa098ea8210aac1411756d7b512fbeea1d9e6e0db0393 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MSOINTL.REST.trx_dll.abcd
| MD5 | 880839e8d3458bc8680a938d49c6dcfb |
| SHA1 | febec54f7504990d7d08afa7ea5c391f14d9ae77 |
| SHA256 | 6e703500a702997ae17794cc75fe0267bf1c917304ab1e0004573db7add0203f |
| SHA512 | 9f3f2c2759c4e30084371828c25be33a93c8686d9d13727ddbe5d0d1b5f67e34637a877665fca16f93249f7cbc650a2e0bfb691d1a59d8d3fbaf4b3f79bb9eb0 |
C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\MOR6INT.REST.trx_dll.abcd
| MD5 | 6309bbb4533e3f090b0eddd4e8502bd9 |
| SHA1 | 4fc5333b4eb0871750868818d3764fc96666a212 |
| SHA256 | a26cafe6c25508d2936a082c44aa442337d48277796a56acac3c5e01cc98934f |
| SHA512 | 577fae8f05a894c1bde9632ad4cf0acd0572e52a5f3b02d0cbf32e3d1fbb4aff602528d5cbe834faa7523edfabf5c61ba77374ad70c43c3ee3a1ec6d05446dad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 04:36
Reported
2024-02-15 04:56
Platform
win10v2004-20231215-en
Max time kernel
1168s
Max time network
1169s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Renames multiple (6430) files with added filename extension
Deletes System State backups
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\"" | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_filter_18.svg | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\main.css | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-300.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircleHover.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF.abcd | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
| File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | C:\Windows\SYSTEM32\wbadmin.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe
"C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Restore-My-Files.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 20
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.252:139 | tcp | |
| N/A | 10.127.0.254:139 | tcp | |
| N/A | 10.127.0.250:139 | tcp | |
| N/A | 10.127.0.251:139 | tcp | |
| N/A | 10.127.0.249:139 | tcp | |
| N/A | 10.127.0.248:139 | tcp | |
| N/A | 10.127.0.247:139 | tcp | |
| N/A | 10.127.0.246:139 | tcp | |
| N/A | 10.127.0.245:139 | tcp | |
| N/A | 10.127.0.244:139 | tcp | |
| N/A | 10.127.0.243:139 | tcp | |
| N/A | 10.127.0.242:139 | tcp | |
| N/A | 10.127.0.241:139 | tcp | |
| N/A | 10.127.0.240:139 | tcp | |
| N/A | 10.127.0.238:139 | tcp | |
| N/A | 10.127.0.239:139 | tcp | |
| N/A | 10.127.0.233:139 | tcp | |
| N/A | 10.127.0.231:139 | tcp | |
| N/A | 10.127.0.229:139 | tcp | |
| N/A | 10.127.0.230:139 | tcp | |
| N/A | 10.127.0.228:139 | tcp | |
| N/A | 10.127.0.227:139 | tcp | |
| N/A | 10.127.0.226:139 | tcp | |
| N/A | 10.127.0.225:139 | tcp | |
| N/A | 10.127.0.235:139 | tcp | |
| N/A | 10.127.0.237:139 | tcp | |
| N/A | 10.127.0.236:139 | tcp | |
| N/A | 10.127.0.232:139 | tcp | |
| N/A | 10.127.0.234:139 | tcp | |
| N/A | 10.127.0.208:139 | tcp | |
| N/A | 10.127.0.206:139 | tcp | |
| N/A | 10.127.0.205:139 | tcp | |
| N/A | 10.127.0.207:139 | tcp | |
| N/A | 10.127.0.203:139 | tcp | |
| N/A | 10.127.0.204:139 | tcp | |
| N/A | 10.127.0.202:139 | tcp | |
| N/A | 10.127.0.201:139 | tcp | |
| N/A | 10.127.0.214:139 | tcp | |
| N/A | 10.127.0.200:139 | tcp | |
| N/A | 10.127.0.216:139 | tcp | |
| N/A | 10.127.0.211:139 | tcp | |
| N/A | 10.127.0.213:139 | tcp | |
| N/A | 10.127.0.210:139 | tcp | |
| N/A | 10.127.0.212:139 | tcp | |
| N/A | 10.127.0.209:139 | tcp | |
| N/A | 10.127.0.224:139 | tcp | |
| N/A | 10.127.0.223:139 | tcp | |
| N/A | 10.127.0.220:139 | tcp | |
| N/A | 10.127.0.221:139 | tcp | |
| N/A | 10.127.0.215:139 | tcp | |
| N/A | 10.127.0.222:139 | tcp | |
| N/A | 10.127.0.219:139 | tcp | |
| N/A | 10.127.0.217:139 | tcp | |
| N/A | 10.127.0.218:139 | tcp | |
| N/A | 10.127.0.197:139 | tcp | |
| N/A | 10.127.0.196:139 | tcp | |
| N/A | 10.127.0.199:139 | tcp | |
| N/A | 10.127.0.195:139 | tcp | |
| N/A | 10.127.0.198:139 | tcp | |
| N/A | 10.127.0.194:139 | tcp | |
| N/A | 10.127.0.193:139 | tcp | |
| N/A | 10.127.0.192:139 | tcp | |
| N/A | 10.127.0.191:139 | tcp | |
| N/A | 10.127.0.187:139 | tcp | |
| N/A | 10.127.0.188:139 | tcp | |
| N/A | 10.127.0.186:139 | tcp | |
| N/A | 10.127.0.190:139 | tcp | |
| N/A | 10.127.0.185:139 | tcp | |
| N/A | 10.127.0.183:139 | tcp | |
| N/A | 10.127.0.184:139 | tcp | |
| N/A | 10.127.0.181:139 | tcp | |
| N/A | 10.127.0.189:139 | tcp | |
| N/A | 10.127.0.177:139 | tcp | |
| N/A | 10.127.0.180:139 | tcp | |
| N/A | 10.127.0.182:139 | tcp | |
| N/A | 10.127.0.179:139 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplo.ru | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | fba26963a4aafa449dd6d6bca944c43d |
| SHA1 | 86d888dfdcc30d013135b783898583d305f810c4 |
| SHA256 | eb4df17b7a185117d4828a4878a9e9bc4eb1ad2c9180ed49b994d341f73b3bd6 |
| SHA512 | eec7bfbac6a6322299de93de85255d5793691e3ae6c9536c984494f7aa8316f318aeb239f9f175ed8a17db49929114712fab2ad3eea7f2c41e0aa5d78692f234 |
C:\Users\Admin\Desktop\resultlog7.reg
| MD5 | 2df78b07d03e121b051e1f3bd1552480 |
| SHA1 | 397345fddaab75ffe9701757fe8553391f081284 |
| SHA256 | 33bc13f57db1a4197a8667c67adfe4a6af8dbe7868543de2c4f19de7f709e321 |
| SHA512 | fa8e4c539f4f65b205194f0263c41e11b3ca61868a31cd800b3d933ff0fb3bf41e33f338e502b024e220f64b19509582bda6112099f4f1e18b239f193c386de0 |
C:\Program Files\Common Files\DESIGNER\Restore-My-Files.txt
| MD5 | f40149f4079aa4fe4bd4ba3ce09986c4 |
| SHA1 | e7721cdbe719429a428043a86a8af58b06fcf758 |
| SHA256 | 19f8cc56799a60c1c0ce4f8f54c9e56be00ceee56ae57af7edf2c4967c20008d |
| SHA512 | dffff359e40f4c01afef2e49c056a9a63877115f276feb8db78b9fe325a307c5226bba2d2e348ae98ee00111beabd5125cfb5711ad4d4b138b58b8b6c760cd73 |
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
| MD5 | 2fd57b0dd21f8666b4b5c7dd501f5a2d |
| SHA1 | ea3b1124231a3db9519e8f0c4e1cf4b0d9dbe06d |
| SHA256 | 5614f4c648cfa8d19964d4e41742b8e2942787ec19f6479a3e3973a323b66566 |
| SHA512 | e10ff466cb457085396d42563aae45495bbbd500e8d19c8f69c441a6ffe5c915bde263f0307739f87cd16a5f3f70280516412957e0735d47171c04d59cf8933a |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.abcd
| MD5 | 2e638724c982d910a510e911bc691e97 |
| SHA1 | 640a2d225b8b4c45d066a129fab57353a1886737 |
| SHA256 | 9cfa7721359362acf54d3d9814743863a7812397a7f93467dcadafeffe18caac |
| SHA512 | 9a94d1163684b77fb21310cf9f592f0651e1d9d9ed5b57c1877152a1e94029dd09df398eb1d276ce8bf4da7708070664751686163e97a24d10a7caf8d60e5cac |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.abcd
| MD5 | 0bd707a9345f88ddb59e556a1a4aa147 |
| SHA1 | eb665fa9820d068c72b3bf856a51e6c358a207f1 |
| SHA256 | 9a76cd139678d36af42f881df7b8ad97d0a54a1102da6d31df62c10e7519015a |
| SHA512 | 2ba3ea6a9bd500b84d4061a4253ad5a168d13948a18a4c191d1a89e82e5aa1dcd905402923293eabdaaa3ce8d4980b603f1c3ce1454ab5407dff3f6e768b7e25 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.abcd
| MD5 | cb332c4209e79225058152560ddd0dd6 |
| SHA1 | f92006216dcfa8c10c3732e3bb30945c4c2c81e2 |
| SHA256 | 9fcd3002e4bef4f04f55488c41b960cc17a9873741b2e5ac39bd831137a98ab0 |
| SHA512 | b5514e32bb0358a3597d5b0bc45413a40f9f8416b66e14a384cc78b413ec19dc982374bbe3a613b74669f05f9c308cd7f2e5a94cc59917b2214bfa4bd11540f0 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.abcd
| MD5 | cf80115e50e14f4dc108cc5200ed290f |
| SHA1 | 2446bc5acaf11358c313f81b8c3f107ecd88f538 |
| SHA256 | 1011b1461a029c02ee13dd32ef185d39f6e35b85c118fa4fdc72935be67172dd |
| SHA512 | 2c60fa5df54cf6b59ae1b7ce3e124cac8dd692a9cf0b8e96a114c78e03cc933702596dd3f17b62c162b5d4aea0cf07d8807169d205b59ae84d8f06486a044067 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml.abcd
| MD5 | d520e79be6d3928e99e074caf98723ad |
| SHA1 | 8a948d4e47bbf5572006f4eec9f5eea23489c070 |
| SHA256 | c531b1b96dd54a24ff1a6724ad6627b446e2a482e4dcb86c2193940c2c13231a |
| SHA512 | ffc89128b5a898efd6f383893e8098ae90e5b9af8f28691b098b3ca5d86e20b8ea647bbd65a904fb54f061b91230d88b97941dc02c0637ace2ba63a56c0ef82f |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml.abcd
| MD5 | e8f4424aea40c1695d1abb952ae5878a |
| SHA1 | fdf6c1e590eee9af38146b6cdcfe5da37f0445e7 |
| SHA256 | eff1bb13eec369ae80c8ebbf66a86e7398f02c6cd40f6bc0c06819dc6b5d047e |
| SHA512 | c552fd4b63fe6ddd968154155b75fefb7b14b0ac0791c2a01cbf75c070129ea7dd6f3b980d8e19423127d05e6385dd7118e30eab7aedd4f23af2e40be48cfd12 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.abcd
| MD5 | fabe9bdc834d671637c302510c200343 |
| SHA1 | 61b96f36ec35f87dc95f9a8a9c7e3be9733a4c50 |
| SHA256 | 7efa0d3679754ee0951cf31e1c20d9c1959e949ca8881a0f0fff913456d11b78 |
| SHA512 | b16e8318c94f38aa36afac3f310626fe22d96656b24e00f9701ca3caa68fbaaeccde63d06c57f83a739c559db45f3b288c28319fcc274e9aef02d56143e4cf18 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.abcd
| MD5 | 75dbbb97313cb4a6da876faf53b5f6c2 |
| SHA1 | 2f25dda089227214f16272c6dc1e67074232eb35 |
| SHA256 | 507e14713f17aef2b48be42359e30282dafc1904aa18203fcfc1fe4e3fa3c581 |
| SHA512 | 6557f291f4ac39cf34d259aa404dffc72c3645f7c57a239dfa867abc278728f3d76a8566cfc82e0d1df11f3969fa7d87d676eb9c3c3159c177728adf6ddd229f |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.abcd
| MD5 | 2d38740952f347dee7aa20485b06b7a9 |
| SHA1 | a98319ed1ea13869349baa85b2f57c8d3a448416 |
| SHA256 | 80ace6164884e349b8b6a79210b3fc3767b5f89f85b3900f347f2aa54074781c |
| SHA512 | 5c6a494824fd6ca825d4868a1c8bb0aecd188d274a07c3cf70c792db269a9828afb329b9f05e50acff46438b111cdc78a71f57d3f892e06333f5cc54d402bdd6 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml.abcd
| MD5 | 9ec8ca4b7e824961afa08152be2cd7a1 |
| SHA1 | a77ad313b85344ed4239773f5f8ea9b390d46ce7 |
| SHA256 | 74f80f2dc51a5f92cf080d0587067010c684fd7c5cdd2904fcd2bcb30aab3e81 |
| SHA512 | f606718e282fe359b075d970019250061e9e0e2018057132674b505e12448ae2272e1b3ffc11107c23d31241306832110ce394dcea30f716432d465d7b3e6444 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.abcd
| MD5 | 5817b41b2a5cfc8a29154714863710bc |
| SHA1 | 35f4b454d7dd4c8bdfd38888c45eb5dc4b923065 |
| SHA256 | abaf7e821167c2495c276926125cda898fc1fac1a19864ef7ceb4b2b14638ab0 |
| SHA512 | 96abd36307db159d2aa6f1044d030344b34cf63d217cbb6f9db16898d09a4898d5bf2afed8dd7f7685d5a92c2bc826b7104a1f3ca0b4caea0e3e508ca2e8af8a |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.abcd
| MD5 | ca596437a4a2aa20c914fc5162cd91a5 |
| SHA1 | e72108808f59eeee6d5906af4f11e956f9b57c85 |
| SHA256 | b22179ec7baab77d843438ee939c8264b1df9da7888b004076bc4eceeec483d7 |
| SHA512 | 026694c405c0a36685142cbb43932a6034999a2fa85203c66a947bc505023d91b5656d65904044b62bf436c0086b9df0a703830929de1e6bc4e4998e13e1455a |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.abcd
| MD5 | cf3581a2f4378da903635761cd656f1d |
| SHA1 | 251dd889629baad7a5df9e98ad1ba47ac2ead360 |
| SHA256 | 31969507d2a361cab0c1747c6421dd9a54b2c51578f60e435578078aa8e3591a |
| SHA512 | 4de9e64e32787bebd2f2ab0d3b14ad9357800493d10b2252577e1e5b2b6df3adb44bdf459ce4552ad1624e861ac30c3f8137d33d080cc84929e892b93f1f437d |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.abcd
| MD5 | ba039b292a4ce3eb9aefb65872fce23f |
| SHA1 | 264b6ad0c2d0814e94fd0d05ee60a7809fe64791 |
| SHA256 | a97cb24df14418ee3c749b7829122298aaa45dd1059ab2a69a7de85e0f40c1be |
| SHA512 | 669104161bc7c72663b213c2cd6f7dd09f99ce33bc90046ae7b866a3650bf7d9f49301dfc52b1a194d4cf32103c5dbfa27939f3026a8c9e028a0136ad796445f |
C:\ProgramData\Microsoft\User Account Pictures\guest.png.abcd
| MD5 | ee6647db031c1f1fd5a10e164f1abd2a |
| SHA1 | 43afae2139de3d38bc39ba192ba95608e4e1b10d |
| SHA256 | 91d214528c428c4f567495876e5aaa238162b422bc5df255b063ab9ca89fe196 |
| SHA512 | b84e4a647641280c42767a319a252e4aaa6c7131e94cc458e7dce3c5fdcbd44a07ec0233463f2f5828019f2fe1de43961b1420c376e7af220a1b28378fa9749b |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.abcd
| MD5 | aa92fcac0d27ed35fd6a43a07fe61935 |
| SHA1 | 12cd4d2b13942d595cb21ab3290cd41ea5e50a53 |
| SHA256 | de91758fcef9d387bd3bcb540152b1baf416eed5374590a6c22d3305959f2f33 |
| SHA512 | edf814d792668e77110aa7288c6070223db8df9ae65690df53d33a5587fef5badb8bdd26c20236bd32bb0bd863f7dd5369ef6e495587af5d0c414d385b8a34e3 |
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.abcd
| MD5 | 96f412b9350b8dbe0e7839a3a936ae5c |
| SHA1 | 80ae6192a06998831aa3deeced1699d97c14afc5 |
| SHA256 | 852b95f8145416c37f412e8927aad16bd02322b9b6fa1525735071a417926b5f |
| SHA512 | 7aa4e863b3fa02ed21b653082325f5478887f643c8bdfa13f6794598431c4563b8f20a2d5de00cf474801cf7a72142640e47681d14cf945023627741ab390644 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.abcd
| MD5 | 7a02a8baa68bda335b06316b3850399e |
| SHA1 | ce79852b39cba4d8d4f7d7dfcd4e136e39ef487c |
| SHA256 | 601662c913bb1fa46d018380590bb4079e1b447a191d383bf09f0cfe6d0dadcc |
| SHA512 | 639ee6ad91f9a1584032381e1396b335a58113f57559db6a8e750950e29a417804ba0a07f73956655d2863be86c17dfc7a1b82b65990364ec30732b3bc00f3f4 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.abcd
| MD5 | cc862d558154dcfbf74dce999ec7ec7f |
| SHA1 | 63f9531a6de297c08fb55290dccbca107503d384 |
| SHA256 | 89805f628a401b119f952606752692f0ddc31644d1edaab2631ec723b8ad2165 |
| SHA512 | 602f7b8ba25c50fdd4b43608b2729009630e2fb08d9205163a65282b635f06304cd4142da70ab5f4b9ce1761a1a66b62aab237abe17c82bbc5832adbc226ab35 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.abcd
| MD5 | c9e29328a708d80714a559f29af96c24 |
| SHA1 | 03b24e63d2fded653f9fb22e768d557aefb6f4bf |
| SHA256 | 0cc570e29e8e6a714f554d9e5fe348862ab785f8d8818c43b568d8f2a9a17780 |
| SHA512 | 9af2b45448203cd6ceb907b12d56189f6775d5e922abccb7050e19576695fac5bcdf9a75fb46357ffa622bbb529f4dcab8fdec39bc35469f4909b089f1f29173 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.abcd
| MD5 | 33a8a38efabe3ccf2363b738810118de |
| SHA1 | 29e75d2e68f3be77974302a02f14f645daea1cff |
| SHA256 | 74f38e4da230780c7be47a5ade3490235798cfea1a5818446afbc1047917337b |
| SHA512 | a6adccaab7185cd889081186abdc4f843635daf3867a66c0afc96bfb68a14f566734f655e5cae884328877b562e9f2453bb2bd363dadf0bd6df0bc738e8a54dc |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.abcd
| MD5 | a40c274c72b229896fd0206ac0c64ad6 |
| SHA1 | 36368b2ce320ea37561dbaa2447a6e128a2a29c5 |
| SHA256 | 8eeb3fb2d5923e3d163c8451799bfceb0aea73c395b12a986ed74dbe0cc35127 |
| SHA512 | 116a3460ee094aaf66ad9fc334181e8538e8b8f97b210a7903da7db70b5b9cf01dfd27516095bc0577aaf663b465187ad1df82ee38008d2b1a1b08540bef3c35 |
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\state.rsm.abcd
| MD5 | 91c49b8773a7f9bb6f676350074c8876 |
| SHA1 | 32c0ec422b24616c4a63d72f35719ff72d8c896a |
| SHA256 | 63d1a5f20f71a0ca34abfc065c2d0bf326641035562086e122b7d7e3868053c0 |
| SHA512 | 911711dfa8beb1ea405f0660a081ccc3ccd4d1cc5f5cd217540074d15f6da17438619e79deee928b8a957096bb85535d49bdf57190f4dec9d9006873bd63526d |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.abcd
| MD5 | bb0bb7f490aeb9f4f418c85f210b6077 |
| SHA1 | dcb7c92e1e24d9308620cdaf46b55e43f3243d3e |
| SHA256 | 1362cd9d4eaa85da6cc9ec42f913a962c5816329dcacb2eab75df43d20b83e8f |
| SHA512 | 2eca8d4808f83e12c4dcbf87ee44fadd403d0fd844af57845de97752fb9f97a0eb2838fd6e234cca4c6202d4d7293b6394069ebbffa1d71c6a5512ba795d9862 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.abcd
| MD5 | 6093418ef8299f049070fc6486c56b56 |
| SHA1 | 39f339ebbb087a0bd1f297aaed8702130943f1c1 |
| SHA256 | 9de6a80fe96d7d1e56fa3179e73754412914dec7384f9c83135de6d2071848a7 |
| SHA512 | b14d2c8e945cec83fb39602bc7851f31be6701b6a492783d920f820d4ae21c5d202ca29b9666c96d3c72e170baf9bd58fbf2be8491e7a949635e3b7406a5416a |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.abcd
| MD5 | 3c3db2b5c3ba275feb1d00984340306e |
| SHA1 | 779160ed89aa2ad370f1e9d88baa8b1471b7bdfc |
| SHA256 | ae50c78105adccd222d08bed971dab153be0b42b1c442855eb18cdf0b3ed5e50 |
| SHA512 | 936f1ba30408096d1becd28d538e2c00a0c6f7e110dd81b961aafa46a5a6e625b728e537a94270c84d84912f1a2f90b2b6cbf11ba645dac1ce71e2b37e9fa353 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.abcd
| MD5 | aaf9812dd9186ed07b9ffdd78ff1144b |
| SHA1 | a1dd47d1ec51d40c6b07b1ffeac9f4439309ae33 |
| SHA256 | 6140d61236d877a95c86fc39348798ebf6ac6a276053bda7a70f390f6e369bdf |
| SHA512 | b7187bad65dbc1e9d777c2577461228b280fd0b12398447ace46b4353b3cfc5a34ed080a0647b0c69adb3e8363441ce3545a6bd9d164168f27c6dc5855af47c0 |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.abcd
| MD5 | 9f9720942d29aed75b718f71d48d3ae3 |
| SHA1 | 643869c64844ee8a0db88867fd61b4642e12a2d9 |
| SHA256 | 5e235d55332a1ca1c9458e128c4b356bf59eef0d8319ac84a2f68ef930a046a0 |
| SHA512 | 00c39ee96649cc7dbb1727f2a9ee53993cb365399fd9379dc4829424dc15d4dee2821e269de94dd4ae0748766e30811de474a2519b62264657c5129b36a524a9 |
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\state.rsm.abcd
| MD5 | 6a4ad130f94a72af98d52c5cc7753e44 |
| SHA1 | f75b1e19125327151b94fa75a1ed39eaba8ac47d |
| SHA256 | b1268c9eb02b8d599698e344c6eb62e056269e9872235a9c26c22935bffb1362 |
| SHA512 | 98c4ec4be49a803e83d55f76044303f1e3ef08d90ceeac05dcee9e5d244013273cbb774ad6401fb2a7d90e5ca504a2709611c8d6ea3992af386e5be4dc6e1318 |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.abcd
| MD5 | c2e4d46834a559e2f161e11f5b2b21ec |
| SHA1 | 010c6af243fa6df9623ad1b1933c8decec0d7cf6 |
| SHA256 | 401f98cb4ea59d2d2928dc869225149bd1d9f5d74722f44a649b67c7694aa879 |
| SHA512 | 5454ea1dd3dde1e041fc3098a68742ee7db14936b1c782a7ac2b26ce841fff0d4d69087f400e92d4aec7d5f8390515e07e8149c40b88aaf7a9fa134df668d864 |
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch.abcd
| MD5 | 3b988f57cf271bb808da37ebed74047d |
| SHA1 | ced4a8a004b3594f916095507c1acc1f350497ef |
| SHA256 | a31919653c352929c687996584ae3cf44644dffa7ce68326179d4a5c07c20af7 |
| SHA512 | 447f1da8e81adc22d3add733d0f03065f78f66928c813ba749a9339e65c767a1846745c457ecf24c92dc0dfda67d2a7b376416dee3648e1b3b0e9adad95c38e0 |
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.abcd
| MD5 | 4b62d5f4553bb1ce439a092c8ccbf9d5 |
| SHA1 | 73b6e0e11d7357f6037962823a4be0a5e4379b72 |
| SHA256 | f386c8397bf026cd0f1e404726895788cf21975eca059ea1f17165cd6edfcb5a |
| SHA512 | 9b20f66db76760a7ea2de790442f9eab850c0345b8b9203a0a106d57ee818a3e2b8cf9ff72e6431c7e7dcaa27a3ce1dc14f440260b10dd8015a7abf1030b7967 |
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.abcd
| MD5 | 07c51923a61112dde3acb2266e923d09 |
| SHA1 | b9044210f0195f14984c86c48c95cf2e3b422024 |
| SHA256 | c083cc434e74543a9c50fcdeb1ea4fc26fa109866b518a2f00d410dbe08a96c7 |
| SHA512 | 843388a67fcdd185181c087fe335fc3859e67c57a7040b08a95f12fd25db20077696e667ca9b893837d51eaea18015d6801be9e2109a2c05674b474a342ac072 |
C:\ProgramData\Microsoft\User Account Pictures\user.png.abcd
| MD5 | 0bc73ad52f939598a1e6ab65e830fd02 |
| SHA1 | 4df1e4e6b701033b03c4a891cec3f02b8add74cc |
| SHA256 | 081890c6fe26301beadc1ee1551118f7010a143e9d5f59b148efa4d9f8d67701 |
| SHA512 | a71496e79184b4852fdb44af31bef6c5300ccc8af9a4e6923add7cc84c8616b2b6ca9a459481cd589e4d8d759874e088affb90f89abb029dabb0c117b157a4c1 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.abcd
| MD5 | 85086a27665f6e4175cbb309ebc1d9f2 |
| SHA1 | 582ad8a3230755c9761b7eb04e61883389c1faff |
| SHA256 | 3e2052772b9ce39a43351818e9673fe3fd50f2769d3d1559443d79f03c58cbe5 |
| SHA512 | 1a960bf1f37b088011630bc10212ed560ccab818908c97bf5bdd594441fe4901a13d5243ba999b1b766288501d540dc47021b1ea77fdc265c799d02736b16424 |
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.abcd
| MD5 | 342ffa71a6b6a384c1a51de5639466c3 |
| SHA1 | 6381cb880e17e2039bfb14a20f598f68eeccce34 |
| SHA256 | a5240e498c88d29518a6b9b9092c952e369c8b9e27d1c327a9ba144468596aa9 |
| SHA512 | 57dfab5915b772f2d1ac35621060fbf79531fe5bb88c53fc63f3390630553d342523386e21b37e5ddbcdd488ad3632542cc1f32ef9c8a4971e32910f7150e177 |
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.abcd
| MD5 | 976c8399e47dfdc8ce85562786de09e7 |
| SHA1 | 88d53edba7f173b0c7045066120345d4f3174111 |
| SHA256 | 7a3ce3aa08aaf0e54664d27dfde336cc143a4b9390f952455e8f7ad6d74cc9fe |
| SHA512 | 5a46e7d96dbc9ab80ccb119a1ce5245ae76b7de1afe2e1f15657d6d8fa6ba7ed5d5af68f86abe1314d863965155767026221012798ccb7e5f2fa527384368c14 |
C:\ProgramData\Microsoft\User Account Pictures\user-32.png.abcd
| MD5 | b71d390109518b51926e21c941f7484b |
| SHA1 | ee087c9b6611d625154e60aa99a877a83244fe5f |
| SHA256 | 4007dc07d0bca9cb121e22b48b790bc5f2703f78eda75c4ae2d3d596093a9465 |
| SHA512 | 7d8ee960430be0395f64612d2f944c3e078a6a632d1fbfd2925eefaba064b735bf52d8c5bd443423be3dcdb3ca724566fa9f42c23d0aaf05582d89e195ec610a |
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.abcd
| MD5 | 9b92eb8bac6b8af05103694b789917b5 |
| SHA1 | e43b0ac1472738790ca818ccbca4f40e824d4a75 |
| SHA256 | 31d80760e3c56155ada68beada7b25653bc88c29035b5aad483c4a0f50cb4d97 |
| SHA512 | 2df3cc901208479895edc3c655f2c1e66fd26725f2fd47aa6102669610f8d636d47b3375c015479998bd76e556149b25ac3f4b304db79b239a1aa0e0828f276f |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm.abcd
| MD5 | d5ac9130e6a653ae31609ea5de3ec8a3 |
| SHA1 | de90dcf7928b687b0bed194334de1d01a2f938df |
| SHA256 | 4ad57381c9cf57f353a82b78d2907f813ed0be0c1d589bba437d46434b302a96 |
| SHA512 | da1139763fef269a19061143f7bfe44ccbac993ba2cb4f9274222a38c745b4343ff578181452b82f556bf5f29c69405e2b1108be306c52be9decd45e16c7d1f0 |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.abcd
| MD5 | 5f07254499210f2d73a4b41dba408427 |
| SHA1 | 5e94b1c34ccd5b8f8a35a39d4cdc187e17a8ad89 |
| SHA256 | 03a32b91c4f498ce9e446dc7e9e3ec457ae48c41620d0620c66bd598d8b59668 |
| SHA512 | 4cb5043e9638a4e4814c6f91133521da74561b524566e4e0a26e47d5121fd2490735c284e9b2d41dcecf57e9e9b3506ca2a6db5cb745acc217ecb9c8801577a2 |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.abcd
| MD5 | 3ee5bc7a0e834ecc791c7dce829530ef |
| SHA1 | 9c3719ad8cd50fa3ca690797c977fc3e79c64780 |
| SHA256 | 9dadbee405f7d088386ac11ce673eaf98a7fbbea51c1064e1beb77309cf07c2d |
| SHA512 | 6f36781f9caf519fa91beb82f3b9b1ab63ba6b5de161f8f47050f3cff140987ffd4182db94591a97486204733da5111510861ffb3e288d0310c77ae5445618f6 |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.abcd
| MD5 | 4e09e9e828a0df76105e511ec73ade14 |
| SHA1 | b28902ef0ba59bc2b971e7c0b8eff6aab2c6bc84 |
| SHA256 | 50fc8d4c7fff595cd69e5feda85d797d190ce3f0ced57809caa3ca1afdc73272 |
| SHA512 | c7fe87c00adf8775567e720f1af2ba0f6544b5c56e5584cbb5d419a34a0467a19c2e861cc50bd3dda56713839c61ebc584af21881709c2d60a48199a5d922fbf |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.abcd
| MD5 | c101101e36e05f09de278a7e71db3c22 |
| SHA1 | 9f7c3f86f19481d1ae97be8ce42cfe46271cc38b |
| SHA256 | 10a5bd84df2988c42578bbf50092761855ea0cfea86f08d7adc01abb91dd3a3d |
| SHA512 | 8d0adb8b59db520582069a4565c203c8baeb735a459e89c20cd0ad645a90e70f0f5e4f54b78bdf641b63ce77bed3b0e02a13de620f00a9666e39c7c181a719b3 |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.abcd
| MD5 | 602bc0bb3ff13349bfb8f7f2073f483d |
| SHA1 | 50e200e0968b5dc8319d2dcff500e7e3f98240b0 |
| SHA256 | 336701c111bad324e32a740b4408177be98ab5e944139091ff64877ad937801c |
| SHA512 | ceb543c1163a4a6660d9fc535df344161e09368467bf36af304a000c75d87c910cde3c137780538d7cac11683911ddd668b97e820c866e7a35445c6781976bff |
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk.abcd
| MD5 | 9ff34df878ad23f710013eee76e43e1a |
| SHA1 | 801c08e3d88de149378566e27d64720dcb28ee1d |
| SHA256 | 01f4188a8d4c2db0727d190170d75b94fa8b365e74bee4a948f3fbbd0932b16d |
| SHA512 | be065dfd8ea9ef709acc5cce8d2ecea99bfd8d1201d79c93f4721145ef6075046571dcd12590ed56d3844ba6f2197b04fb272f244de4a133bdf2e27bb0c49976 |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm.abcd
| MD5 | 8310df78c05e3995335e9373c9ac07cf |
| SHA1 | 249063948554cc20569c8a1daa7e492ce4935ba1 |
| SHA256 | c7ed05468a815910ef7a26e6de37f42e859b6281f832ce9f087c91c11cca6891 |
| SHA512 | 094b69cd59e4aff5409b9277bf9e6ca5b87daa5f9d4eafaa597431c0b8cad3c6f58e914b87a41e9cb78adc1bd0a1e698eda617f63c2426e04366debaa631934d |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.abcd
| MD5 | 06f1ca1b1947d9391216e712e86b5817 |
| SHA1 | ff54421577bf772f425fd8b378c87b55c197cd67 |
| SHA256 | 108241564a1060c413ee26e159886664d60711c273052b73bd8ec98fd4ab8dab |
| SHA512 | 358608c051881b611c1c8cbcdd636fc8dda0f732e19f8bf0bd7639e3dfade60d6143134ac7124694af048fa3b1fb08892f18211ca30e3e0bedd9934278968d60 |
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.abcd
| MD5 | 4ace707ce498589d2e50112378fa4293 |
| SHA1 | ae86bafbf240bd4cfc71395464b688c3e38b4710 |
| SHA256 | aa78c687ee513918e784f8933880850fad72e78c8922648a992a635bd3f7ebb9 |
| SHA512 | 3359f5e93939aab28db814a20be5a2d96d77592c52fc78668444bfef346201049212c99e331528ff9ff6d04d420b027683dbbe1b489e6b081a2b858f2d1aea14 |
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.abcd
| MD5 | f3370c66a0bc4308427f54d879fc5242 |
| SHA1 | 06017289039ec6be118471299d35cfee13bf1957 |
| SHA256 | 449f9c4059ea9a16cff4385c589b3404f3e5f5ffdff92b51f0120091b780c6be |
| SHA512 | 2ef72abeb801f44ba48c368a1f187988e9008ee64511e16942be8492f7b1602d577ad490bc48870162ec6af7a68e890d2fdc0b12a44cbc2d180d31abdeb1543a |
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.abcd
| MD5 | d36fb6c6ee9993ed688da0c71450b168 |
| SHA1 | a755c9c8ef1b6044cce8ef8ccd461073c1f49dc3 |
| SHA256 | fbf946e53d97d778ca5550a6500aa5d1b304110735ff9823fadc526bfbc54910 |
| SHA512 | 24455d7095af885a76b84c95a0b228794a922a41ebea8f64e07a91ad4c363932551e75c2d707374dded173332e2b7518092a7fc07b8d01dcbb31ae9f4c191954 |
C:\ProgramData\Microsoft\Network\Downloader\edb.log.abcd
| MD5 | 689e0847b6868236e65d951246c12325 |
| SHA1 | 1e16f3bcdbd1b69fa440167cd5960654608cdf44 |
| SHA256 | e4a32f1125f4bc4d0bf36eb0a68a4c841934798df90fdb01ba0edfaf08c18a9d |
| SHA512 | 00b0c0b0594aa0c855dd14a9db2fe2e29585d577391c35ac04becdb53d5689e21a69da3292fb17d23218cb66db1f871b4886458cc02daabf801fd28681087acd |
C:\ProgramData\Microsoft\Network\Downloader\edb.chk.abcd
| MD5 | a6db62d1e3b2035c730966a8564a5038 |
| SHA1 | 6b88c8c0bb2b0bae5f1b188eda7632c2c51b2223 |
| SHA256 | 85d0f0cdfcf9ac0355b02e999af7caa7f64a0ce7dfd780eb521c1e5e1b28a42e |
| SHA512 | ba22dba2e3c644fa6861c907084a4deca6fd403543fb487d5aa7f93cacdf6578714dc78640790ae85bfc60ae389b795bff961c1d61c0c870d513497c6fda9412 |
C:\ProgramData\Microsoft\MF\Pending.GRL.abcd
| MD5 | 46ee7a5de27e282873720c5c238d0e94 |
| SHA1 | 01df638878dd6f4c474efac68e4227bf2e59fdf9 |
| SHA256 | d5e812745b85095fd957cd3e679ea3a824bc23665fd3d8f4fef9c3dc9256ed8d |
| SHA512 | 4855c933a79b9fdb15a2b85c8f7e9bcf217d40f0679fa5827ea58cf407a8cf6346ec2d9d940b7642a3ee0b318d8ec5f846371369b4b7ab077b5680137a183162 |
C:\ProgramData\Microsoft\MF\Active.GRL.abcd
| MD5 | 0a4074b6ffe41369e24c5ac27696a17b |
| SHA1 | b135c0d3d342079f2c0093bb89739cb8aae61c81 |
| SHA256 | a3670abac71254e34e7a62306e52c637886b9f9848e0c635cbdec7ee209aa6e4 |
| SHA512 | 9ec9a6fb4d7e2c68ba5b7020f66bd27cfd5c5bd9f225285fcf1068e5127bd4d5e2e4bc79e0d9957e73e5494aa6957a8927819480ee2e77e9ae31624d9b831142 |
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.abcd
| MD5 | 4cbfc811f036b051b3e9ad9cae3833a5 |
| SHA1 | bec223e218ed5bcc93aff3478cea47fa2c0617fa |
| SHA256 | 180a236945bb063deace8e1ebfc7e562b65444227e697ad13252fce1b7aad0bd |
| SHA512 | 080dceebc242c09867530db5aa41ed9c2c6efd67272b6c49a73c0e772e8f8ce9bd134a525015ecd2fe88aa02583bff81a6dc944b2741d89e6c0db7b580e92088 |
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.abcd
| MD5 | 7cea3c5311ca85276166c6c29970c04e |
| SHA1 | fb97b7550b32bcbfccb675969266e211ed06d8b2 |
| SHA256 | 575097a4667f0a79412460d90422268162915accd9057c24e05a582e4a81c222 |
| SHA512 | a143c073370f03d7f53e6622d80c467112414105f36706da08f69b6a8583faad9da8d0ddb35bfc2144d22062d1324bcdb77148876fe2029e16b444d73308b012 |
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.abcd
| MD5 | 8bc768bbf48cd76ea6f59719adaa8a17 |
| SHA1 | f77a69bc87ae0d05e4c346798f9c5eb7b0478da0 |
| SHA256 | fd23c2eb12236bea1b7335db922b0a636ec5f01fe6dacca88f923a0e004bab6a |
| SHA512 | c7dcf707cacfab1405fef92a265bb72290b36e6bf0b93831f3d65765695c87190c2551f6caaf04f242413b4b6c8d47d968f22fb651591afa079f529a74514c8d |
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_11_11_15.etl.abcd
| MD5 | 4f2d6022539ffb6fa4211c4ff91da645 |
| SHA1 | 2294f9d76fe65b7f2dd69a4159bf6ea08bfe9654 |
| SHA256 | 0939673791bac9d6f644ddc54353844dd19271b4d2c92508b45aae08048920f9 |
| SHA512 | 98fe50d95b5b759005489ed6d50587d1fd3d9273b09287d914ac9379cb2bb97a6fc3f5fbf19c7e42762916cc21462d7aa6bee0d00f8c913a559a4e14820ae672 |
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_12_15_11_10_49.etl.abcd
| MD5 | 26e6c265a0fc828693f7cb21ead29465 |
| SHA1 | 768c692386652ddaaff0653d63e3869a1f395b09 |
| SHA256 | 90e1191241821c10d06b437c95b14109be185d48009479682345cadbfcf25dcb |
| SHA512 | 61c190a5a3cebaf4015cc1bd657712d3991cb5e5d42944fb587a40b3b2a408425b3541d0f942de537acf2e519c71d36047669f0112239f8cae5c48fed30c2122 |
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.abcd
| MD5 | e3cbb85b7f51aaa8d97f1253578acd82 |
| SHA1 | aeba19503bf74562c591d71479685449bd3f0f49 |
| SHA256 | 50a2efa3aacb6fda9f55d6f88a8f78cbe2f086ea27a604cec77fb645c7cfe239 |
| SHA512 | 461ea6a4313157b4527f7bf5e43da799172b96a55ccf091001068bee3d2d3698a44d6fc66999d9144ad6ed15338bbfbe9c960d27186f7cdb0dcd71f643aabf11 |
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.abcd
| MD5 | 87ed0cf40d48fbf13521f6a3e591e324 |
| SHA1 | fbe2b3fd061f42aae51f3028645b13619bcb6fc4 |
| SHA256 | e6fc98d90df4a8561442e256c4d48f0f72db0f8d0fba8f68ddac81bf33f3f550 |
| SHA512 | 1e9a0c4f6d35d42f77e21dc41a9263af686fb817577efffd810187d2fcc0738ac863596b9f1f0aa3b6d3c014ecce18634e777cf30dec338a410f33cb66dc5553 |
C:\ProgramData\Microsoft\Diagnosis\EventStore.db.abcd
| MD5 | 74a3b0c6d7e9da37debf310cf4b29779 |
| SHA1 | 4ebec1f803a7e3e17ff4cec0bc87438c117d3c1e |
| SHA256 | 881eec036cf604e9bd01cf0304e789bd28c0a33682cda2e42e638be28f2a8e6e |
| SHA512 | 63331eff46313efac8f42b46ae1aaef2b72c54aa3a65187921e6239e53e841cfe42cc3cda1c8b279475be95a1cddb5d1a500a5e3beabbdfe4e395438cbbe8495 |
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.abcd
| MD5 | d56a9836338c9c6c8ae9c44b06746605 |
| SHA1 | 84e5e601dc0806e9699a328b73f1e9d90955a700 |
| SHA256 | 0acbab879c8f579aea15895272fc0b0318c11c6953d9394da2e10b03c332479d |
| SHA512 | dac74f584ef6cc0f1816202303a74115d41fbc6522ad1cbb689df74a48e7d36d59466670e585ce05ed07a67fde67334838fbd5c4daa1b58ad29819f3e7f4d577 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk.abcd
| MD5 | 3d3887720e7aa41db9793efb477e43aa |
| SHA1 | d44a98626165fdfdf2975a7409605aec3bbe3d6d |
| SHA256 | 10b5315591eff16ec7ef9d9825e7b4c40c90f0afb224f4f996dd337d3fa6bd43 |
| SHA512 | d80d9295d83af5e15a042a8af959f665e7be511e5908845a0ccaedbef7d984a697bff7944e0e92a6f4f83c31cf50d1fc245d23edeee061d05eeef31aa6d3d395 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.abcd
| MD5 | 8544929cb90515f37c43d9f5dfcdfc21 |
| SHA1 | f53b545e2a20a0114916e2d1a71b691c8ab0e19c |
| SHA256 | 102a52e79eea5bb1c55c8aa3e34e44a87c012c1873f7f51981327a00ad91e6c8 |
| SHA512 | 6a2db6afc10b70b55f95421389cf14e140e4b5ba59e9a0aa5310dd1290b2e85d168ed3f29081a9483932d677147f06f137e7fd7b3a3288a79830f80724887da7 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json.abcd
| MD5 | 15491a1e7857e26728e507a5228e9660 |
| SHA1 | a3bd67c81cd97f421bb737103bd5e05aa6afafcf |
| SHA256 | a11e62ed6a487aa82cd3369438ce3cb5d56f5d029f3d2c2dccf36c6dc2edf05a |
| SHA512 | 4b0a1de147e9fa4f33b1dbfa618b221adf85ecc2984c04c9678829df7b44edebbbd216b76aa4915dbca9a3be6e318cc0d26db2996ef2d34ea5c614d60a1a4643 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json.abcd
| MD5 | 4c006e8eb009c8ea4c145ea573f8da20 |
| SHA1 | c599457ebf93de5ce6a9cec5765b77a3e10f1b42 |
| SHA256 | e1037abdbc59de49e0a0311743cd9f60c78b88c30513e7a91371c12d9af773c6 |
| SHA512 | 90108f48f168d131a3e0dd494a13b6f97dd85745d2803d5f2f430c5c7b82b536db0c24f1a0aab3a6ecd90fb27dad518c4a48ec1b8865d7312dc8cb1d7f24d6bf |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.abcd
| MD5 | f8a91c59e3172d8a1c60062485b35e66 |
| SHA1 | f6e863abecda3622391299671ae824ae8cb8c31a |
| SHA256 | 51075a14c19f114254b0a42dc544ece030584c59f0be7df03e72a4128bd72ff8 |
| SHA512 | 08529b04aeb81f5baac4cbdfd7d235dd69ac454b196dfeed7bbcd33521db631924d43ca9daddf6a1e152a8900c016ed136677856e28763a2900c9129ede75cc3 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.abcd
| MD5 | 51fb0c55347bdf8ef14408a93ebd1f4d |
| SHA1 | b8926a7eb6a18eeb9b4c1a0270734fc4f0783aef |
| SHA256 | 066d5c06c917bb49c4dd60d0d9095f7f8b6debdee09ce381d5d95aaaf3e36c4f |
| SHA512 | d2936efd50115ab87db47a9a042ef2fe64db30f3e8d3b932d9c2a8689098a98635a8802f8d54829c53fd732c66a5360960b3b3fc627c3e4454545e1d21a0c41f |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json.abcd
| MD5 | b4ae3dfddd7ead4607d931167f517da4 |
| SHA1 | eb4de13aa534440aa2532cd467836af2ad01959d |
| SHA256 | 7f85bc8590d0508a8599b2801620f8bffbe61b417066e7e552a8954ecc43c41b |
| SHA512 | cc52c318899685da12f5ebbe16dd005b60e1b3a07297ebad7489dbc2ab8453a479eeb34011435cf0be15ef91e985e4a4a045e62e0ddb5c9b0d4891284824380c |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json.abcd
| MD5 | 2a679deb3950c480542fa79098904ce0 |
| SHA1 | 0e1cc263ac5f2dd5939068c84c176316f4335f6b |
| SHA256 | a91037dc1194fb47ed3e4936edcffe2fcf2e79090282a1790748e59d4b623461 |
| SHA512 | 66c1780874b193e1df81983c7d8b27eb9dc324ba497cf239e699f2581fc3596b5e86d71abd36163179922d6402a7b7a1b0ac3fe0567ac2fb591c9ec5a6d65405 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json.abcd
| MD5 | cca7d239f8988b0b5900c9c3ea56ce71 |
| SHA1 | 7fc668e443019f10918e0cb65cacb102fed3a0ea |
| SHA256 | 9ecefd49d0f0168bdc52f8393c25f19cbf79d579f635f5dd5a282c9f0cd1c1bd |
| SHA512 | 8daaa959313bf8c85ca14812a890442f73b807883a638dfa3d0b5e1c180ad7b230281e5f742dd775b03609cea1bd9f9cb7f1f435f54718e6ea7eada9acb3ba72 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json.abcd
| MD5 | 7824b2aeae534bf6a00de315144daf50 |
| SHA1 | 726f1aa8738a8586a0192f8757872da9eed00d9c |
| SHA256 | 6ca7c3460a3210605274e98c30eaddc0d98e5684ebbdb422b45ac480680e3003 |
| SHA512 | ad1836b133f4a106286229a4bba6e0c53f57e06e8307bbdfd6d3a4bdac488210b723bc85abaa35e58cfb884fc6212614c0942176ef1a5f990e416cbaf7680bbc |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.abcd
| MD5 | e1f0c9a2cdc722ed84a5fe514cc5919b |
| SHA1 | bc11f4a4f0d88ddaa1f43180ad425d3dd42dc3ed |
| SHA256 | 937fdc2cf40eb8d24ed15414dfa82e4c0a9de9c899612020115f8e0f63fb246f |
| SHA512 | 27ed75f6d970e59c2485b66df6602cd444e23306677cbdfff57a2c2e8c91ff6218f367813403873ab168b183a2c95b0f4531d19df8c1c97eabce6427e7d77280 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json.abcd
| MD5 | b85ba5dfa56c39ba42df227a16baf93b |
| SHA1 | c3d977ae74a96e336010c1b3dbe84ade2db4e33a |
| SHA256 | 447b904d125b3e6e318bddc4851a54f5f04cd0d08fcaeb8acfd055e55375759e |
| SHA512 | 7e2edc9120196008b12bdd88172332969d3d2cb14663f97c93c4a29c22f9168c4b7dd92c6d97d8eb441dd109924def1809277e0dd4d3d320afc427c91f279d56 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.abcd
| MD5 | 042cd6f51e75c81887d01874d63a5545 |
| SHA1 | 79a6948813b706c430b971b28a82ddf630c65800 |
| SHA256 | da6f6ac800c41076fe47bd5b8f0ca2a252f4dc5ca7a6cf1c9138326654f2238c |
| SHA512 | 6d8921ad786790131c29c1cbb0286df300a3f609816656757826bec7cd9a74103fb72dbda4f9aba1e978a0af98f4663435c7e2644b184f518fa80c9af734312b |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json.abcd
| MD5 | 23b77676b354e30e88efcef3a0032232 |
| SHA1 | bb0fbb9a3a150ebaf6bf03424d889a628ab61438 |
| SHA256 | 962aa66c4b76ab7e4608451d18dddfa0bd49cb794c8c30bd21a6bc23e91d505c |
| SHA512 | 095bb22d4b4ad8c087ba7b5a6b1404d888cca3f28daa640ec4ad69804601c375e7860f2fd6a7b18bf8a6295f0294f7a2fb77e32e0938f776c569833894c47c72 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.abcd
| MD5 | 2a1df8f43fe0b2a95dfca6b9e0a6d68c |
| SHA1 | 59afc78914949b92fe4fcda6c425ff0adeec9df4 |
| SHA256 | b15e147a3b382b76e80eccaf9c414e7c68dfad2b1539410476f35af82aee3fa5 |
| SHA512 | 641e9ec5048150efb6eb39bc030df8651a58eeb9867112f7c79b1a2f6b630f45b9feb3aba4aecd7b25d85a07b4df8e3008d880755b0206d9cb2233414529f2af |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.abcd
| MD5 | f139881e216c86a9b2b6bfa6ccc937ab |
| SHA1 | 5a58e6922831d2d7449ac0d9fb8794931a49b0da |
| SHA256 | 0cddd123ecd7e09a4e6c2fe08f1ddfc8c431ba67bdeed344248b35216d283597 |
| SHA512 | 48ddac6fc927f7d193645477a1b838ff6b9ce71eb86ee6d54fde83f32104b5289d2fd194aeac694102aabc7dface03d1042a5d5681ef67654ab23eddc66e3fe6 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.abcd
| MD5 | 403e6386481e3bed5e5401d9467ae057 |
| SHA1 | f426c2cfdad1fa2f52b1f43e2f29585a2386313b |
| SHA256 | 20f6607b99c236c2f5ce9a89bf612d5b85b19a031ad14096a230184464827551 |
| SHA512 | a45472d5abfb82d83b6b38233cf2139be8768b11ed8f729813f5ff785cbfa09c056433914bcb466721edc721965efbdc9cd0df0955db93355658e132a41f8fc1 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.abcd
| MD5 | e20783ad1b43271e70a9acf336966a01 |
| SHA1 | 65892a1a85bbc99a6ca4d4b5f4bc5f847d4e69fd |
| SHA256 | 1107dcfb34e277c7351ecbc4bd7f851fd7c6db72c9529ba095229c6242cb2bdc |
| SHA512 | 577d387bf74dd2694bc7f9476ca76004e874cfcacd0cb179b95ea219f4f5ff64d7358ff1f5089ea2cbf58b4743c79129af72f60a2677ff0d2f98989f60741d37 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.abcd
| MD5 | ff80b0c20ebce4b67feb15ac9e352386 |
| SHA1 | f09e3d57650c6233f86b1ed5c1c67abe6bac9a7b |
| SHA256 | 30d090bc877c674a37eaf563ad217ccdf981695e410cbd8d78232d29771fbb47 |
| SHA512 | e816d99e97d9e5377646005118815c0805dad1cd7eff45958af1aafa4adaa918b2e11d5893ef0501be1989bd5223183a104a5cb7252a152d60c783cc27646849 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.abcd
| MD5 | 2d920afa355352483c81a9737ae52260 |
| SHA1 | f6c13120fe7007741ac88b305b88783fd0551229 |
| SHA256 | e172c0149e5e7185a33060f7c01ba8271873986b61f3f7e10d65cc3d42577f33 |
| SHA512 | b8ccab41ca43df8b9605f613850427738b1cd6eb28491942049ec20448b367ddc37a4feae2db632dedb75f3e5569d7d5087fb0aa1d5a2064fc427bc2b2530b97 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.abcd
| MD5 | 55823d3194657f8debbf0ae28a5ff03a |
| SHA1 | 01cf6b80159e30e04069f3563f4ed0f074081115 |
| SHA256 | 7f738b1bbf2076ba717f67e79e689ffbfa0396b7cb737a22ea3f63f259df3c0b |
| SHA512 | 7660f24a67b03cd38be64a31620be9dfa0e2b313a0b03827d86818d0f241a66794679ecb3712c70792046a9d813c3324863f34ee1beaee1861a290360a0f60f1 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.abcd
| MD5 | 39fb40f3d99f7f3cc3b626d7a3f5f3eb |
| SHA1 | f051f065fe78e71638a54f94ca569866bd70d1cf |
| SHA256 | 912126b0d70571bc5767da0d0aa46d9c7efb27cf14b151f2ff65613f97021213 |
| SHA512 | 754f9b7265737b7ac5dc27d6ba1da49d7bc9b1f1daadd33a9e73bd5159d86ef2b42794b11e3fa06b975402d42f8cac2eec1f0e2478ec74a6e93458508f90303e |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.abcd
| MD5 | 3ce2b688535e9a12061f73c9840bd7a9 |
| SHA1 | 1e7881ce4f79bda8a04401c01b1e0b95fa088b9a |
| SHA256 | f9038687d0c0d7e48d3a88d2e807b0501927518fcd17f680a11a0b20c60b6497 |
| SHA512 | 2eeaaa9ef9902708732a3f9faab3f24635857f35ae79f7952b4f4bbd93efc4bdd88fc9ac9b952b3af0a22b35195aecb4b50d21a39726ced3e34802ca874eb295 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.abcd
| MD5 | c30d065a6af95014202dda0a1bf6f350 |
| SHA1 | cd33eebef7c0ec9eda8177c1fd86ff0e58da1dfd |
| SHA256 | 9698b709549fc2a22d451537f683f1fa7e0cdff7aeb24f9b2e4235b8293dd78b |
| SHA512 | a6bd80b77409924786a4ee831d2d66b915cf9cb4adf5e98327575d1ba891ca4024e0d7b2846a15863b9cf348ed4f40ab73490da3c6c691f52b7dea9b28cab78a |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.abcd
| MD5 | 25576f64effb8906ba49fe6079d044bc |
| SHA1 | 145ca5dcfdac809a968ef7ee642a25387a3be039 |
| SHA256 | 1480838eca53563a9f68042924613afb62a2e507eec693c63465f358904841aa |
| SHA512 | c37213d5796bbd3966dea7bef78252bfb0880707bc10f857e76d01e8cb2d02544b86cdeead23132a2569c27faa846e7ce899377eff2ca2049fe69b129ae334e6 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.abcd
| MD5 | f50707624bf6f7d1f4a7ea6086fd4a00 |
| SHA1 | 20cdebeb9b08253f14e5ec06ad5c3eacf97dbae5 |
| SHA256 | af3c622262950106f33c04c2a767a16e2af892eabcee10d8f151554562fe0fe1 |
| SHA512 | 359dbe5fcd97e57a6522bb9928113b83ab557965147bf70272b981173cbce0254d77e4bf4c18e7738f709cba1e01c65dd65120b96a319181d79dcdf6dd630b27 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.abcd
| MD5 | 5ad9add07fbf6291f6c3bf455034a9f1 |
| SHA1 | 6fb6c133e953d61ab587473aaf764ae99cb2e3dd |
| SHA256 | e820e60ea81f0c59e075647fdd6a1d6c5345bc82c9f92ad6e2a9f1cd01a74b07 |
| SHA512 | 8d33edc05b3b0596494a7c83d57e73650086ca6372394d990912f75f825628f7b5d4f0aac29eb9278b4bb019586b3445abd085284126d897ab40ebe97ec0c853 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.abcd
| MD5 | 1f4aba05f5baf6c0c2f52dda4babc572 |
| SHA1 | 812e00417189bb28a3fb818aab9d33b9a1dc66ee |
| SHA256 | d74904652e3519bb199269851c75875518ae2ff6ee25c36c8f9a132a580f9d15 |
| SHA512 | b783c8ab8023b726cf0d291c31fbc788a96e7d147dddb684b8355fb050bbbb104b00fe10b74aaa2cc6ccb456d86b9d097db91848210dc337a45bb44743030688 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.abcd
| MD5 | 459b094f12c991110652e6bca9a7d5b0 |
| SHA1 | 5986a486a5be8c3a54fc5279253eddde3834dea0 |
| SHA256 | b09e2484098bd4437d10d74ca72d63e124806dcc7705be30bf565f055b34e2e6 |
| SHA512 | 409b6ac073f9b25b818f2ffe69d34b64bc3b8240e630b4b50a48763de9d8823da982a4df89b05e79e60f6b9a5d03c8571cd4b93caaaf8b02237bc6c489c2586c |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.abcd
| MD5 | c362035158d71aefdaf01cec2e37a40d |
| SHA1 | b73c16ee2e63947af8d150737254fd6550a0b33f |
| SHA256 | 67711e3eb4dbb495e2580508c88d2ea34244ef65014d13638fb003277bec77ea |
| SHA512 | 4469a7b7adabf05ac5a953460054884d988426f97ff1fefe4ba4e15e51a94ce503a63d156f88e4fdc985bd4ed603a31b835b032d2a1d327cc875ab1f1f707851 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.abcd
| MD5 | 8778b9945afd70d5ef44a6dd532cc6dd |
| SHA1 | 92446892762e84bef4b34a32ad428c708feadbb0 |
| SHA256 | 2e3e73aa5779db3f77c5429626fb833b13400634fae8d0c9609038ef2f0e4f94 |
| SHA512 | 6eae0afb9ddc9c010fb37d445acdf066819d7529b02ddf353d4c685796db36334616f52ab70e40bb2d02b1911837a7237eb5247d7eeee041e5706844d7b79ed5 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.abcd
| MD5 | 8aad95bfa4077707a33972659790c83c |
| SHA1 | b4cd4e221438b56ee5e3772d6d6e6afa6440faf8 |
| SHA256 | c4d1cdda9d430120414bc352e47d952a1dacf05c1b851de18ac531f28270dec4 |
| SHA512 | 311b0f42aa60733af4b44f7613680d20fb2bc29c895b8a33bec954e5d8fb901835cb2547beb7cb905dd9aae4bd681d8a4436dcc33bfd71d95033ec86a59d3e9f |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.abcd
| MD5 | 104ec8c687af8e203afbe9d16d706c46 |
| SHA1 | 5026053a865b9dfabfe2c8d435baf4aa860dfcf3 |
| SHA256 | d1e12ba7f45447730314b5bed31fa0221e3f33fb9269e53f0889d1c521018d92 |
| SHA512 | f3b2c7db2b41c240bc642053b48b550bcfd7f78211929e06d0e421875e82e52f1dcbd2a71085dda9a34188d6c2a16dfa975c76338670a628ea556b2172d04117 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.abcd
| MD5 | 7e30039025bb42338936b78d1bdcd50b |
| SHA1 | cabe3c64fadc54dd5787c323cb915f3adccc7274 |
| SHA256 | 390011b6f236a72e2f4ed0f32430cd34bf389913dc0b358a4583ade7e3561d95 |
| SHA512 | da6a295ff6a3a9f9731db5719b404ab37db0773b2bfd56344b5a09cbd14fbfe0e6f1905a60edc45a2819f491f78d8c6da4ab22c829a225f41d41d3a98e732e83 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.abcd
| MD5 | fc94a2dbddb54b9a1e18f3ad5f0debb7 |
| SHA1 | e675268ac0c21cb1540b86fb87d47e4b103e72db |
| SHA256 | 5bd44cfe7b553b6231181b607115d7fa7f38e5cf73b7643245a89db44be02478 |
| SHA512 | bc4dbf395758380b4f0fba3930db35f39b917f94081621d006b25477579ea6c4d5a12b3cce25fd61034f965cf901bc27c0a65579c4dcaf735e3a394d350f4681 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\stream.x64.x-none.man.dat.abcd
| MD5 | d1d96abc2a11c0df7c7aeb0c7fd4440d |
| SHA1 | d690eb62348ad09b147040326a64dd9135b97ba4 |
| SHA256 | 6afb443a468701d6ed7566d3fc043130171977e774829a77e80a4fed0b67b8a1 |
| SHA512 | 64f56a292192ccccb431ad03a2e51aa380ca486e588d2232df4537b02a580b371fd595cdd852201e0015037a6ecd4bb068c719ce12aec1d786832f97ab28b2d0 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\stream.x64.x-none.hash.abcd
| MD5 | 10f647e92ce2f8105a10d1c24db7a9de |
| SHA1 | 597242dedb03d00e81107f509796a935232c4739 |
| SHA256 | 44bbc9b9af48d6aa9284eb588261e0e6a7dd000a15dc6a807ee8a986ba2c0e34 |
| SHA512 | 6b04353d68f2bb20624c79eb75a4a1f6594b201132444dcc7a2aa2ab9c2c84ba78a2fc7ec1480127e4cac8d8b0b9f7f902a29a493c1b319d3d458fcd26396cb6 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\stream.x64.x-none.db.abcd
| MD5 | 9a0612917f3a7cd4d43f85988dd282e3 |
| SHA1 | 19b4862e7c38a9d95a2046c985ac26e2e8c8c07d |
| SHA256 | 4cd4d0f4822e3492fb7a0b2c4435cb4dc2671734a3a39d3eab3cf72b932e4e5a |
| SHA512 | e346dbb81b650d470b7ebe53709187d5e26eaf0c7b89757e6edbee3f70dfdbdb04a5955a230c991c32f4b8537c221b59cc6c912be81e3202ef2b44a305f5faa4 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\stream.x64.x-none.dat.cat.abcd
| MD5 | fea9c5336ac29691f4093980cb99f48b |
| SHA1 | 53ca1aef506c783e1e5f1ee48558aafdf10f0480 |
| SHA256 | 414ec2d85e0d52af8600859552650e94903b630dfb1d5a7ec9af9c26c6821973 |
| SHA512 | 4bb68ae19fd12127068692c4dc276c3e42b5dc43622078f86e814420070fc4e244d5d610a663e234a4389e720a54ad49116dffc7b28c9e12a88155d08a344230 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\s640.hash.abcd
| MD5 | c2b6c7cec678d43145c7d1aa4e6e82c1 |
| SHA1 | 28af9a128ad6244c238d4f6c62df2557a20ce572 |
| SHA256 | e62d1c0f126f8638831574a1b1ebb7cd7b600e3cd51b5b370755f68a45af809f |
| SHA512 | 35ddb21425eaf1001dcb69cb5bcee990f7df177a99a361a162dc2e7acf67f890b9648fd2b27592d2c2f309de588e4ed4cd3cadf56ce56531d72ca3436b7fb47c |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\x-none.16\MasterDescriptor.x-none.xml.abcd
| MD5 | 3e562a690c8cf02e3286be580c6e3a61 |
| SHA1 | 1d4381976a8b654e9d26c4599b0048741e2da166 |
| SHA256 | b3bfc4a8722ad608128674eeab300bc1f123881b7cf32a22fc6e8020f24a06db |
| SHA512 | c85e79f71d7022d742ae14f1e4310f41cc832e8cdfb651b764b885d4d93269ee21014169ec600db6ea0cb861b24170ebfe54db08242d2ecb3e362ed25152ac08 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\mergedVirtualRegistry.dat.abcd
| MD5 | 8efd23c40771e0cfc0e7d159df6c7d1b |
| SHA1 | a78488c53917307361fa7559de1d5848f7c6a9f0 |
| SHA256 | 8ba47aec209da891672f3c1012fa936fec2f850b8ecbd27bf18b4bac37148354 |
| SHA512 | 75397b8af8b200c6bc65e311cacc43063a696c95777c982a0ac518df8246c33c217fae70636571c20c0061cf741457614f5877232e773aeff7b5d1ff0623e89d |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\stream.x64.en-us.man.dat.abcd
| MD5 | 90a61298f7b87304129caa59ca730627 |
| SHA1 | 341ce442bbb09dd0842e9fe7e2a0c29d6994f769 |
| SHA256 | 432f11ccee4dedc9fd275ea8ebaabb803c5659e5e09af27eaa0bbf310604738f |
| SHA512 | d21a5106020ec5f2329c5b8426507273f8de1ab3be2d5034db05658d1557433d72fdaddce79bd69ff129c3d3d11dbe91d5fad8d045582ec0bcc8996cc88c6e65 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\stream.x64.en-us.hash.abcd
| MD5 | 2c6149d66a61a0cd6d0169a8c06740ef |
| SHA1 | 05ff6c791742f5eb2537cac782b947f2fdd7ffa8 |
| SHA256 | b39506ac492a36f4bf599b9ff8e9fec081ccb8c6817cb3668fbbbcc8ce8ab5a0 |
| SHA512 | 5a38c7a17d7818468fb5dd65a919ebd967edef0ac325e2641a9a09b4cb80c104d057fbebb68de32c72ff8568c51d344d98a4b7717b48aa29cdd1fd4c6b1d62c4 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\stream.x64.en-us.db.abcd
| MD5 | 75c5fa58e1b30126f66ef95d665f9490 |
| SHA1 | 833cd462c534ead51408652954f7fcb4d40ec896 |
| SHA256 | 5c97fd30c858f03f515885c86ebcf36d7d97701a1d83765863736b0d134c68d1 |
| SHA512 | 902cd814e781e66296dd7b47b637550d107afcfb88c0fafa860ea0a13557a26fcf9c5476fc2656ecfdb17a58899ef321567a8e6839ea55c0ea98bf0e0013592c |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\stream.x64.en-us.dat.cat.abcd
| MD5 | 23b656b3d1f663822f4362fb98807eb8 |
| SHA1 | f56327c4ea2c41f8f8cdbf9c4fdcba1ae187e37c |
| SHA256 | 1afbb64a313212306c55ea9bc27a1db6a7bb42c8c90245c5ef79224f5533e02c |
| SHA512 | b2c570b9454df8d18ce1a6a928627ed1aa685014ae045d0198c02245b7d2715e07279837bfd29485070db177b59a387f186c8f7555e81f2b390a275fae40724f |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\s641033.hash.abcd
| MD5 | 958cfb82f6560718a79ee748a3217713 |
| SHA1 | c652abda50cea0cf6d23f3de51b404aeb87723d1 |
| SHA256 | 0d7f6f530c7aea825268b6e6dbeebfdbebc7e0d74ac29e61230b60104bee989f |
| SHA512 | 7bc64442a0eeda3343c3f92d98ebdd6dfd964f71de95c1354d0bccddf7c38b627be090c5587d3647d009a87325d0eaccd4c1c97afdd8ed30495e73fef0d83b0f |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B3E3C9FE-EC8F-40B0-A1B4-5FCAB6B6223A\en-us.16\MasterDescriptor.en-us.xml.abcd
| MD5 | 7e8e40de2b169be56e9727d2d73b9757 |
| SHA1 | 3b65201a383d588d157fed5efb3419102235db1a |
| SHA256 | 204d27887dfe8de566b639971b3ef306c046c4098a4b68481640cb85b1d9d039 |
| SHA512 | 0f3488a02280af8d242ca50c450bd21698ce87072fe874ad46a6db14789affc8f3624d8da893256a5b053aca3d00d60cec5c5d87adbc05623d15e2964d85b868 |
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.abcd
| MD5 | 7c6f5c8033a574596ddc6c030bd8653b |
| SHA1 | 22d280054f2281175cb1a43663329ec3d6fbd5ff |
| SHA256 | 54e9b2e6cff1634c3c5098ebf34993d0d94dc5a0b0d3cf1ac6122bc945fdae16 |
| SHA512 | 758d402e1ad31f1d6f10bde9559927ed4617c81a620a079e80aef93e3480b68627a4184329ed4ea8b91391388b87ac1b9c69218d5c643c674f7e860247befcf3 |
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.abcd
| MD5 | cde55e75dcfe36cfa4ffe58f7babbf2b |
| SHA1 | 2b13ec0157f21ff2bf99a54a767eb2a8f9a1f477 |
| SHA256 | 037deb8645e26f2c0ae0067ffe41d781bde6204066d7d6c137a55ff01caabbdf |
| SHA512 | 059bdc22a06b20c7c71640fbc789ef50bcba72812ba1dd129fe3e2c6a454fc0e3564f76aa06076afb722f0a416ce7b6eaca2e1841e4a4e84e7c445213045bed4 |
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.abcd
| MD5 | 3df63d26e8edefd3dcbbdb2a86b6d12e |
| SHA1 | 98d5a530b300a3d0b7765f2de609bf3665b08358 |
| SHA256 | d1bbb649a7702eb4d82992823b7502548301ce6d3a0d78b7d1edcfada5410adb |
| SHA512 | c3d2e84a68a24cc2d7bd834940be29825719089cefd167c23dbeb1141eaa3ffb04ca9dd3f168bc47018c7af93b72ebe7000a8143f7f48dd6dcc891a8634b2e49 |
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml.abcd
| MD5 | c7286c8a3572db2b9b3542c2545d9856 |
| SHA1 | 214ec3b713be02ea30eefbc5fc40f832efa86c18 |
| SHA256 | 7b5b0715058d00c66a74c7ac6d8c2310184ce34f50c8e76e43a1461e5c5732a1 |
| SHA512 | fac37020acc5a8534ba94af1cef3d4b1f2770b7ee3480759ff5d06b8088e034f06bf4474ec3a5e32cf3df4830994f17d71240150914bf61c43f470addf8537fb |
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml.abcd
| MD5 | edc93c197c82e7e855dfa650f0f86eb9 |
| SHA1 | 6381495470d3d522153cef5f16ad90afb9f1c240 |
| SHA256 | d3364831b4ec29af773ed3b05d8dd2723b1fe57596661915da0eaa81b99998ca |
| SHA512 | 5713759f2c9948713b87fd6d49add55f969737620526369af61cd91864d8ce8d9e27a71b6c881f77bed4f27f3007521eaacb7ec0a57054f8586a5ce3f51794f3 |