Malware Analysis Report

2024-09-11 02:31

Sample ID 240227-wavrwaff5z
Target 6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.sample
SHA256 6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b
Tags
evasion persistence ransomware medusalocker
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b

Threat Level: Known bad

The file 6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.sample was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware medusalocker

Suspicious use of NtCreateUserProcessOtherParentProcess

Medusalocker family

MedusaLocker payload

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (6525) files with added filename extension

Renames multiple (7546) files with added filename extension

Deletes system backups

Modifies Installed Components in the registry

Deletes System State backups

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Runs net.exe

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-02-27 17:43

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 17:43

Reported

2024-02-27 17:46

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2924 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7546) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\"" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\"" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12 C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECL.ICO C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.XML C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\UTC C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21294_.GIF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME48.CSS C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\blank.jtp C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287024.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN027.XML C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2620 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2620 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2924 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3064 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3064 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2924 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2440 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2440 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2924 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1912 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1912 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1912 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2984 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2984 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

"C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

\\?\C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

Network

N/A

Files

C:\MSOCache\All Users\HOW_TO_BACK_FILES.html

MD5 94ecb61333bda39edbab82e57c954dc1
SHA1 99e37aa889e0705e02e87bb854009741668f7c6e
SHA256 96636af17b7a9988181c33723a6f30ee84f110f57a26004054d4149d0538b4f9
SHA512 d6b526895dca0ed7abc84807d3c5df9261767173955589323395dad270a9f22ce3ac587e07f99d96f557f6b894dce2951e7e70986a0dab70e4b8cc7f4945f359

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 ff9cebec8fcc838c11e5f9f9f5f609bc
SHA1 079bda7d762dd59b41a0635ffe967e8d92e78a1e
SHA256 25b6166cc70ca9570a13e98829001abd319058c01c9fea6ce2a24b36aadc27d5
SHA512 4156ce356b65db7da81df4ac9a8e34e9d55503ed6256f3f7057b3dea6d4d0ee6890cf275db6470399020d60c990f253668147e8b34455bfbe5580688f5f8078e

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

MD5 55b078e406350b602f14dc393516345b
SHA1 5f009f55e70af5a27d0c8c0d10717879e4e577cc
SHA256 111103cd324d614690b267f75a5deb477a281ff9325680b0d99a3dc31f11da38
SHA512 f855176dc9f174425feb5caa1380ffb00d81806aacebe3913fee440bbda42ad3a619ce8de09b868311eb0ab4920224455195a6e090fc0edf0cf2d05d4d55be9c

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 4205a370d071866be8ba408e2469968d
SHA1 6d29e803e2f6e173242ca0ef84951649ce754b26
SHA256 275d1bf2522990fa57dcd34dc416d05714082875c1077b9995aed58cbdf8e025
SHA512 05b72c249b8fb58e3a4694649d12aeb16519c1c5586d49741d42de7a81f919b5455ed7b11d434fa1fb662850bba32bb7052704f0a5f7c341a55053d690d035db

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 1db42ca0a6a37093e5168199e6447fc7
SHA1 e0559d66a286db72fa4b621e69c996afdedb4e0a
SHA256 446361063956698fd70e8b3e8723805899fbe26f1b4520c573aeb6181ef84720
SHA512 2f2b66bf3e02d208e1a55e8220174069dabfd963fbc40bd7802c63aa096064cb6b71075f15c37256efc6c8aa0d0016593765879bf76c86e26cef0fafdf01c907

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 7cdf5b200d94f77ceaa7a43e4343a737
SHA1 0bac71883be7c03058611d807186e9698e293df2
SHA256 b47269091efc870af2e57c51e53d1e8d854209356409d33d31bfa6efb6298489
SHA512 8fc979ea2d0b1e5957c4ca5052bad6631533990898041c9bf19394cdb8a053a2763b854823bef31efd72622ac06fd8239e788f8e1655920ab7ec385b8a7e781b

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 604ca0765e81bd862f7a637fc6b0b77e
SHA1 d8c017532b66104ffd52df0a7c81ba6ec4af18a8
SHA256 5be0c142945f07579eae9480def4a20939a816a4733972b5c1666f4adf663d55
SHA512 98d097d9256e015a65f5edf2b06271cdc72e9170539f12f4a6ab1eb8f2020440bf330a36d1a614b7cb03ba7351a99258a274900ca3b43265ea0960d1f7b254ee

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 e2cf926a383f03065a2c197673eca595
SHA1 733b20116d8bc8a81287f7e692ed59a3c1d0944e
SHA256 27188d8a8596d80a0d8b797d166f189e26d0651a90fc9c27aa106a98ba6d5f00
SHA512 bb3df1528e4c48fddb49183991022dd752ec32ad071beb6e8ac41bbba213f3e6b538da9167f50b99eb0141bfe792d8c357776d3d4ddbe3c1ba55ca2d2b7becd3

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 88af3aa76200462a8ce0ed215f1338c8
SHA1 236179a90981bbf961dea37beca0f766d0be6a69
SHA256 62fb58adcaf6ae28b0e2b30c64a20776cadbbfee571b0676c5b2d56b439ae535
SHA512 faa0ce4c0b50f4299afaa4b313c294693e5e17393cf427f4d91ac7141fcf9ddf13f7ab5f706a68c3235deb6ac6990b67760b8c6c79fce5e3955d512081c97651

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 3fd7eab10e4969ba8c1c98de237863cf
SHA1 f005a3ffe7d0b95195a100e785579325426e4618
SHA256 bc26246b4fca4cd14875b9e0cfd033b89f9e73cdead7125063cdff814f191e3b
SHA512 e078a0c4f89e440c65f3e2443ad7b52cecdbb1355f976749a9bc4804e97c17a3abfdbdf954eafd4655baa93f8d8cf655b75850cf4dc9887895f0e9e3b6336a1b

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 b23615a602ac7682d165b8388995b917
SHA1 68c699ae0a80b38fac2e6481c642d4c29dc0a8db
SHA256 1782fb9169cd0ca241f1facd679792153bb10943330abae27495259878e5b507
SHA512 c6d4968fbcfe9951702fb8de96352b2ca73540852e663192303ae55c78f5cd99a6e4dc754bd65db06846016a7e11e6b7b5c1e329b930deb3b6f547e65d95dfbf

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 6e6c3d634f6186de14aa21f9aaa09ef9
SHA1 b33b1bc42fa8c73460b98894e68d99a3c3151534
SHA256 32f09c349a5e0af0506f5100d143569c03365c810de07ca510d0a136b49ff868
SHA512 ea30402539540a2b16091ce297d77bffe55c9986d6df2d6aaa76dc912e887ea9748af895068dfb861183b42fd7caf718d8ac5b26afdca4d83322c18f360283c9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 feb477e8ea14e2d3943c1a5c6bee2969
SHA1 35c5cfe83bc4d517bb15c7260387674ab53a39d7
SHA256 54ef537eb03542847e57abfa70ecd05c03985ec2412df89994a2d2962b6cac8e
SHA512 3989210337e618b523b3cdf0953ca1952876aa8f1d1029bbf5fef62a81a8aceb1e9cef78dc61a40f485e7473345c49d291b0ab1eed44b707743ca483591bd879

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.deadnet26

MD5 d0a464152b790f40921370400d83556d
SHA1 45e6f83bcff98b96e67af5d4a1edc77f1d130bd3
SHA256 41e82ed719631abc5851f29b35fc2b04c1d1b0a0737dbc49654f3c4e820d15d2
SHA512 1c9e65e80541ffb8375afef5a4e88440b2d48ae58e5fe4586edbd4c2b44b951dd14bf94ec72f2018f1621f0cd817f006c15db3df3a84c1ff69a1c7fdf5caefee

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

MD5 adf1b06ecde7dfeb3bc45a9fdd2c7b2d
SHA1 a4c3d669047b2da7cb656d8b85991b62b0f01826
SHA256 1256232810f10071d89020c4c28c15a1b4efb31554df81b7969971bdcbe29893
SHA512 26b8628ed5471caf0f54085d60480f2cd9930f48a613b2dea86d61603c534ac0b4c3e552a19f73d92e81d58a38d071cb4ea747d81142bc9c26d1d2b34ce626ed

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 bc503cd39519f8f1d18fd2718b3019ea
SHA1 652ef8fdac8e1c24438baa51085a1641a16981f8
SHA256 f59b8fb44977ae3af843ddb56de219edd89a7e08928957ecd8704673c4662d35
SHA512 15466dcef187823fb412facc6acec6c9f84897970589c5b487a4eb5afedbd2ca0031f7cfb635a92dcdd1983c8bcd629f34ca0ff4306c1c6c7267805a3539f3e2

C:\Program Files\Java\jre7\lib\zi\Etc\UTC

MD5 bc667f48fd5dc0ef31c02dc4e984f46a
SHA1 7ae95e354b215b66c21abad80d2eb0c82fcc8bc5
SHA256 816546c02d59b78cf2a7fcb2ec31674620fb5272a2f378ef96c5984ab9af82b0
SHA512 e5c336858feb32b4a6bf8859c7ff5811fc638c8ea38b26ae3b07bea171a314aa8c3720767a5d3c44042fbb0706a981ae3bf5b6251acf8b291941fd2281adbb34

C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

MD5 f7868b1a047504bc3a1752b680d11289
SHA1 80bec34d0c95a90e04d1a38b591c06b8927f3f79
SHA256 d6735dff9e4be6947c5c9718a9e282a482fa249db25f3874c19a54f5e3134edb
SHA512 dc2aa2c83b00c0768a4793a8f9f21c5176147aa4f720172d6dc8e22dea5665c13cca8487c03831a6f681cfbe92e59c6899f682ad2f45ef78591c7cc02dcf8e10

C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

MD5 e0c347a817e838ba500a70089ebf8b8d
SHA1 1de7e76af33f7a8367c3870e4458e2503ca3b8ae
SHA256 39b11a9e19158cb978c3473f6584a55aee733f983eeac96153962121d9b57f8d
SHA512 8769ff8866a1a334df917300e0c56a9dfa36abd3e2acde1e9c71d57c3e735935240173a98c7146b9573d944fe8e4e7bed13ecee01fcd9edb8f7bef6c4f63bf69

C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

MD5 cb3a09794f2b8453797e93fd0f7d802f
SHA1 1cf0ce003790274c984960152315e6e98c280cf7
SHA256 0fd4e4e9e6bb87111e7df458bcb02bfd3e89759db44380178131c77b5e8ac372
SHA512 bf2a4ecbdcd0177104deecbd64559af4f6d0c183ccca52eb299b8e7d5fe323a92b83344125c239e55643d188196bd2befacabed4b79dd677e4dda79a55fed19d

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 80db456b1c04211be5d88b4643cd4206
SHA1 9077a0e3a09326edad574bf434d148e84784743a
SHA256 3d043a1bda9f96fa248b2d99da41a2f6d9076749871cbed6cd6db2b0abef2c7d
SHA512 8fe5321095592b0865d2ec131597538e69247da97c25dd17c877cabc1954ef200baf991ed9d5db78a48b90b053c9a962ceb0dfc04d6cdd3b1ee2ceaca645cf10

C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

MD5 1cc3d75f3216409b3769c97b5e7d2570
SHA1 5da0b9cc8d8e7bed8ffe1827be28e3dd67a9512d
SHA256 96aa4c9e01be4bb8a00e7d10af7c59cd368b3676f36a36c4f2f01a231bcdbc2a
SHA512 69d78c3296aa4eada9807bfc874a47d989fe3b39bd09812d2e7b20484f0c5a4ec3a64a84c6b1d1937b3f57058f2265142c76a6d0b68c0db63a70bf2a9889a307

C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK

MD5 0a827cb412244e4e392598f0c047bc25
SHA1 5044effd14845d0cd2c4d7b538c955c5f66262b6
SHA256 411da73cc3aa65691ca14d776512b947bcf25dc096de6f35321ba692c8c4f65b
SHA512 70ddefe0f07324321b1a031130a06494bc996ad19f2862c9756a3e6d4a2dcc3e8d470b5d7420bd76af78d1aa39731fe776be66b176b258d7d7198ab469318a1d

C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK

MD5 89cf7bd951cc074286888a2f4f41b6ec
SHA1 862d591ec7a34bc5138164d93f77e98b33bda9ea
SHA256 10e483e96f1fbe9ce7ef8d73029179c003df1018d992b661ab7e6c6d037948f4
SHA512 2ee038b8c4d17d53658c26b60d0f99582c51f57689a731b773ade3a4cbdc036958164e939f2177528eaeee6ba8d98d4c724b76bdd4ace93ede004960837df056

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 e9cd74ee1fdb498752007714859241d2
SHA1 ba4a61f9808b303e8e509ca32219142cce6b896c
SHA256 36f92237b7a7a7bbbf7ab5678789179297a32701ea51672691d9e91f59d8f60e
SHA512 0d8e41f04b17acbb839d1d22e71b803883fa380dbe9d68e66f579908d55bd06abfd5996768ba352e1e57ab6ae335330be0eecb27788076f38dcefaa2cc69dd9f

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 a59c680beba3150991263808079627c0
SHA1 a923e81780cc2df12092398d64a065d29d76d734
SHA256 41311540fabad45e9f11fbc72743ce89cd45972fc6e263d4334882c574ac1e64
SHA512 0b9d2ec4bf62911800ab3a5c9633ab02e7f4239575d22cb4805f2176587990ce0264f9dca72aa286b86b80c8018ab9392bb05665ae9e1bae18d6c7a9df472d46

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL

MD5 87a6e2fc1f4c2e9f5cb076c8f0a4a0b8
SHA1 044fcee304607f4a07866c077882ccf258f47e13
SHA256 fcf317fea43c36048904e03f70b4086e7f1a7ec7f829ca657ed86947a3cff56a
SHA512 f103fd031f956065b45b44a045511505ae0697f48e9a2e228d3c57894684af881acbf1abc4344144aa3ec987b39a7ca61a91630b3c0344f3eecf97820efd2305

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

MD5 eeb4ca922907b39fb0be8dd4a2f23835
SHA1 a2334efb1c9c61cc74a9c2e2b22e0a40593a75e6
SHA256 21ddd31416dd456233a303eee77573b2b9b3302e13e289043a8f6b54a278ca5b
SHA512 593371b65bd285af548c513cd43f71c0af30ce2672220436d0b035a3bd745f243f30d03ff49bfea744d0d440eda05c86dff704b4c01d2279c65bed7c9fae4f4b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF

MD5 65f4f0abae57aa70e56208603b581b20
SHA1 b22612c425586aedcedac3189e9df70873a22275
SHA256 60a604eb890b1fbef9d133e53b0a3a057ddc43b310dc906d98c87c3a69cc604e
SHA512 bb43fed051905b64d09ecf73a9b631ee1d246dd541937fc0f01d11f5b111ade2efb67479aa608fbb369602762c4de389409b065666ea4283dda3cb276bc93ac0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

MD5 778d5f46783dc08bedbcecf3263d2f4b
SHA1 0e1caf4021ce3214cd768a329e94ea75b9249416
SHA256 4f095a9b43e2f90201b3791b08cf103bf2fb5fcbf714b5c1ae273823907a32e9
SHA512 678394304a1d9cb797b33fd45ba7561904f144602975bf32962640b98ce9aed3580b0c7babe0b4eeddfeba9039f243e989f7a3ac3baf5351243d8ffbaf6a89a1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

MD5 463f9322de9f48be38845f5799881f4f
SHA1 5de351da86926334f31ebe5c18ed488363fecb94
SHA256 9a0a311fbf3b1bcb7d3397b802e90eff09876465266a117095cf87d6d6c7daea
SHA512 3ba5e7f1ef84d1e51c051505af4825ace01716536d63ee9ff0da977b801c0735c9fab196e92ab97f4c828c7a033cf506879bde3c56ecdf04563856980b97a39f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 a3b3f7ef9b102812096f79bf2ff6c355
SHA1 fdce3f19bca7c66f2c58791098c56a05a62eab39
SHA256 c95284fc7c21f13b9a5bb72277d4bebe0977b04f0107a25b8ee8a6c597df0891
SHA512 1aee3bc59c264bdda5634bf1071f45ad451ea2d0d729932b9bc2873c4bafaa74657be56f35b2d7e004184862bc295e76fd489f718a8c82c2e036d9b31a6eb177

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 887349ed45988da529916aa2e84fd828
SHA1 d99e1ae77a874130aff28bebe2286d307dc929fd
SHA256 85d56ec32dcf7309e45ef72e20902b19a0ad48160c743e0aa945a02690bb6433
SHA512 2eb07904d63f956da81bfbb18f66dd458b73e973f24d83eac649cd1aaa20269ea9a591ca14ec29b792c6e7273e4535e85636f6d19539022205580e148765a2a2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 067bab43f0d25399661f182453e51d96
SHA1 f61ca95e61897dff954e2e51a0db664ac9e315a2
SHA256 2fee5ca67a57e44a5cc36af137a2198116ca5b81173a051a4ec16435a746f2e5
SHA512 2dd899d9535be67fa6fd4155a5218a6661a2a41aa740a60bc17df33190ad09abc1debea2f03489abc0391de3440dd78824b0bc1bf5bf2fd8c101996550f28295

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 6bebe077118bd12b6173514107ea9e7b
SHA1 be39f06c29e53211d04cc637ba5bcd047ab9c4a2
SHA256 5a5de16ff363eed6657636ac9029d4028aa4e8374f9ac7b33029d2828ac686a4
SHA512 4bc11cfbdb6d713e3c0b5c14f96ba7cabe545ef2e75408f34c11c1ca2508a622c264cb7dc6916c4eb9277faa979ff1a5ffd2dc7315aa0f606f8dfe22e33ec970

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 90e40f7482523c8be4775812f20996c1
SHA1 362a98f0c9bacf64c261acde6dcfcef5c6ae111a
SHA256 0c92a8b4cf76a366e15ab5d23397a945c0462326b007af4d3b9f13f01a3369f0
SHA512 8632a09c4e9a230c93d6f5a5730881cbd74b7d327545ca330b8440b2452b9899b0ebe39b95d428972712709137a99237ef0c4c9a524ca80bcc78f7117b8738bf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 36fca8204e35db6ebf3231ae8e719222
SHA1 e01c7f0e688ce0e371e2e87d325e3ec241608caa
SHA256 5a4ab9c390a07ef31daa41033bc73aa2c39c8ef6a3ebfe649e41f179c5d25260
SHA512 e824f921020f63c04eb1835e4ed4666c7e3bdb571559c3d0af5a2e392ac123bee0d743b693aa39ec4360fd5cdfbed8c5e6f51d745256eb44476f7c5fc2d1a924

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 8f544e14e9e954cf9fe180a9c826cd43
SHA1 fa91a96a9bc8676baeaea87e52481783e40ceb82
SHA256 c96ca713f2ae294d91e85b7d42498268d885478e46351e957c07996d6bd3cb38
SHA512 e8d9df4b6e0b9544e4a662a5a55db245275d893086d3a9fac917b6599fcbaaedcff339ff7fb874f6b7562973dddb5e956ab4e4c0512a745f25778020bb088ebb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 38009a15ca1efae425931e9ec6976a5c
SHA1 668b5266158eee8236487de97b6e445bc11c8e68
SHA256 0cfbd01c1591367d97fe04f0ba554cc30838f229cb332cd64a51330c10d9c303
SHA512 4bf32336038c0b4e743ede86fd8f68b0f30ac5f8c7602314fd90c0dbded8e8d37ac04905744872a07327b2a7a2a1aa6d2f73efa429380edbaf226fbfab45cd5d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 99aeac1f96d3ee9a7f35c06aef1f66f2
SHA1 b1bcaafdd9b57b07f586f607e7fb0caa491d272f
SHA256 4a602df4fd1bf22a75154ffbbd1f952be2059e086e375135aeb7179233896c6f
SHA512 38f722b6f16860c7e873dfe495756dd8b5f74b252b212f25872b5134a1b40df73fa02c19fffcd0074c48a05175fe375139534f29c17659b645c288e2d49b49ac

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 07dcc57792ad88a4cbaed446062d46ac
SHA1 f23d5227f64a8f8afb1d9815c5ef1a56cac5f1d4
SHA256 f61ec2ff87117fd0cb4fa7aa29bd890ce1bcb68b722cfab4361fb2f23534f410
SHA512 b145d41ff207b319d2316b6460c41c16ed2ea5c1e9d9ea5ae5f360714469f0b923811f5ea21b1b3c82d2c45c09758475b1cc86dd9926f6e28f5fdf20b3b359e0

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 00ef43384285dcef2dd8d7f5be979a07
SHA1 fc470c19bcc0f7e469f9c29bd38b769043fd76c2
SHA256 955bc17ab052e4c6ef2e15890054fef69e7b97e020a743f17ddd3fe8b2691df7
SHA512 741202e94a522c9e26d382bd92dbf63a0a68261c81b4a6f5c0a7f03477ae26e69b48904f7664774abb5c153dd1f94804a9d9667b3804519f05a6e59feae77e1c

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

MD5 903d477194abdaaf89f47e0dd3ce95d7
SHA1 bff8dec6c7d8dc51068abb46ffef2a40f12f93ba
SHA256 1069f257b623c44a1a13e12492c5aa3bf38686d033e4f38cae74bb4f3b3cb563
SHA512 a1eeb6a083c4748a72b94dae1f0b2345fc7ab447f7469cffd313df072867df1491d1b3a5e698b4bd204dff17458d8a5581408b55b33b2bcd256a07b5e336a764

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML

MD5 6be4c3dd334d099d3ba7732e73e8111f
SHA1 0b321e1bc936279028ca4c91a3d18c2048119351
SHA256 c5e0eb574f39b29eb6280bf68903ad7f4d61e6a0ff371b65f241de60c30d7f7a
SHA512 6936a2d1618973b12243adda42f0c26a5c7111927f2585d321fb9fe0e46fc3f5fd8fc58b6ab9ec4add551026c4c63d8dd8c197159b9b3c5b5cee608916353a37

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 24f2d64b341536541246c22f35312639
SHA1 6a12447a9b408c0221b39636abe1962b5c238c2d
SHA256 7f6e3991d624d79ef393c958687f356c058c496bf385ddbebd04eddb7eb0f3f3
SHA512 4ed175f8c9aea38a0178d9157d82a177c8fe17fc066dcb4ac50b77da098bd39d8e01c17f01955c018adb43565065f639157ae09dab87ae1b1bcb0c4f947b3602

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

MD5 dc7677e100119357b6ec29383135c894
SHA1 d784a5ef4b56b5faa43aa03bec53efee8b8afe83
SHA256 57b30bbb5de73ff0b77a137e70d77123a9e1e4431edbc968806fc284991f559c
SHA512 2c78789081b5cc686f217e96c01c74163717cf1eb618d45b7f48b5254c3b2177408cb137a00eff415495d7ac8c22968480d2e2aa012b172f34b120b6e9fe3646

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 101418945b1e261dde3742ee8982e513
SHA1 ecd50cc9e2e30ba632e65bddf5fd8251332f05f0
SHA256 7937ba37918104ddc9a95ab3e9a656763c182f93d989b2a0082c93cc014cfbe5
SHA512 3f2e878536fc3e20c4b4260099a0d87058aa7dbbba8ce34aad7b7e7d63a9958c26e329ba2c0342b8dafb0579437a8a3e96611299b787644bfe6d5415e7c8c1c4

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 740e8ba6847fbe30c50e23912c4f895f
SHA1 3d1042fb6ec51fb87069be8bc17966b3e6d89c64
SHA256 010c188dc977b7fb403c901ed346cd507b39fc85fa0859cd6ec31db94fc04ab2
SHA512 84ee63ffa2aa0e38a5dd9b712c133b294a9adec45b5b924fbc1925921b94dca9bcf55fe7f57a133ec0a6e91c1b11f29e317a9a9baf3037363a7b85d39ed072db

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 17:43

Reported

2024-02-27 17:46

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2348 created 3556 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (6525) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\"" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\"" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-20.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ms.pak C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-16.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\manifest.json.DATA C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\build.psake.ps1 C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cy.pak.DATA C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\compare_poster.jpg C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Microsoft.PowerShell.Operation.Validation.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Retail\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\GetHelpOffline2.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{D8582605-B537-415C-86EF-08AE399271BB} C:\Windows\explorer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3528 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3112 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3112 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4728 wrote to memory of 684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4728 wrote to memory of 684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3032 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3544 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3768 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3576 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3576 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2936 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1020 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 516 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 516 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 688 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 688 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2348 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

"C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

\\?\C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe -network

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

C:\odt\HOW_TO_BACK_FILES.html

MD5 9be733e789fee78cf387f0c686c657be
SHA1 af5be59ed514677e53dcc5b5a96abaa00f54b6c4
SHA256 b2faf988cd89affae79735876081f0d7637da761dd225ee2d2549285ab4ec4f2
SHA512 a620dc7d25944b292108a0590b19d7f505db8c4b4374040db2c8e2ded467459539034415bc4ab5f0a7e73ba2c960a81e43ea3b2813804d4071256cf912c34d93

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif

MD5 62d28073e4cddbe9b39e87e16a509cac
SHA1 5a67ab9e7de5af4e2f0246cbe67eca1797e11b6e
SHA256 9548a1d8c6e4fa303bdca029aad3dfaf408966920300124e0c824a4083dacca4
SHA512 66a0a0678e5570437979fa5fc5fbae851c027564a48fcd0b7a325ae52eb8d7c5585ab3c9b35bef0378537384b679b3ed3ad321b9e9cd15356ca0092afb2abb5b

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 7a72b2fbc0fec51db2506222d6eb2090
SHA1 92f476a49c45c342e94a568b3cd39db90eca9d06
SHA256 c123ae8d8cbe1b834463df1a897dbedd14ac9ab70ba4d423f62ff0e8eec72191
SHA512 9bc91eab07e18671f81e8f93c671d1b6956fc34adf49132275f30c731cd1f7f213a067de20cf812d7aa2d1cabcb4b10095e8c169d6949c2de0da3e7b76f79eba

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 ee470ba0c0f68d12e54e7ca749c9d0ba
SHA1 271cd618032cf2c547332e48cf95d49dc00d3c98
SHA256 7e7e0f8236041f892563f6da2f8e3d02bb383ebab8e338e2cc9f5b8cc39eb117
SHA512 a6e3fcda81e66d9ebaaf285679a5d1d9ffdb246e175318615a6068f231385fa05e38e346beb7dabf698cd67b02b327b5393a4fd4753a48ad3342a8bde585588d

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 777a90301c40d73dbdb18a6f51c336de
SHA1 a7b42b3f8c79997f08cf0d80b2d5a5b4772cf8f2
SHA256 ab92021c7c9d9bfc9a6a208f4380971320881a6beb2a6b75abb2fc46a0a1c095
SHA512 c95d759ec84592f8c63530b68412697d2d1c2d62fcca68498efaa24993445aefc195f7aa73789f9cbea5963e4fd8f03a6b5bf409d3f30bbc2e3ef4baa436e6dc

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 662058ac6967cc7ee1785ab767e80d1c
SHA1 e29286c1cd3377a3dc3c190b80bbb17bfa571cb5
SHA256 0d2ebcbf48f686d47bf734c3a9af29e8e41b5853d08f0e4d0fd5b60257bc6b31
SHA512 41b23c987dd82c023425aa657b8fe7e91fe976cf73ee54592273afc471c0be07ed786daabff8acae067d5e245c546ced028e7ba79a6a356cf86b85079931de75

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

MD5 b6b72af64b8de3bffb95446f74e97b92
SHA1 5a59e823d4852a4ccb0b30ceecc82cb1855f2616
SHA256 9ec6e31251b5c70c882d4c119685832914f1b8c603c79e6b9d9a6891a75c22f8
SHA512 0d23f353031785ac2cd13cda4051ab7e011ce753a870dbe9e4ec9e6d77cf51f79d2e62ade07cfcccb7dc6f8ed68723f103b7877335cb740f46f305d5fd36245f

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

MD5 cc0273713cdb7e97b611ff14b5c23698
SHA1 99c159886dbeddf778246b9e0e279954a9a91ab6
SHA256 a59969201f9339c5b810a8998e22b6186e7681eaaa012932a9fbf2fdcead3605
SHA512 a42d5d4a49cdb3c664e20414835edc940a3dc3e8e0f93c0e982ca46ea7c82f5ff0f5a58698be9e25685adc70e5b9166f4ecb25a6f5dc693aba113f057d42cade

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 ee3f6208b4b14d565b8c06eebad8cffc
SHA1 83114935c88ae4ed781c25657316cc82408f7c94
SHA256 5ae80a26592b87ad6d9f0d184de68116ff6db0a898bf6aa5c37bd9eb216cba06
SHA512 7155de0d064e28ea24fa38ae46e85b164d59eec59a950b13a63f9f4747559dbf82e7ed7859631851ecc39da509867e99502de9ced1a64392df01e562efcddca0

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 984eba6cee5d99d194c739fda70dee3d
SHA1 2053388c9cb3572df75ae190090ad0de1f6b1390
SHA256 9a746e3cec0e7ccb631d1a01cc7da75c82c54ff3f6d89f2845fea851d53457ab
SHA512 4b636b4ec94c7af4c42312957c044577af8be1bd42024f18a69515d9cd5e405182fc11d191acdf3b5fb51a6fc918a9dcf60e21462e99d79b75693515947d3d37

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

MD5 14138455c22e77c9f8e218d05376e4ac
SHA1 d6d07bc301e0cff4675e2beeb38fa796ec3882d9
SHA256 6ba0bdb725cfb7f4376b462fb67dd7f98e4c01d98037bfc0c28b3b29ff9cf297
SHA512 84fd50dc266581a45dbb745dd7a6f5bc2161e4e20319c3c40493e0c6499ebf5b606cca2c4b151a18f8436c24a8287b2d7aa83dc82022d54c807b89c718a8884d

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 4c34f202b9ad99df4e10e92ba999ee7c
SHA1 c67466a533505375785f67e1716ceab06961823f
SHA256 bf2099b117472729ebb9a3c5192b203356f9c06ad97aeca2acedf2aa21bfe5cf
SHA512 d80a7481ed73fb39a9c79202c6dbc0841869ea6b7fdd06996d0d72a2d3584f3306adcdf9fac42c424d3a4bbdae426290560fa30f3e0596f7561e974a4cc3e8a4

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

MD5 9b93d895194bc4b9321c6ec7ad32a9e4
SHA1 8980a894a94347d1b54170a6db74657ea95f53fc
SHA256 0456fa1b948b42f5329d16623d5ac2bf7ff7a14374dca35e8fab021c26452588
SHA512 42b5dc8f4ae76e17097fdcc36ff87d9ff93e221038b46c0f2f469a2dae4f79ee67da385ad75361c6bbb5e4717073bff03c63f6125fc263aa9443a3ab1e7bd0a9

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 e2ae05c20768f792e52e9b8d065eeb4d
SHA1 0a4b644393cae4cac9f61647594fe436dc1ad996
SHA256 9a137e69aff476f364369c99aff5dcc2d405374af2b68c43eab3050375de119a
SHA512 b6d9ce96c38bd2353efd27079987dd7308f96dbd1114d0215ea99a72080aca521c5463e343893cd2b0788f0ddc89ca7f53c686aced4bedb4e97c3432e17695ed

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 a5bb18cb08072b3aca06291e32e47a67
SHA1 7698b0a1fb13fb25df1a697cb5973872d2ff465d
SHA256 6e71b98b83c6a999c6be08c421a3cfb3832aff2d1859961a88f5dc4d7ea7705f
SHA512 5e157570da58ed3906639738b95176e62d1276033849b25711d204774a3d7f876ce677e2d9fbb55c5c969b818fb50c89abeb8d799697f463680c4d313e943952

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 109678c90113aa98da148c2aba9ccad4
SHA1 06d1f1fad2d3d837c71a7d2e78d8e64453e40b9a
SHA256 467ba5c996455ee2c76e02299ebfd46b67dd027649e7c44a94a1e3e09145914e
SHA512 47d05a73335b9a13647a7e6996ff25956b3ec719e3183041a738b1d9f205ee25a03116cb3b80d3463a753ccf2ee8f5165fcd05e105e51eb4cd1d6948718c00d9

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 7811147132614a2b1b89d265bd3642c8
SHA1 1758b08db06d430647ce6baef713c93be6cd9405
SHA256 a4cc96137bd3da022e6587e509481008bdd1aa9f692b31f1f8fcf97dfd77490c
SHA512 f07d35d36d00bbbd7a55524b18e06f5dddd7363a617243a7bbf1c5e88c373e9d414716e1340bd39bbe9cbe62df79cbe95f9dddeb20ed4b8f24fbe6c561c93372

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

MD5 e48be6d619520fb888a705eb4783e3b4
SHA1 fcacb1aada901ec0c49040a9d69a8a834a1b106c
SHA256 5c879b00443684d1c0362deea05e2813ced836e02c91d06ccb654aac315b2d55
SHA512 27068e2ca19e65346151fd444aee95b7f4062208c609b22c2c795078796fbdfbfe01502d01c752fb681051c4927c4ad0f6627c22d94f0dfdb52230b46f9f2f76

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 280048c91cac3a637bdd00dc71c9fd3b
SHA1 21bf0c399a048a0eb5b723a6b8ff5620d02ca03e
SHA256 fa2c313cab3eaca8e321e0e9af8332a0d428e1225b55b8d8212fd804f3e9e660
SHA512 7c2df825391190dfa41f4852180eab5ee7c8f3fe54c2f45a5be24c88c6755c36cfc4ba3e210c563d6adafc5747626f7eef6f6065177ccf9661e7189f37471053

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.deadnet26

MD5 010fa15d560cd83cd21cb8fd997bee9c
SHA1 da1bc1de5babd2a16f0a26ee9894516db1dfc7ac
SHA256 4957246d49661c6831d1fd0befe158db451c61c6c0020b5028991b192a18cf21
SHA512 be25ae2ce6da08d030c5c203780ef76c17f6107413a003508019db0701bf6f80b98edcaadc2bb7a42cea97f7cf11189fa62a9b08639a7ef25e41b59156b147ce

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 5b8bbee13efe9f97e294a540b858f93a
SHA1 5aeb4cfefeb084f489a1cd490e7a3355aa126e83
SHA256 26b4e4a5875252b935e95846a908dbe2322eebcbd3cde9dfb501d6dbb6551f61
SHA512 8aeb7dc3c80f4afd3406f819ab1ef17d719e04108d22bd77a4a3ebaa2fb9148782f9f763ecf16d042642cfc545a7abb0268037401ec6d16b284f4cad4b4cda79

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

MD5 2a0c8eab09309893ed8a26c7812ed1c2
SHA1 0cc22d113340605f997f7902c6016968c60132d0
SHA256 149e1704a8ee3952c915fbe96819a3a19e41a9ab99910d5c28ad2f419b14f018
SHA512 20bfb1f121f47492a6a2f82f0ca91aae444becf38dd4fad3247b4a009ca627e0e19f99b7ec530fbc70f47c92b814ae2a8096606ab51851ee885e46dfa56bc537

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

MD5 313952dbeb7ae256a9717aba1238e334
SHA1 503fa20780a0466c8f229aa5d80b349b0154281b
SHA256 e215064df12bcd91804dca9ac7614ab0b8a7ba7cf7dcfde2d06927eb9b7038e0
SHA512 74e55aa8a695beb6c80b426d20e055c2fbacb4ed08fe63f7f98352880341fe1b602a759748438fbb397cf0d2b58d3739bebe0ac9e5c1db16c17dc07a04c154a8

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 84345c0fed74d15ebefa70134860afd2
SHA1 3520d6c84adef863df89e8015e7976052286fc00
SHA256 14b050c2bcbdc6d14ed3fd4042c6b03dc983059efe99a64850b106eb2093495b
SHA512 0cfaddebf4db7e6258a14e9c8b7a069bc7d0af0c75d047a94320a87c350fe7d2a35bf4d819b8caa1a178dde7ad8cc47986055491d85f012356b9f49c5e2f1cbe

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 d10c75a09b8be4da9c456512326045bc
SHA1 863bca799461d90dfec326e3e276190df7e49796
SHA256 6d177acd441cce05bfb309729ae366253f381f215d4ac7cdcb0f7350f1c57df2
SHA512 78b0ff635ea8ef1a3726cf55e7c369262ef5260fb2804382a4f3ec9304750a99ad6e9c9e32530a27ac1f5580d3708b423290e87795aa93ebceb93922c3b815ff

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 5dbd5a4784493dbfc86776357abcae81
SHA1 85e6d0416b55a190dd755270a11fe25487b6a8d8
SHA256 5dc8978b9e4b017e83307e0be2d76b7f7ee4aaf2832109208ed302cc5179d0ee
SHA512 10cbad52a210fc519180324aaaf6801aae4ddf216d3f8e9feb6fda4aba7bb98785713c957ba51a4e0bdc2ef97e075c218e7a6dad607276ea07d0cb55be57ccee

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 44cedf8965e31a049cf750787d0d578d
SHA1 a9780368b8b9f05bd8e1dc5694c91f8493ac2ab2
SHA256 58ce28c94a7d15c443cea5f968fdbb6f0616f0a6a8f750a7d080fa6e1328bbbd
SHA512 18b53f4695d4d021581c345a10349f3b48de5079e150d89be01f3c861de1660b7ceb164e53aa1fe420d5bf70b185b079685ea0068406e2736b61415434e129c9

C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 143277c3b8c81a42b65c646397e113eb
SHA1 cde54ff0432bf8d966341e66d6f480c4d0a02a50
SHA256 7e49b5f56ab2b5beb220ef513fd72d0938fafa1112b1f1379b3fa7c25e32ddb5
SHA512 55222be656c051d1b7a742fd438d0265ee87d38fec99c1f64352cfe38656c2ae7076aa90a16dc811c0eba3df1f623d678a270294e14662b71f59bd0083bdbb1c

C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt

MD5 1222cc0de4851662cecd5366724cf392
SHA1 439f09195d344d3d37d6c476fc392461fff6146f
SHA256 7690e2ba6c025b5ac74f9a9e7fee9c6593f73890b49ae67de91aedd09f37a5a0
SHA512 6e0792eb1513718e96f0541f0351306865be26158e07ed33630a327410fbbd28a19e98553558a9198d25701926fac7eefc147b8736cb99cc2365784863817448

C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK

MD5 d8290035ec3f324bed276ba541402980
SHA1 34edbb63d76f9ab0dc23cfe6bdc9da9ab30e3b56
SHA256 470c84eb4e5d88f4848141e76fa4b1ca56de954b640801efd119f7eff2123d85
SHA512 858f41755af1fc0a463733e3f2cf3053f4a2855e85a57234430997a2eddf99b655fd879f96dbb6a3a900467667c7e20e65398b43caf911bd55e1f841873ef660

C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

MD5 73f3977ea7a8cf66313aada8198af629
SHA1 e071535d995efa502fa3009864c7d0d2ce23399b
SHA256 d843b93e8da3a09e82c51701616926af83f48be527e3521ac9bde67c1e5a2d71
SHA512 a3c1b07987b030e3e3de9e4078564ea1875c0260b1f7c0d8ee9b0c00f5824aee57e30637296843a7f3dffa06d745dc1b2db72c03a6f52c4fdb6950e30a98780d

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config

MD5 70c0e9bdd850d78ab895f37ddb6cff2d
SHA1 ed566fe3bb124e96e73f181e7af0d5052ab3f384
SHA256 386f5048867eb65d147d492c59a846a6472df1f5189ca4d3f7afba23595649f3
SHA512 d3ce97b88fef6b5083b422c856ca24d959fc443419f6a50af3687a6c7e9138316f4314c8159db488eb5fad5b0d209724e0510b1e762af73ff47f1394070d5dbd

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

MD5 d90eb0ade8e428f8a2ca6b2db26db46f
SHA1 ff347f079c1adf011dca754740338e7239652c24
SHA256 beed4dc2828c231e27375d31e2ff3284ab7f1e35caadcd4f367ad7f65dc00483
SHA512 caf94ce32bb3046f860e8b5dd08a0e55120582dd821c432161122824da18aeb75db932b9d2340a50d148441be82bc5b9e13d31943386c0bc7413f79efb2b498d

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

MD5 5d222a8134d6e45561afef7a6c8547e0
SHA1 ca235fb7481d9b37667fbd431ac3e51271630163
SHA256 c8691ea7f168b9abf1171be63cf59b06def22bf882df89ee253043d707a9929a
SHA512 b2513103426e13e719c9a1cb4dc4529d7566b2e45e4602758c7ee8c5ec1b3c4b462bb94e7d25d32bd87a140c377b5586ae890fcb759562be9cd1849abdee7053

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia64.msi

MD5 7a4578a83db642c4228d9e898368904e
SHA1 b1ade2b47d505e3af9408cf43d711721581ac84e
SHA256 69c77e4af874ef4bde5e6cfbb249e60bad0b9f2abeeae18dd969cd6ff2b77a46
SHA512 8379435be3bf0939062593291227347416060584627960a26960c73855ff51f91dc047e31acdd33294b6519d8925a5b0cf81fe55d5a3868ac18bacd60006438b

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl

MD5 265573bdd20b3415cd73d4086f246a08
SHA1 02e7e81eb7c0c5807cf79db8ae31b0147ccfd380
SHA256 f7f7d1ddacb0f3a60cd437903547ef258f684aa7a367e947d7de5b58ff5b1019
SHA512 02ff888a44daff896ac23cfdbae65f146f4118c71bd52e17780e0019c35f1c23fbbd6ca09262f10cc355b20fbbd2ec01432f38c5f76f68ca13aee799210335a0

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl

MD5 823f447a4dde5f05806f2fd4b0365740
SHA1 aad5a6c7d3a644c57f19bb06d68eccea22f80e7a
SHA256 49869ee87e50fa128d29420bfec1456042b38618c2ba3e0e5c4cde37293577b9
SHA512 b67fa1c5d0690526c8a785fa71da43a7c75c55f6fdd40181399430c5148e34d94ba6d70f7ea126ec962c79addc1e1828ddfcdc4072e758466193302aa9e167f0

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl

MD5 106a502b7d7418868be39fa1c212f85e
SHA1 ccea03a6d700f6f213be979b989d4568da7d73d9
SHA256 77b692eabe299a6d6cdd2d3aa72446a58dcfc93fed95cc3c9a4bca281fff5b6d
SHA512 e8529444351192a25fee0316093c382ad4e5ce0ae9a09acfcf33b6bf4fab29393397a5d5a7ecefbec7ca30244e8d4ad2048175cc4ade38c3451dba3586ae2a43

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl

MD5 dd5fa104dda7028ccecebf2f952c7d8f
SHA1 908c2e5356c3b4339a6da5fbc94a54f84779f750
SHA256 67741cdd69a335ac2e04aa94f92bce5c9ff64d07fb809563b2937ec38d35f02f
SHA512 5a4c27aa1795a07a0bb767000f87259b2fa8c1b22f428d6faab04eb25caa3c7a8a373ce11e8d90780d74abdac53c7a94ba0eb5fc6d170024c4c7593545a20f19

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl

MD5 2a374dcdf2b014b623c51f912c6ca0d9
SHA1 6dc72385edf27cb1edb8f88e9477f64575487450
SHA256 f5f34c4d5df4756ef00a6946325fc95d5e392f12bd3d359798a974e0c50d6ce4
SHA512 24c84a3032f83aed666489bb7e4e3868bb7918e224627d87a76d7b889d9512a1289712d0a5548ce044539f588b70fedb3ed3d03d4961b894bbb11abb59df4e5f

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 9e27c387017147ea4ba73dff1d76ea33
SHA1 2b3004c8d5c180c3ce578d1b0d62c512ac8948a9
SHA256 c6736eee7f8f92bc53a112b9c84863d443c29003178785431c1c6bd6538527be
SHA512 1a908a41eaf2a58ff2ce67f8771f3d8950e1b47113fa8fa8b2f0c92ab396eb29112648be4e3402eb2f5a24a72d58a24bacd37d824d9e57f1e21e0ae8776d433a

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 3cff0f85572659b94e48e8b280a05994
SHA1 23a3b51a2726bae90df7de9f1504bb399fe0ddee
SHA256 c5a0a9a597c872500b3f8ea5c905e6fb97fea6fe5bdd2ece5d2c716f55f3dfa6
SHA512 8b160b2f1282c9127c07b8d1e1146c9227a9e5513614339cd23866a9d4f524cdcf418bb6d428b6ac5e8da16fc841eaaeab1bd2a9279a4d8734f926fe9b0c0395

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

MD5 06db1a86beb98ab44e67d885f3ce9fd4
SHA1 91d3e27af40ce07a7014a392d2500a262cd29c14
SHA256 2850f78def86e6d5870b56e59264ed469985d20b576d7be98a45612766432e3a
SHA512 994d6d20f7e81f5da1eb1c900fbf3fb6e63ec319b141a94a78a07293e26d2023c59f1db14b7090b271cbdd87396fa9197d5b7b3326037b3a1f63b8dace199454

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 689f34bdf88e8f1cf19ece9face080c7
SHA1 7f85f53dd26dd89ba2d6af9165cc4d64ef9b7169
SHA256 22e032d05b5160e72d11c7172fce878d0b09790eff1b87c008dafa69197772df
SHA512 5e5f4bef60713a98bbf60af7d7ac177224cd29c016c2539884cee343efd945a8289ebb1360b89b8df465e33a962cfa909ebd7212b70ba2f18278799cb4f1d45e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 0270002d91364515d5d792f89d3d1b0f
SHA1 5e1e1c386cba3236b2795fcfaba10fb9aa0e9844
SHA256 3e64dbe47748ad4be0a7d4ee668682bfdd91a2d869c75969b05b68fd798f75cc
SHA512 2ec81a4cad15e23f05cbe5bb20657555962d484309ea4a55c23c321de62b21a896744587457fd26e19889b3e8a66abbf0ba7ecd9e8c58d99fd8726bd05a1cfde

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg

MD5 516a2485bb09621d7716ddf95925e125
SHA1 845e28c269e71ce4950aae0599219eb7b56c8f1f
SHA256 b1320d3573e1c9244a9a5885fae29ab15732d0eac44f9ad2bc211eef69916429
SHA512 e9b8fee5a30323febfa36321e443cfcf8c3985b4e156ea9ba2807d256a9ec8354e0b0b85ef664112e3d1a5a03a76ec87973cd7f73feb091ad4b7f14a3ff2d950

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg

MD5 7b90be2b42e5d81191400c9aa4bf4168
SHA1 f5e94209fb0057b0dadc0035b9dca9b30890e198
SHA256 fe3ae508aab467f5f0882097f237f30e0cd3ed40a66f80fcc6e4bb25f56395fc
SHA512 8ae8771636e1ffce25a7363aa8109d61475bf8598afdb94e408d6810cfc7700f559b86ac38d93a6b3cb95de0269b0f06e8c2c66f1bbd578ccf2dfe588d870eda

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

MD5 fc78461b5a86c31ec554f65e32fcbe77
SHA1 b4c683b413037833a20f64e090eebbc0c527cee3
SHA256 e5808481ec471ed742fafe320bfc1e0c7d43d12bb69dbe28dfa1aeb3d15c71a5
SHA512 1bbada4e3cd8ffd26e7d0e26fa3bec27a2bf658285aedbec554eb302cfd6d38d3ddceb7f784a0ec14abb90b803a982ae95d0b12938d293883b546789f2580b07

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

MD5 ecd9f0aaa7a1076174207c760a5d617c
SHA1 1aa03c3dd1debb9e820b7fd91a0d86d38045df05
SHA256 2b4980d09a3b28a68ddf6d6eedf590daafa3202cbeb9e7f2a38a5dbed90ed717
SHA512 74708635b3a9029ccaaf21f97fcaa9b741a6523d89fe6bb4c832c15af02073d0c09ec12c0d75f9f4858eac6d311fe0383d546893e764f6bfada5cf5f34f7ecc8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

MD5 9f45eea1998e27e20879f6c8621ec725
SHA1 390498ae362e91434138135b0fb44468304f1260
SHA256 6d0710bda6be2805cdf4e44610f6dfe8fd05b5027a225912f8b531e174a7b1b6
SHA512 1477f71eb06a537802d8965e36a754541596ba7ef5d9fa428620ab98cffa18c3a6d1005ec1100c3750f31a18c008546863b44d3ec8a59ce302e3fcd50536cc8f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

MD5 d25962ba0131f9fa19cea6cfdef63533
SHA1 167826c3e7936cab4da0a5413db2877b33036c5b
SHA256 cfdc4fbce383ac26496620902d7fb33574fb61babaf51bfce88c43a672614621
SHA512 580ea5714536cbdd054be8329e2144b32b25a4b7b9370221ff192e2fd3fb5f12399167555979b838dd46ada271d6a9a6a1ebfcdd043dc68df65d693749193533

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

MD5 ce96ae4863f902f5d5e0b298b0d8e25b
SHA1 4dad435a36784da58f8fd62ec17386eaf88a1c3d
SHA256 078b305ccc837caa5e7f11b213cb4bef04770f5ff0821f11630ed626a9ada7bf
SHA512 d8df5f3218fc2729372f2be22a6672b23b0034a9ec7684f98c62f789d2ea7f98064f140c9a106c0eda15619ec349a81cdd23216dd57ee96dca8dd38ff600eb05

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

MD5 ccca75fe645f2e694165e1dd22e151df
SHA1 72636e43571d495ef8ecc5785a523f1f883748a5
SHA256 2545efcc75b38d82be91ba69a1ca09bc0a746bced5f793e455557ea70a587904
SHA512 d37dafe6ca1d84f60174120c43ece4fe69e6574f1e5a3e1d878c3532034f6d01dc9ac17fcf8d1a6d52d13b45098a21b7dd0256d91f124156ae74360dc16d9de4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

MD5 e613ed646c4417ee406ef40bec0be23f
SHA1 b754534c9cfadd00d65a64347fa52e0f45f28f92
SHA256 f4e29e9103333d6e956b98db3cf85663858f420b70a19111083f15b172194202
SHA512 195ebf64ad3611de0cdd52db4ba44d14ac796bf2c253716f3a5975eb3bff4ec826bddd07aaecb1218554ec424d80f189bb57aeea5890893afefdda5d24da9e3a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

MD5 6b6987f1b203be9224d3ec60253cbe4f
SHA1 ee6c18efe113058a298e9e708c661db3620c5a7d
SHA256 77b9f5d873a53adac5c314da3e068865ca5b21dddb83154826db6a4044d98fdd
SHA512 37603a174d87d495c568c029786e9407a8b9186875cebaa08c8b2ec4a52ad79f45320302e54dad1014cc64c48062cb2102fdde10608b082787ecceb3cc746d52

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

MD5 8426af7549320232a900d59ef6017ee9
SHA1 9c24bec8955d46bb0dcbf4cf52fee6200850713f
SHA256 778b0fb30f7e59441ffb8ee181cdee6ad0ac6f5b56b6cf5a021de85acf425d77
SHA512 7e48594e1f62f1289278693cbecf318995dbbd40c87d24af3d18884f1e2880d4ba5dc804ce3181103bbd0c240f697e83bc1e3dcd62fdcdb21c65160a6c1ccf34

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg

MD5 e94660708a528128213c6c66c218a1f0
SHA1 2da95b2fc669f8290c25da2154c7431d3b4b5e40
SHA256 d93c50072d2943111c602b6352346aa5ad2a54b28e1eb9b27e8292d3dfb70b08
SHA512 d161b2baedd465a4573e468375fe79acaec632f98819df48356b1aade23a7edc8a23430c9b982431c1fb6ad24d8d94a74a5021194b80f47794ae523dfc15444f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg

MD5 17a2cecd7d885a09faf15c3ada470504
SHA1 001a065559c6e7cbf17c129d561ea7fa61c982b0
SHA256 eb34ed49316da918d05f87f348926b3b3de51db5564c925ba850cbf267568883
SHA512 73e97635ceb53dd3a2f89b5ce1ac2c35a7f61f19b3457e1a127cf539202f84d9bf4890c02a442c9fcc76bfe7a342d79e7ca7bb1f7aad3efd9343578ee2658191

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg

MD5 048ba4f5ba6df8d1953e2b08ff9b5126
SHA1 d621da115fb19444e5ed302452ea971efde5137f
SHA256 39ef983be9b8bf7bce6a57c12653bafc3abd5566b3a639d51d80c79321e3db6e
SHA512 1ce02225da996c63b1d2394a128ff9fd784ff8b1534e70f733b134348258ef35de6e92ecd11108fe508438c332083974dfd8bac91827d29e6836176601d7d319

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg

MD5 b70ad5780cd246718e63979c4bc9357e
SHA1 83b553c5834ceaa8581af662490a2e7d50ae03a6
SHA256 068848f68d8ede7603ea159909b526bedcaf237be083d3f876479707cbc456fb
SHA512 9af236ec821f2886762cfb80f7234c718886cfa1041acdf8639503dbb3233272578d7c42445446b3ff0cc72f46553f983242fd104039a3e22e61564fabf2a5ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 eecd22c04e9be39e6a21cf7c9bcc60fc
SHA1 725961f3a6398694cc74548c0554ab44c59592fc
SHA256 6e78c0964f0cd77d9797e3a5810acd191554a8721f882b9a1c837f623fab280e
SHA512 2423f9e9e6c22cc130a3e178561ad92fa394f1264c04f7a5b9014cde7d9058e96be35aaa06263f22e6b10b708142e98b184caba9877aa4ccbfe1e08498ea01f3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

MD5 aabe40ef148070421c330bf553abef43
SHA1 d70ec9f46dfc45a6b2d4cc99194a09125bbb33a4
SHA256 fb2dacc01f6d7a5848b7714e5c928241d5814d8ef4331e5513139faef59af46c
SHA512 491b1ec23dabd6174c35fdff73a81dda6ed85eda55ec5820ce945f30c47b0ea646545661543480f881c069a457bab271204d6d350053006cfc3dba6d50e43c64

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

MD5 3db0c114b1820538afc2aac3cd811050
SHA1 30e901648e089f07f95b6eded903872c0ad8e3c6
SHA256 2b358933651be32fe28394aab226becaf024367ce9a52d44dde936f034f31104
SHA512 92bd950054fd3b43db72a66589591714138b7cd6f456a67f85fdb7f4af5a4e8fa58b9c5f0bb145e312f81c7f55b7fc248dd8f1dd4c1c9275f14f2855fb76d49a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

MD5 a5ce7f285f140a4b733c5c7126cc0a01
SHA1 2f935875b584a1dde65d9c95071f584930b1ca4a
SHA256 35aa04f490cce9491a98cad13716e3cbd66ae12e06f8bf17fcd7fbb6cb9fa622
SHA512 191b5dbc14a5d0bb9767ffea6f0422fc0a157892beb7107bc25317e5e38bed5b88db54776b2e9ed897b61dc1d69255da5d138c5c91bc0348ae0f57f27e4f3e7f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

MD5 e4beafd0f88bdc53ef5865b814c7a9c8
SHA1 9ac6bb17ba0e9ca068aadb57f30e16af250ab715
SHA256 e1238aa36d61685128f9b78edebd5e055311e1f9d1fbb9633868c62358fc13e2
SHA512 8cf7eef75110a9b1c3a513c8b299d19e1c39612fa1877c4adb8359612a980cca51dde1d960e5c1715441d12401defaaf9b3e90fae44d33cc973ff15cff5db76d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

MD5 14223a444501d1bb3f6eb7e0d658542d
SHA1 fdf4181abc41acb87489109edcebaa89516d771d
SHA256 45b56583986d4b4878ea145ac00d8fc049097d408887354774d2a741b38347e9
SHA512 d69c9d15daf3c5fab42fe5026b871524a32604129ad6f8b91015b0a01ec29df784fac9b56db5cd1292153464dbe91aafb6d16af2bc19a40877bc41ef45ce2f8e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

MD5 5156ee90b92edf70a6ed464cdd0191ed
SHA1 4016381d9015924f1fd833e3f6812563dcc83490
SHA256 aee0883eaf14fc6cb1a436ceddd6a42cc3abb428daadd560d64c2db36e58a579
SHA512 3a7ebf67e13e4595247436b4ea84335b0ac2e4fa3892d392a1e413963c7f784a35b661295c5a4b482cf3188f2b8a04b98934fd45a14494932dddb2da14f95990

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js

MD5 241d610ee31f1202efc8055c9d46e137
SHA1 3e9548482c5184d2ee7a3acdaf945916d7a44732
SHA256 2674547259ff9eb29c8eda45f08cc4ada03ba2ba1bd92978ad492a0b08ab3fd5
SHA512 cb387ea95759c83d9a4ed2008fcae249398ccd91e1944400a6acd5cc7226aaf6aad45a4561f618ed02902091589ac655a6337ddbc20bec1ebce8b2c3612f5a00

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

MD5 00f633f585b64dd5431527fe46640da8
SHA1 cf4f2b1a2a9d0414cd86f476d41d5ef728d5c82a
SHA256 e6df0a9f7af4469e5b837059ee4d81e7c96ba55e44bff9556bff68abeeb063b6
SHA512 78c0164e502fb587a78609358f1e0e0c0033d6f59c6096f4d1a89e8debce3b15381eec1536737e56afd6bd4831b14f70a2c4e7bc934c8602681f5ec4347f4ea6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

MD5 876cc6649d46468a2695876807b2f4e0
SHA1 33fb4b2199581265f1ffc67d48555df73f2e18de
SHA256 c4e798504aff7a570b973eb99dfa52554a04ed01fd51e4f6df9a2a065594f148
SHA512 890743c5b6d9dbc4a4d26001ba4f6174a326a54f3d586025b950f1a468601478de35750d8b11993178ec56210b17bb654bd5d876003e2e49dc7d68355b0cc4fd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

MD5 dc9268827c97711ba0d13ccfdc47f408
SHA1 b6bf28fca31a879ac84a18400ac6d5ec2778b0da
SHA256 ba5917cc2ca7ba84dad5e9ceba04c1e80fcdb88343c4a45b4bc918f1a7361b9d
SHA512 0f4d3dfb1057a5b040818ea05bf5429781a1abc06c3ca2128448866458eda31c7bd9953de360d3ddefd6c3e5ad2c8266d3a4ee7a06e6ae2b6bdcf63dd565771a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 7923f82289d93c495c388477ed6cd4fd
SHA1 47a849c67157c999e21a84dbd1bbd7dc9341b518
SHA256 9c0cc3d2f6986cbfd95fd76852d67bdab0b0466cccd68886f5cb564994ae224b
SHA512 ba577f0d28a2a75be46d2a7e1f8773dd463630f804e7aa096f28530dfe187e77bc5828b53fdb7cdae8d6fcece1e0d78141e55720df4ccd80f847ec195c29f212

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 f53f7af4ab1963cb640615ac71440a5b
SHA1 268e754362673f6c1529fb56d727d7c0796f23fd
SHA256 04af7155e9d4245eadad29d03caee80a6f590ef61241bf2d28832bb5136b25ae
SHA512 15fec621236bc83e271ca1d94a9a9b07787bb1de0f11e30c05e107ab44a63d452a77895eebd7e37c963cb514279ba66f7947b1a76874131f9f5740de85cb6a81

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 d2e17c0d3e54a5c9c37582fdb49ac0ad
SHA1 a1ec71daea17352d925d1ee62fd11db7166aa8d0
SHA256 0bdbd05d89b08d2d4c64c0b9a97c638f67703b8aa0ac19dc289fca1c6c3120ae
SHA512 c61d8d34d27ca2f8029650a5d4b1d892f0e8389f5878c76d240a702cc3e49a2f0c497e2b22e7258e6cb2a4279bd164f461180bf3f60c8ccf021cdf8f859d4bd1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 7e6884e308ae3d2911ca3b47758ff987
SHA1 98db30570b7070fa24e0153dc284c0b3667c2244
SHA256 3cf0c2598e3082fc672c9d74d1def01b3d3b34d1f4e728853564c30a601ce7c4
SHA512 a42ff68c0bade801f7f00788bd1019e5ff6fefa3b55821f6772498deedb8a4f3809866b63b1920e6fb7be24d055db4daf4c475ecbcf5d23ca006321282af0c5a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 1a018382dab9b8434493e88a74f9fb22
SHA1 a6a7b1a006bcd1872a412c14b5d98c891af9a94f
SHA256 5c59dde16ff469b2a53ede1723d54ce2003aaa1a0f37a0400560b7890897f5d1
SHA512 c31011373a52359a5bd643cb40b548b10f084b8be1c7505274c4391a95d7cc343142c24534477037461dc6171b08ac53e0e3aac096544d71085654b9730f5713

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 eff5b053b8048db56cba24e07fa37883
SHA1 b80c3b9b9670d0c7fff945cec9e68c055c5a165e
SHA256 95ef4d64b9abcc12d364f5d6635da783abfc7fbf50c38f19aa198f2ea5f41336
SHA512 3dfa22fbc1da19170c5e2e059ee800d14edfa45e9f4ebfe6cf7db17844fd9ee36836cca4f70d00387203bb8a3bb59f8f19bc3130eba83a8e669b62343c48310f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png.deadnet26

MD5 a8e47234815af90450c7ade2a3a11281
SHA1 91de292f0c7f107c9d44fd66c67f6b97737711c7
SHA256 d2dc76c51feae2648018aae6a91801873651282dc7f2dade45b20b3622373261
SHA512 b80d4406a29ce45b64e99305d917c994ccc8ea9c0460fa69e794e025b88bb12eefb39028d1259d38041626441c9ab93c5423124dd9b02c37da10a25b2bb47a5a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 82181b6d4e4f90eacc46390073ae6759
SHA1 d5ec64ffbc3e3c243640833e6fd009dc0f05e3a6
SHA256 94a1327163b9d9015751d6d649e9c3421c47d046d9312ad858a5b93e75c4adae
SHA512 10c341c16e4c208a595fcca8e47c97dbb84fb521283142e14939f4e5985911e689598d3e7b3d0329b64734d98f9a47eb8d126baed4723de637503ef6708c79c1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 64215980950219fba0d240576eab6577
SHA1 ea539eab023a4dc74c4870ec7c424ab326812d13
SHA256 6921dea85a4cf787173a20b0c6a0b2e5c24f018c9a6cba3bf9df92fc8a79410c
SHA512 fb908168a297fac2646a7d22cd0d270c76c6d14e7f2f2b3a74ccc5bcb00e1b194e852c3f7692324ef0f947945c4d752a721c13136c03d78bea0aacc99cd8df26

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 093da5864fab51ad0ada432b8a359d1a
SHA1 713c473763827da90cbc783de3f6cdd172f15af3
SHA256 785d0d581519edb2e1ab2047136639c92f027f1fc7679147c019ea65353ba82a
SHA512 f06d332fcc7f88a275e1c08aa27466b792836566601f9a0cf4a73d6d0e7cb2555fbf4dee30421b0c079a0c906bab066d23917e9d1168a19eb85c6bed91b58d81

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 da698c67f458373413d0bbb143c525b6
SHA1 9f917a63e0e53cef11ae1f453d5ab3bb55fe706a
SHA256 dfa8709d8891e9305e93e64736e0700a37c9997d3bd21f9a342c43ef3c42874b
SHA512 594e737bf296c953da8ef0019ab893e990d994a58931df909f0b0c30a7427f338137b8cca08e400d419e42fe25103d60f6f437ad5cec56d000f39e69f7141ce5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

MD5 7c772921907d8e9ba6c2b428ddc7cebf
SHA1 cd8267963e15bc426622419516ddce9df6be64f5
SHA256 ce81bc828acfc0c05850339624b67e686ae14847483dc529096c21d2d147c21c
SHA512 89569504ba9c198cc746a027dd25d434104460721ad606656296c016b0571c51879bb11d9dc1325ec89c1a26f4354b9cda960d49555c10c9a09517ce5dacccce

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg

MD5 5ddc185272bc8609c386a37e2afa6f3d
SHA1 7d7d1a081672b35d352c651441011cf7499d2f22
SHA256 cbe92823cfb82fa3903b354d52d33ad4a8c950ffd1bf58789ac8bce3be7416b4
SHA512 2b6146e21fc715c5a69e9bb8bf9cb97d918bd6280b74545229541f9648bfe4559d8e33057f9ffbf193949758d6b6a60226e38ccfaee64122d623931042ad7796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg

MD5 4d98b17fe867671b351bd2bfd96de3b6
SHA1 217cf60783e6f7e96e0cbbc27b395bb7d0bc1955
SHA256 9bd7fbfe993de1eeebc840e0e2cdc9bee4b495a251df3fc5c647154b6b91b48e
SHA512 0a7e46a8db52f109fc86ee93d5378e5d31bf034ccdaae86dfbc47a4f03272e479d50a31a74b35a3c249ab5fd3fd1f8d53db40c370694a38e6864bdd3d93f7162

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

MD5 a5228adcb94fee02f913790303b38562
SHA1 3f707779d765edb06a5182dcf2a46655b41f2595
SHA256 aa0f50fa2d661fc69e96736b493eb16db88f2a21e955bb8d2a0005df551ecb76
SHA512 8e8d702bc9c94faca349acdd226206cc8cb1769b1822b52a93a566c6e968d20a8483262253e54b1dc7d8e40b03f4c86c373b63bffdc7ed989ffdade1c8a4bca8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

MD5 c7005b0d35b1c40974e04289459a9566
SHA1 f4daa155e10ad66a7ed037d6de8cb083435ede29
SHA256 3af53f609b990ece5d4033811ba3236c8b1659aee4b08c4e35c1dd13a4bd01c3
SHA512 1baef71c58927fea3619c3f3354e1ab4e40ce3fba59b8023a37840c11586b9ca0fb47675c47ba0800f56adb3f22ec5d9bdc4568ddff573301d433411f6aa8cfd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

MD5 f65f983703ecf0f059f572760505064f
SHA1 5f41a5367584dae508641ce6dd65583694d0ea55
SHA256 c7778fd577e2e3b31a195ebfd70f4d4853f2be5488798552fceaa139b4d388a2
SHA512 97f4c4e2649a08f9369f8d48ff4858edfdf20654995cdb806c26b410abe638f93da3b9ea16fe2aae065af55ebff42550721a3c90809a6833fc047ccdf8c051c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 99152d4853bfc47e9ae74950dbf68c5e
SHA1 9bf690e9d2efb8fa397e051e4df9614ec9578079
SHA256 1955d573ef9b7a49e0f9ff6d0d304ba92bc9ff0165e3634c8ed99b8352f2fc5a
SHA512 422c1370aa7550b4731d3767429395e18b66f52d022625ecdde5af73c02f7df00af03a7102fa0f0adb5db0d080bc84234a5b38659b64efa0c802b120fcaf1347

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 2e586510d528dcfd12a6ec793a5c0bf0
SHA1 2373087c84793b68a0842c2577ddbd0db30eee99
SHA256 d93924a0c5d7c691407654ca2891861e980cd379c7c3bc425e58ae126ae58c2e
SHA512 99077c9e88213876c9e8f72ab6cfd3e06f61088c5b233fafb9b76fe89d89eb68380eb0075fae2bc15e4172207b89c60811d731f8c59227622ca67eb48d040e93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png

MD5 9b34ec649ed76e6fbe413fcd281cde93
SHA1 5d94b265cc6411106c3842dbb31151799b42163f
SHA256 42ac561a51e54d18e9d6ba7c4424d4b68f41a73115b66368a0fbf166c38b579f
SHA512 9148fbcde7ef3da7868130559a522f07ded11ebee5423f283b4c4bd2bd4aadb0d04ddc831f6050304442ba479e8ea10c0d650d8ce8d1acffbbb015cc492b040a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png

MD5 b5c7f4429dbf27fbcdba2f0d084d5eea
SHA1 8efedf874c62f8040c228e42336f69ff5669d295
SHA256 30ea07922269a42eedf62260c70ac2fa1bf34d7753e9420f5fad025e4adb03fe
SHA512 67317e286d9bcf2d2bee3af9f649add70d24278d437d94eabec4c06de923d3f14a4e8c97f1cfdb442ca80ff3eacd180cbe62442e12dc931a98e9291f3bc6a19f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png

MD5 348d9bd99f91eddc79c7fbc8ff2e0e90
SHA1 c77bd810ab9855b23ea8481fa3167c2f8f2bea00
SHA256 62bd6d69b1d3dd20eec2f5e3c658d244ade93571c2e976e4e93cd299a52fba54
SHA512 64dcd4bb065df36053381db15a92fe19bccdb691f916e352e3b55ab7098b6caef0b10f2a045be8c0fe961c11e5001486cd32a4c66c8fa955212245e3f625e546

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png

MD5 a7e02507ac783308bb4db5b647bec76d
SHA1 39322084fc7e482703f3f00de71e18cedefd06de
SHA256 c58679921c7a7976a64221ae82137043ee936537998da7d1e9a439b9f9917d5e
SHA512 034f0ee361478a01685e611a27b8e392a5b0d4caee396ddfdc203e26cbc20eea238cc682c69225cf5cf523ea1e84336b686c762b8839a6803aaaef077b69695d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png

MD5 5aea62e48d11d626cc1ffd69a90ae812
SHA1 c925b7eaebb7d54105c39dd79feadfa872c39e89
SHA256 76a47ffca74bf8c26f51b967c6030b19ab04f6df193999048f7906c1aba3365c
SHA512 035a79309e0c2f7b124aff885c4767efea2e87e2d4f49ecbd65feab700ace52906e07cec884b0b71be4e113a9202f5b069e980228232bcb605bb864bf555e284

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png

MD5 a1ee3aab46b334e0ad07f3f87c24e92b
SHA1 ef92fafcbaf7e9a746edbdab4660042d5fae24d8
SHA256 e22bdbd4f268e0931341ce59f3556c24b704e989cff505068f584226b45a6629
SHA512 346a86ff1c4167b1ca88b4bd98adaf37306ec214abcef6a9436dba8f7b151857923c50230e9a5dd10dc97558268f436886537445a2d7d8d5c534abf95a653d5b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png

MD5 254f625cb2000142e075645f74abdf02
SHA1 a707fcc649ee71d9b66422b0d66a748bf3885efb
SHA256 66bd4a9c7c68c42e4edc69d68a4eb06686ce5863ff1d59cab03358dbac5e4b0b
SHA512 889e21b7dce5d53265878f847abce9fedb3148d9f027131cc1b0a229d84e234af28792e6fa26135270f6f0e78f121b7c6fb0493149c3de23228375b4510c1b77

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

MD5 8b50c09eff40f32e6ad44bd9bcc601b7
SHA1 e7d8d1b4edd1523c812325919c302546fb16a4a7
SHA256 374c6787b61818ec6dca6a4766ac5cecc58d9733121300e82751936f01612e88
SHA512 14329b6777bb0f1b7ca9494876f7de36aa58e7d4b79eabbd38d897203c9fe1183779a0aaf993bd589f3f7f76cbc2d21186670cfa2d9a892144fbd58b5d507a1e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

MD5 b9b73ed29bdb771e4cdec63d0204b63a
SHA1 467c740617456d0b643c0068230f14869cbecd2e
SHA256 21cc196381ea177038722002d208898ecc33a32789a39b4c4fc767e10268e89d
SHA512 215ded1a2762d7d895984730539caf49f9b7a396b975e3a4609bd9d149994e5cc5a8b012296611148fc3c71fdca9f63ae21e51dcd00de2b95c2912228d9f46e2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

MD5 b15e9141f4f6e9fd43c196d61bed6d3f
SHA1 1452fce46b74a49d7a2ac319a9a54f6d81ebb88d
SHA256 920f7175b1d128b7cbb471f070beed0549ee01a525e9ccf71a2ab577fa1590de
SHA512 1d4dafedf5362955d15dc6f5da7d0e40046367437acdc71dd9406aac75e4ec474acf3200bc55b9920d6d52d12b2c8a1948af03cf7b9bf0b3b4bad6a501d54653

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

MD5 0e4cc102d06d916cb548ae8fe5e8b378
SHA1 aeb141d15673eb5619b7f26f731023a8506886af
SHA256 f6e464a5343780913b4b73efcb021e8ebd84da528169f9162b22cc949936e2a5
SHA512 a88dd8b15b38d1b6a255c79f8b79f9a3b6cfb11ecc1dc934393a1249e4f0546d4daab90ccfd87018c4c8d75bd4bdb31804be9d19117c60a0874b1a9d5d0ed6ca

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

MD5 9ce1cb52726537442e6c9c45215bad8f
SHA1 bf8771d8118c8a8a6b6836c92ac977c2ab4c74b1
SHA256 6a17e2bb86478f1fdccb29df80840204d068450d935b5956546f25425a521194
SHA512 97b78e1b032548c8d67587921dab9764339a3fcf7185fa97931e3d42f96ac21c0163e598809c80adeb1ca682e98ec9bb2c3b2276fa9d433382d5a5f579c571b6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

MD5 63204ffeea57556d6c2275f1adc81dbf
SHA1 d0ac8b6f86b297c2c89e3ee73e99d9fc51f38b40
SHA256 130c29f405c61d6f5a0ac0b672d8241ab0182f22e2df7c167e3e80e42e079d36
SHA512 0601c6335e8d467f23c4491dcad8224f320b285634408db3422760a8989ff1c6e1c7b7473b957c680a8f5a188c70c1a9f1eee004d78f846a3af513c844496f7f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

MD5 ac795b647e2fdb136841b082cdd1033b
SHA1 d8cca6ba473fb089367b2989a73b2ab766062eb7
SHA256 b7aa10329126400024189d4503f9f5fb64787e39d021c9057873d5b4d6a75f24
SHA512 32e8b632540785006b2bf5ba6f9aa759ebf751ecb46b9b732f8295f34a19ed089938c3539d2c19c555bd3622a0eeb92046036ac24d5b1710b7845665a6450950

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

MD5 325fa1220abed3d25cc4ba175307c688
SHA1 e89524f4d53534dc69b9715a965efd784a8b7560
SHA256 cd31fa35d1911787722435f8f9dcfa1a1f97e4cd44954bb0a4ff54e839b15678
SHA512 a7c46af1acb422d4e081727323e4a0d4338af2f446113bff28780cf0ebf01dfbde8635db2dd6420a2981324bd2a64397405e38e9e265700304e49bdbb2615239

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

MD5 faca11292964e18ae407039d4f450ade
SHA1 c76978a6d3b6994bb1854eb0a590a067cbdc2ee1
SHA256 b05931f9e522d35d6393220b307fc5a574649127eff832fd486863866400b870
SHA512 3763e22874b0fb1d36da24a84d687d2ffe9162ff21eaebc1df82d9425c41472b858054bbd70146fd86169f633f38ca41e1941f8188e43e887961529a7bf9047f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

MD5 a3c62aaf79f0ff4617cf291b051e4f05
SHA1 17caa0b5add25d3b9a9403a19942a05ba237e2a7
SHA256 e3979892c50707a47d3c799cb199735c8eae7e1c4f00594801c4f8446e5359a4
SHA512 a19080cad2305ac43b920cf8262cf0e7d6ac1a43bdd1be59545fe6af0bf004d5b2663dd4bc5026a3455d53fcf22157be6956075a81d1b642523e2759bff630b2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

MD5 caebdaea708d9cb9994107fd0a972f89
SHA1 68db250973ed6bf28081799f6032d99d7eb62857
SHA256 5169cb67d8281a73eda27cc82fb4ba4957de499eea088cc2825b4568d85393bc
SHA512 6780f21fa7305b056767cc0eca33af31b01d929b8ea4503aaf9fa3aa65a8fcba218d22579feea93f230c1eb02c95af82b80661be2fddc3f9938893931d21094d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

MD5 f7b95dfea3c9feb7a6c46caa7f562e5c
SHA1 b172f67b6116b3dc4f1eaff477fcab675e9b93c1
SHA256 8062c7f54f38a9e326a44f00291517b7cd47eaf99741b29869581d78ab05d0ff
SHA512 5be1b17062aba44aafebaa807adcc449cbb171cf233f815cc7b36896a31fc207c69c07b9749a8c79491544c0101910e995df184990a3f04db9fa7c10ed45ec60

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 af9c279fb169968c737605e511a6e904
SHA1 4f2177b661570b3f86a5022043176168d36b5159
SHA256 640cad3727ee928cebbcfd47e22c5f063f6e050f01d6f6a0a47addca06ba69c7
SHA512 9320a022510f180a109e8986c11e2d93d1b5515d2e87e3444b9e93451f3e2ae5d9f6e06e0829b56e9528e2bfdf4f80737bef0ab4950b40aec1f70b1ee51c3c88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

MD5 35a37c89982d78f48c2edc2f0ffee1b6
SHA1 ab75763fd918eb48a9422dd90439e50ba3067b72
SHA256 d7ca40ca9155fdada0dbf06c5a82c99e1d574c1a07391a8aa43cf444eaab3ad7
SHA512 35a879d160bd506330d030593d464cc59a2b53ed2fa4ad77d398c72c93cb8a05e651c77917d09e5fe4d567698495a01472a60848aec7b2348a124f75d3f420ca

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

MD5 c188585e52c3994d6674ba46c1bf2ad1
SHA1 9c0df8ed88912a05a3ce76176b9b26002fe02835
SHA256 74935daf570a430baeeaf1709368fdfa0641c094f328a969c8c21c8bce0b5cde
SHA512 c45b9eb8be0ea9f9768709039c00af3a3659e4090c8942dc0080361ca66fb7483d1cf29d1ab5a0ca50d71a0dfdb35927b0a989d9c7c6fef3546e80ae124d80d1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

MD5 60afb2cbb0d07a738954ab8927360100
SHA1 35cbc355ecb589cc812204b6c568301f0a3c9171
SHA256 1d580e354895ac3e299f9a3cd7e4481bbc422a4ea0ce7760521439227c313741
SHA512 038e917c4276b2a219537f3e678da27755d0ddce43f439f8f88c5e891f7b2ee736697903e81d32687c14434c35258ca485555d590231e5f3c5167e00b1f9bb4e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

MD5 643188fc30c80f6056676db2bd5109f6
SHA1 56da5f2407b62d99d32e111dc39d2465be1c257b
SHA256 c96c6fe8d65a2aa19eb3130c5ef14363da34845fdee28f4d0798cafd68778e86
SHA512 b1698bf31ef548e805be38fba4f6f8ed911c24f1f4dbaf9765fb6b0913be3b8fafb0d27e670c99bf3a646367c659787fb8d24f33dd8ea4ace1e0ae20805e0783

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

MD5 82237208255bc0fe95e9060c8db85fd0
SHA1 23c9e8c30a1320753e4e02f6958e90d47a8a454b
SHA256 8febe1cff5c681126d8564c2e2f717abfa127a22600ca5024297235480231d1c
SHA512 54722c32f843362990f566b4c2f6942ccc7df54e909d709e2ef7a4173eea745607883892fb1a0ba0a0d298cf1f702a8c3a0fe835242d5ff0289ebf719457af8c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

MD5 f83b50f706dc43b8ec3a1d6e22347f8b
SHA1 1e76fd67266d7d97338886955e956d478d8e753a
SHA256 0ba5dcee76845b44a0d6e13a55fd72c30df26b84455a28d24aa9106b13c59a66
SHA512 90352602d237fb70e10e36014fc2b160e30af65af7d2eafebd7d6b79e2809dfa4f45784025b547698b3e9af64e18c0f2a21ed57e753980f4b7c8dad64b79f21f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

MD5 e4cadb84a915ce4c57db3069ac9173c0
SHA1 bfeac464196f0bdef3bbf538ab888c04e1075553
SHA256 6926aa2d9aa48ef9de4b48cb04ddf56d46d0194924ad4b2929b6298ba865fe69
SHA512 23150522dae29fd1df0792805618325a268926a58792e4d0e44cf40d4963074ec89651cb11cbf0e1706b10e92e7c84e4bb1c6048091dcdfeab79717c4e96a293

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

MD5 e446f69321f8c1eaef07b6b795236ad5
SHA1 8f9036c6374f1e8721c8457ef1af26f60d50c10a
SHA256 026bc28d0a3b947c9b8a5f484b1e71ec6b2a96d48ba9cde5c29aa84c83696dfa
SHA512 7f91d1bb02e2130037078d2a85193df42a2391e2b273a83553830507079a2d4446ccb58dabbd6e9ec11130ba0f2ca94739d82e8dc0231eaec5c81892798f6525

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 aed7ffeac394cb49ff9e9f87deeb8322
SHA1 c1a5a59852f271e9777d0c8ca8bbef8a51f0a69a
SHA256 8ca8dbdb5d59308820e80124e3893276e411c5046d82ab5cfd83a2977d59cb36
SHA512 f1b71e52a87fd4615e878d1462a3278a1f28012387e088d986bc53c587c80956a8952f8613594b34f111bd413df14d527b582818e473e76c9302591b7ced50dd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

MD5 86661baffb1b7c13756444e25a429c91
SHA1 8058bcdccecf02823a286026bade636ac6c7b5b8
SHA256 e75151eef2b7f1b09f92d02aeb13a5e53cd65df49342c9182624137a7ead42c7
SHA512 fa65eaf930cac0d813bcbdcce62eeb0a3ab254399bef51afc671ea507b468b88c04cfb0fab9b5ef4a398e7065464308acf48b6c7dc571c14d39d991c63d5a970

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

MD5 e23c84a4ab491d4a4a6d9dad6e03aa87
SHA1 742975b047c653344c9a70afdcddd257e969ad3f
SHA256 9f2c597cdbed41dea39413f8155f70adb348babbeff3483811f2ad819a05d697
SHA512 8e2f7c02fefa70c8ddd4853f502797990268bdf71642dd2ecaaa22313486fa1fcb74c53d3ba31b5bae415abec251f8576e9b1289ba499364748d9054edaadf6d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

MD5 a09d02efed409d1e0280c22e5746276d
SHA1 a7ce9cef288cf48c66b7db3b36255241a9d876b1
SHA256 77f0282f7b84373e4a879bed0e0399e3d00712eb3ba86453a1b601dc5fc15a7e
SHA512 324527a4fc651d0a9d93f1e589fe95996f7e6e6be740096c1dcdd01d4f58de49f4c6d13b4370ef3ce1fc40880773e8a9b005f4bae3a2664e0bdca61418c96711

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

MD5 f90c980199b6b830202418b66a169a71
SHA1 bb72be560d19166bcd99ca4dab53911be3ab7148
SHA256 ccca5dcb0e894714d7d6190137105136925022637701b2e53807c9942cd49dc7
SHA512 8757b459d881e099d0d2c2c1090c2d3730101b4e6c5fc7d30f4442b0f67abd5e9ab696820fb37b104808b805546f8962adb1180da7a1099fa02b70f300b62673

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

MD5 f3308d94bdbb0909512ef4dba9cd3987
SHA1 7beabd243c83503cbe4f715a7a5e914dd2e71fb6
SHA256 d1ba5bfd55740eb8b5b5c430c5d9153145c940335653a5bb42c108c2a9019b45
SHA512 cd632b0356faa5e8a9544e18d7e3cc4407afa0063e9e5e2d165fefc18b35e3ef396165e951410a397dc3508744ccbdd2e0f078a4e529a5c0e1b95de112931f4d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main-selector.css

MD5 9ef9b0e49ceb3dd4c203ac5b875005c1
SHA1 c3bf8a5f8c58ebe805c59e2bf63c4d6cd7557c7b
SHA256 19923bef0f2c7eb35eef05c614f86fa9c62268eae6a51843b91c490f5308f868
SHA512 d26ba23974c13718b0fd654490279c995621ca2283fe6e054f66f07f8939174794eb24ffeffdffb4365c39a25632098a3e50dbd2670f62fab79d6706da108122

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js.deadnet26

MD5 6bf03d33d4db158ed7576c92c721d916
SHA1 bf425d046fc1d873feb019f63c824df985be7e63
SHA256 4ce20b7c1cbb3718cf8dab3284ca5ac41c77d7a2854b982d70f748ad3d309b5b
SHA512 9b84b11387482def0ab522021144149dd0336c747b4912a30835c10d57bdbe3499006b7c20ad9c8cb930eefaf970e41ba33fbcb1a43b37776165a3d8dd762021

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 b52a4e946ad58056ed49c46dfe9c9fb3
SHA1 b88b34980a72ee9575ac83af5f033886e85aad59
SHA256 31f7c8dbb63831660dc0d6aeadefab82162e2d4d0070a2faf5f4ecec44036d24
SHA512 a27e033e6451d14cc929528937b18fa1ac72e951f3a5407e5a9994a8e363b0c7390afcfd1ec4ed0a23ed6157616148af55b84b474abdcf672777a1be16cccdd0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg

MD5 060613661afcc02aa38c4670154a40ee
SHA1 48db6c9fd6fc7dcc8388772f5d8689f058dcbdf5
SHA256 73e0fe3bedc8d0b7c5cb8f6622c4daf69f5888a7fe76625f77f3774ff6cc7ac8
SHA512 5c6d626b525763b6d2472977079a70c52f0a1f53fb2c27db1757e8ffe58e21aea39396b2d8bd4b19eda6bb6c07d6b861b782d48d6babc2e987ace2339a95f6c6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg

MD5 89afdd0ee531d2353103e59a0e269c25
SHA1 f750517ee7e820cccfbb5d5f7b2ab3937a61b6c0
SHA256 a20f18f58d9eea36ead41227538531c8f9500a56e5af9706d801b01c52a15c69
SHA512 76ccef851971cee78eb2bb5c93199e77a5fb64696ec78f209630703c58e3449a0f8517948860ccf1d3f5ca8b711ee820f562097a6dfecde0f92fb51f940b28e3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 596b89d6f162fb94db364f837f2ead84
SHA1 a1293f1f82c1d86d09d2f2c132903c3186b07bd7
SHA256 718ab77d27bc9d06b5600ff2b34adeb10333cac65a0943418585cea7b77eb80c
SHA512 dcd943175d543a5adbe8f765c959c8951380c1cf5a5cea374b8a592662ff3ae8c3d933d315365f5108338c0e70cbbc0da764d51a2b3bf5da42c7dee070d6bad2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 192c8c035c58f266a113ce1444498d76
SHA1 99f3c4c892ef68ac3e4efab7fb53b3d1efe4b879
SHA256 15c6d2794689de0dd0f550fe195cf833c28b6f1c8e91b09963a06bc45c9c071d
SHA512 8e3b69ba1ef8acefba6b096b4468901a287d5b2d09229a857bc5d5e918ab32b919d60472ce2802ed6a070edf8abd4c6cb41336c831f46aa8179615228c89697e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

MD5 2b776f3f45c60c1efdc1a4b1fd85c862
SHA1 ac6b8521b580171566854b7561c6db36f480ba65
SHA256 946ab6e60ab9552c4451a5169025cd764667afd6ed46ade1ca58be8b4439ccca
SHA512 872334c66bfaa15f850e5ecb6479206eba93f378cc2d9fa9a64b829d8d2afc7f885f387db868fc4ffee9fda0e34651d7402b4b6645151fa997a068b3f33e1b7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 2c7b9189029c236ffeaa18ab3fd96a4c
SHA1 6aa565c62b649777f5a391b3e6451bae1e63f32d
SHA256 7e776237d53d44ade2ea66a2fe951b3d121c2aa581c5290a00b845fc6839a17a
SHA512 173704516a3ef83ec81f8995475feb426e154545797eb0302649c624d495e765f3c209db53ae97c2d4aac8a35069b9064908ef11bc146fcc1f838cf8f00374ad

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 52e2b6cd38a992df203e3c517c247d53
SHA1 3b1ce990ed37b7352a2051556539ed4b186f2cfa
SHA256 e8ef115dd4c22db4a4e17e0c6ebe774d70a1bca5e87c2ae4a43ee343d06a75ff
SHA512 fd39f3794b399dd994efe6e3f334fa36f31e656f4402569f231d2ffdc826b97d47df1ff50a253f1887aa9f4b9f613a99e33c507588b8006243fb8f54ab3436e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 47592f731866840ea7b05ee972833008
SHA1 e5457d0bf4e59bffedc3a4202ffd5d30638a983b
SHA256 f0bdb3ba4b4ebdcf5ef4de58d8f34b33603dfbbdb45aa6bbbab7f15b590da9b0
SHA512 8f942a0e63a35e60593221901ee8637811c635c2198426ac1453c266033647498d4327509d344410f0099457b106721e8778a61f1e7e47689ca5f0cd58950899

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 100cdd423bad91ad6476c9b221db9b65
SHA1 fea3bd9360ac63375e9381b1b85dbf85acf85632
SHA256 377e5d24f5a8252d42cb30fbc25ec3084eca359d6e35f64bbc2927d9be26819b
SHA512 fa8af84b3c1da68c4da0b5476463a50f4918d91ac9b4981990c05382388bb63cd025734f1ce40dcdb5190db4130669844e9caf191c08ee100484e127d2952661

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 b9b9d472a75fef2b7c1287731ebbb669
SHA1 9a52f1738b8b42d901300cde0f1d5ad270d92aa2
SHA256 2b624bab48aeb1f4f12aff842f3e57d7690bda642a6dea97afc23936951dad82
SHA512 f1992b4d1ef120ed8da899e9fc3a8dbd0e3d5f86bc2102df78e679c68b79609d6d3dcfcaf5e3fa0c3d7fab6b319767a10b2e897fce78ed05ed862179b34cc695

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

MD5 63ba7b3b458433dead00a4c18f05d628
SHA1 8bd4495c03a1957545081d488ec3525c4ff16e22
SHA256 4249a88aa28ca53929b28625e9b39ed89c4037d7ccf0d47250f23dd53b376f78
SHA512 e7370fdc2b0efc8d6a6561e048cce6f1c90521ad581a91d19bb4dd71c72a488f7657a70a896c9ac6ff213f6f2f7f0a7bf2fb6119f6067dba10958ebb328d9dc1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js

MD5 d18036a7c490829fbb407ae81f422d67
SHA1 429ec7152bfbea5bf30e5ba0ba587c8a80472e83
SHA256 c34e1cceeaadc18a50d5e4667ff5011122e3c1fecb71c21bfd08019101b9c2ae
SHA512 9b135c06be9519a3ae1358d398a255c5e15fd9f97086c200b2a31fdc0a067df53658c66aedb0cea913b15160d49ce433906de3b2adfc2a9b0878984d6f16a66c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png

MD5 74e73b960e925aeb46fb8d6ed3815982
SHA1 da4a977ec5d375ddd9fc0e26049f277c05a196dd
SHA256 2c46109dd969a881acccb21048a7298b1c6917719efd748570aa7a35016fdf40
SHA512 c64025cb4bf677cd63559be84adb732fec32e51fa796d32cb928d52420c9b60b083c6f155212573aeaa1e18d937a625ff09a7e87fd39470b2e7ae1dbae8d6ddf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js

MD5 b71c39b2943a6de3336df8530860b5f7
SHA1 3937e35fb0c64c56fa345cb9d93d281748902a95
SHA256 8025596255eb939d34312f70d4adb873e6224ea57fcb1aadaf9807f5473f6511
SHA512 6d34bb4bf2d6343214fdff441296a8c48ce30df2bfce3210f3d9e518da49b986b515b7b57766372bb6af4560c3df5c92708172a6df20b08d1434e99aed2dd587

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 87bc1b90385aee5aecced528e7cff156
SHA1 fce5e38c36b1226ccb6433e61afa2a74391352e0
SHA256 c6fff8e5f747d87a7ab3d5a1739a8d1f93cb75c2ddccc851aced434ef0bf9d71
SHA512 f2826425139c79d01a86ef2fa70f6a632d85fac41c4c4ba28559a188aabcef9519889abbc52658082ed18e2551efa42f4884cf790979c8fd9804b63434e71c86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ui-strings.js

MD5 c0d1272c6c61753a022e8fb0bf8df764
SHA1 48f1d10c5717cf07304d70f085c914fef94b522f
SHA256 5163e4969755dee0231d4fac4646da97d09390e94e4622e8935361baf24bc8aa
SHA512 52e4ad9b2638b1785ab49ad7345908ea92c0ac933d3ac62f6c4da9fd488f4bfe6d4a59093d571b75b0243bb126173749e57514cff053aa8cb20f24ca237b3c8b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

MD5 ecf3a221d0300a07a53991a8e29ce8f0
SHA1 de724b5bce6dc854b2c967e4ab5c5e82c95725dd
SHA256 ec4cae74878896978c1bd9a2a5fa3a64171c0a6e79261de7f728fb6f6d75d0a1
SHA512 8a46850fd14e31f7441349f47969962cc26275070ab0c00fe490aafbd5a297a5cd5d5f9de23d826cac124036466b8b6bcfc79c7ccc7d698e3e47a14e247af4b6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

MD5 595009aaa05619498e5da51414235a30
SHA1 ee9027ee17566285c1293f21f40b45176f5378dc
SHA256 5980d82cd3e400c8f2af9bce881f2a6611fdc039484d5d83b586bb7b2949b771
SHA512 90cfa1d81de6d655f44b727797e3a48e249735f119c57da79b9cabab469bf42dd876a73b08415c013a7eadc2b4939d9ea5b335540b9d8b70d7e6fb0c80dfd203

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 f47b72a023841de77d12f808bc65e3b2
SHA1 d02ac9da9d2e95e3f15eacdfc0e48a2d544c0fe3
SHA256 e9f1af8f79cdb83cd9a663fa1d04258d3599b8cba380a1fa34ee3645e111ff08
SHA512 8f5f66b898aa97263ed86372d1a4aec067c2ed6b46f1b4d1a11a4fdec771fdae0443e5e4cf03a734d0af13b15a4a52acbc722239c64872709a53e9af34aa2bf0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.deadnet26

MD5 62153d51468a0c5cf6cf37960d20e550
SHA1 ed414c5bf8d1c610bea6671aa549d8dffcd01e58
SHA256 f344bcfad961e9e1d773b390e35e8a205212f9ca77ed77a88d5fcf0a7029ee83
SHA512 4a9f380928e294b2034d5078d6096c053d57a36e5b8ee8204a495154583754b9c025c4f023a711ec2ade1b2ab30ddc59f5876ab591c0485f225cb6efcefa1eb7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

MD5 cbcf6f8802d22da8b60f87e8bcff57aa
SHA1 93ca9a25f3d1e9667dd879a96da47c77944e2255
SHA256 79ededd3ff03d7255bbcbab294b1fdc64fa5a048f54f60563b27b7926af38e86
SHA512 d0997feaf8639c806904c505a49f621e9ddfc39e8504078d41a158dd496ee4ec6c526b4c20db48844c2c6be54ebdb9ceb6b7f0c14c77d338a0888b075bbf1db8

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

MD5 7d0f44e992409fac56621a6de2658512
SHA1 4d6633139fc47c55fa594b8a955f24db20b26411
SHA256 301de9ea0a6c772a7e3bdbc52b5680ec7ebe08c87e0d354792260e068f5a55c8
SHA512 d7873e0c5f2d4baa0e554e244edc127d77bcdbf1fb6e326e9afced8ed62843baf9976fbbf239e8b1fde96c8aaf6f156e27adfc458078a2071dafcfd24d821c44

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.manifest

MD5 af688d38c71e8034de5a5ca7f2e52e52
SHA1 270628b73866b04881f6ff986885fe0c78e4dbb4
SHA256 09a2723d95f85a68cbbe690c564e6e84059aa2d18a913a9934ee0efc655fb01d
SHA512 bd1b3da3d57827b79dfa174a6245a31fdbe89a10e6119bd6732ba60f00ab6190ef8d7e86cd75b0fb12b85b99de0c2623a7ca394f5540754a1fe362c93fe6dd13

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Stable.msix.DATA

MD5 7bf822a40e998f668acb0d35f883385d
SHA1 946bbc9ddbc5d2d88601152235dd86c8be1e4ec3
SHA256 28e47719894ca08b4b2ef1e013cd2a2d79529ee2715f5a0e09c75b0b27e73b8a
SHA512 76ec3f426d37e29195613b14b3619adf47bef7affc5bd2a1646b3305a94e21656ccaade36a5db7c4d8d07c3676b8f0829462a98836278a2dd1306a59f6d0ddce

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

MD5 26ecc18ae6b7fc2dcf279a2000e1dae5
SHA1 1254dd1bc1f63232d0c513d206d2c2758dfe90b1
SHA256 3d5c4fda684aeb198cbbe39fa0ae13d935efd63e0e7d916925d2b7db50605ac7
SHA512 033ccc6ed211454b759019553a97243b23f3685e06c2494bd44e70d08dd4857fe766a093cf660a90ae4924578cb967497bcc0f3683865788a94dd4c7b9bb810f

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs

MD5 f2efadb8921bef10195dc802f1169a0f
SHA1 8eac0d46ee68742e9863e42b233c5390d2b11d3e
SHA256 de61e571369e1373070113fda3ba9fc8e3542de43ecc4b1e0d3a4a3780d7d8b5
SHA512 1d7c7f170bcc022e42f97479200ab1b1827b2052c469a626c1d6afc453bf325c20135d84801be7e0f1c76ad9b9150a9726ccf6693db8f9c4f770e3da53647f0d

C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

MD5 7f0455ee832acf32e2d52128964340bd
SHA1 a03840447077338b44f65c32fe6ed64fc9240e27
SHA256 358c5217eb8f262dee9d6add29ffca5ea750ef1e82f0341f16e28eff44c14d38
SHA512 b22e7efef9c2e128e8fd672efa228cb74c991b02ac34d1b6d86cf7a6b24d9a02b57018c027555726779bc0fdd855fb5a3fd8f78ddee3b8726342d1813fdf8afd

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

MD5 a82080b62325041165bb9302de67dc0f
SHA1 2b746a697eda56cb05c4c02a26da170bd5b97870
SHA256 4ed269d8d57be3a450b476a75191b335c31da48864e1561be7f84e077eb5d510
SHA512 b022c0302371f0ee21437a6f66c2b60e09b723597192719378bb5e941447543797b8be34ef7362a4d4d8007286c279ea6df20b90e2e33d8759ce406d5e93ca80

C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

MD5 5fbb2a5e02379ae5c435dd4cbb5b99e9
SHA1 c68d43830252abb7f7657024ba7e4635da23cdb5
SHA256 ac084b2a1bb384b9709224fc0f64a9463d2dd9e93b7d0eb5fd0ad10d59344251
SHA512 22e20709f072be20b31aa62f1da8aaca52189b331eff08014b953cdff59904fbba21bbf918ed934517988af5cfda870d18c79460f4a79836eaee6f59700c0520

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.deadnet26

MD5 65257b39ebf52bbbff1d1d3b782856dd
SHA1 ac26ed6b171c8336266a7c4c74e7bc0ff3edff50
SHA256 87a5a5b5f7eba4de710b7237c9c663e989ab010524afae9cd0fe1dcad9cd37c7
SHA512 e39aae366628e517bb7f195ac9a6078b3c55582ac0158477925e21a2118ce751d4b8645af3c1899e7e13b9a70a9e8fe4f838e13c2ed0ccb49b512cd709055372