Malware Analysis Report

2024-09-11 01:46

Sample ID 240227-wcq7gafg3v
Target 846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.sample
SHA256 846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378
Tags
evasion persistence ransomware medusalocker
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378

Threat Level: Known bad

The file 846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.sample was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware medusalocker

MedusaLocker payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Medusalocker family

Renames multiple (7570) files with added filename extension

Renames multiple (6995) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes System State backups

Modifies Installed Components in the registry

Deletes system backups

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Runs net.exe

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-02-27 17:46

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 17:46

Reported

2024-02-27 17:49

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

159s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5068 created 3240 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (6995) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_nor.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-64_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\fil.pak.DATA C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoRight.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.NativeComponents.winmd C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main.css C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG3.TTF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\TextEntry.xaml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\edge_feedback\camera_mf_trace.wprp.DATA C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\deployment.config C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{097E8315-8C5E-4D4E-84CE-92DF234F4C32} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4304 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 3260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 3260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3260 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3196 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4080 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4080 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 492 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 492 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4968 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5020 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4468 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4468 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3204 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3204 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

"C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

\\?\C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe -network

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\bg-BG\how_to_back.html

MD5 c9a7d60dee2c82eede6446b3bf941c21
SHA1 30731dfca6ac1865646171569bb9062c7d646469
SHA256 44d33e1dc11c53cf634973e85804866becc729e7a818645ad9d4ec1ba5f30044
SHA512 ecbd21827fdacfdbb30e6958ae2f6f911c3ee37d19cb8e0cc399659f8fd17b40c45926423dbc7758ab820599eaafc3a1747442a8a1151c968da8324d8d60c865

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

MD5 f9ea8901a16e079af589aa120f18b776
SHA1 9bb31f80c8cc08cebaf4f1dfe64aed28ca3a626f
SHA256 f68623dd169f982f1ae45a9ee760564a4accd0ec475186e68f0484dac94d7f2e
SHA512 d3707430370be68f48a1a3681dc6864974822b072c3588d762ad927d14c258369d93d9fa692168f24441a1a25c5f20ae9e70c2dde73c9602ff0dc4fdcad4b8f2

C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 c3b2b47315344c06d2216001e69e2ee8
SHA1 6be469cea60be1b2f37f77fd21b5920882ba5585
SHA256 a8da2b0a42180e202fabfb9ac812b16cabf2caf07f06870642fab1578493049f
SHA512 e0ba0facca803fbe882b99da8fbc5fd695438049ad13b6af20b7f816abdee482e911cdabcd78dc9b263c19935f3ec7fa96ef098e4ec89adb96875257eb2ae081

C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt

MD5 9c5e59e2b631d9689bd88a0948266033
SHA1 eabb595217cbe01bc11e6a43a88910b98e49e642
SHA256 11b893fb6fab7ba3351e1ef8133250ef9594d33029e5096d2445783c0a9f2d28
SHA512 f1367a7f08a1bd28483046380368b378f4715330e5750d70a350729c309f64ea26776b54efb570ab21413098ee89bfde83e2bcf46850c20373bab720749e4890

C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK

MD5 f0b1c951e4cd9d77612dfad00d396efd
SHA1 384f275aa0fb98dfc9c4e2d48ec3caa4a588da77
SHA256 75c0967dd064cfec60618ee9e5eff6ddbea246ca9b030477c07ff39486c3bce7
SHA512 21146896eb8a9f385847132ebdf22b5536f2959c528f7219f0c2eabe0fd8d18e2859cee8607afde0cc77e3401bb004766ffd45296236d8ce40cba3b0812be7cf

C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK

MD5 20b8b797eee6c9aad71d00650b9c0776
SHA1 495cec269dc7250fffcc289e8e02716da7e3ff6d
SHA256 46f5d9dea224114a459da743e93d02048d8df912af7a6c27a58053032d695199
SHA512 da6697b664b15cce88a19293d4607c280445e1a0a199ae8b78c6ccf1c9aced4976f7ab47b42e4c932044b240a2778d29e90a89223ef1fca0fe505f91212acc3e

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

MD5 a506b4df88f63fe8635c64529ae8a8e5
SHA1 ec8ca6a9dfc1e37f374ef871e57ec2bdc3f6f0e7
SHA256 5b4a6d18bf1001e756a09c7b8290dce17ef525ad5cc0ccd1b2b78ba3ec043c83
SHA512 96e72e26c47d17e7e22f659f078ad53e56c74b4a7ffdcbe1b3ad0937ef6a59e6c8037b5f30aa2bb9bd45ccb78e0b031b25043f5c57b18816488fb8ca646132f9

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

MD5 dbde74dd2b3dc9209f06d113a09f1d24
SHA1 df0b8852b6121e181290274877846631959d8143
SHA256 53ff45a0a86abbd7be99fee23c21a7a23b4b9b1bd881a2705afe87a1ee900502
SHA512 11bbb6f69e8b7b54937368b8900cc1d05af62db3a314f7e50bb5a6e00d0693bc87fd4470edc7e39c24917ed37dc30548bce39fd5018f51463112994d3126a2ec

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

MD5 011bf3f68a8685aedeedfbd47b0435e2
SHA1 e5e99066e23b6233cba021c97a4c4b6184e9eac2
SHA256 cb263d8b9470e4c7f29525c6aced11b036d6f83524adb7cb694f60d6b771c0d4
SHA512 e1b588ea7ff037f8941aa98c81ed71205cf5ca8a100296253378cd5584eafe9dd86bb5c3c9a3ef5b97e398a13c642851fb9c7aa24a167c5301c8957c6bb4fedf

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

MD5 bf833c6364de613e0e8cf9e8dfef2c3e
SHA1 37a675e55b00a1e91fc9d37f49ce02875f798a06
SHA256 efdd3f31a2d4bb47b97fcb60e3256d27394f992edcf300ad2c6ad35a5d34b0fe
SHA512 3079a027422b3a56d86cf8552d3182c43c82f5ee98f449f7e91c05eeea193b700ca06f9f4dbf241ed1ba91c20cf3ed4683def3e24d631ca536af663d06555b8f

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

MD5 363b68a62ff7856fa1a13ba53ed43780
SHA1 25dabe1109375a4a517c291d74fe773b5d4e5411
SHA256 a506a847c26062ac008ac3805dff079b368477bdff14bc4cace273669488dbcd
SHA512 4eff2130728c7ff1e677221577d1f61a408c8aad30caaa1576ff982111aa6f202aa0a6bbdb5b12c7c08d8e52526d268fc90aad67636dcf1f4c102d09ea61448c

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 c44a6bc8d8dc542a38883f8a85b97e4d
SHA1 a5749d322c90f4b3636cac0908a3bc7c5e7a5041
SHA256 1b3c3038363f0024204a97fd8727e7898ef3f7c30c2f5cffe0e0d818d9ee7670
SHA512 23f81183b9bf91c63765802ef7ba320f3ba7735533fa4d8ad0c03ba41b210d1bb2b4bf5f578215b48703d7228e198a9232b1596140594df04c7702b3691ec48c

C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

MD5 bce8242ee0b0952b5bf13bbfc9edc9c6
SHA1 fc2147e9457d55683cbbebedf1fb65a1880f800b
SHA256 16680dc8f03401eed6cb3f2a4844c4d3c8c58cbf53ac0cd9be2bdbbbc1aae6c6
SHA512 ee2c61aa09664b0b8cb4d2f5a6938f9d64b77dea6bfbbc48c339e1eee1a8690f66421cfdd94f2a4c2fbe4242d4015e6b123d73a370e8e7f619f8d6fbb1d81bb5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak

MD5 4759aa2574fe2be1238370e00564e2bf
SHA1 98803e10c4b7f487b4d37ac14f68d546643109b8
SHA256 bc563ea89f25f987bc0e4967fbf26ba7d9d31cf10a9a6599d5202f185f36c13c
SHA512 24fc302dce568d71ddcc83b3bb977592982d8878ed26244912d9ec155ab8d89abd88181afc6ddaafcb7625efb082e9ce900a495157aa9c2095b0131d60fbc2b1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 194eb7d84603cf0b0f6a6f61f2f4deec
SHA1 b7d3d8f124d07d7ab6e0559d6a2ef4649ac4f24f
SHA256 f10a77586df4be9147f3eee1ad403b720df5f9ba4b63bf90f18485ec80d6a78d
SHA512 4df91edc35e212bef6c2e20d67e0215ed1871df31c4e669fed1d88956d8f63c0f57f4cb26fd12fae11fa28e690a477ae32289eeebfc053934000eed669cb2e6e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

MD5 15558309a00e3673d05df284151bf08a
SHA1 f70fe9f35e735e3a794bf6c603ae89bcbed0d8c7
SHA256 91b80b3ea3ede8d84af86d7d6ddd14c1a2660fea96ecfd0b2e992d4f693854d6
SHA512 22ba583ea62c5a3b21e5a0593158e6314b605636f9c9b874932529fffcea65a2f23ee46ea20768d71f1a5222fe3456ea6a852b1bdeb116ef31b8664d7994804e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg.deadfiles3

MD5 d7a9e0efd318805e1a2ac70c25b515c0
SHA1 49c87df87e59935d7efa3003e9fdf35eebe8c8c1
SHA256 075d0f8a9916b1f099c874a6faee4ea865775c735ab77c18e74f17d170c06927
SHA512 9e7cff6fd03e456a5501dd6d7e5469bd485110de2ea3e3c7dbacd4b00416d88af4411aae7a13ba31807c476f938818a150e7a4f22a27e9d3e763ee181412f8bd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

MD5 94e2ddb014ac91c37af54e6d5dbc629c
SHA1 c3a7c0da0caac702a614579c8f613f67bc3e9b6f
SHA256 7db3e93e088a546e2a53b12dd413802ed5b95d9d9f83f76242616fc0aa6e19b4
SHA512 aa8169896e6ede9ed4b48f0dcb0937de79a7123cb42c8b0e638de12d1befaae4b58877ed742aca71ee8a549c1f51a05150427f88d8a3b7e63baa41b8c7ea3115

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

MD5 76500d23d1fa185c9c1d6380bdf9ada1
SHA1 2302741a28e403e7c7b0077d7fa44700320498cb
SHA256 65645ea77d877c674f790dd30d3a5d136a063e6a7a05799dfda2e5e6a1270a32
SHA512 fadfd57f6a1a962aa2a52cb4e5cc2fa260224a108a206683078e484ebac58fbbd6f6af316cfe3807f76c891afa7e0ad5515e15ee37d580e8f2327c39816bdd69

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

MD5 bf5d781c14cb5608bec4de5f06f77881
SHA1 b5d10841251d6bf7055a8fedc723ad1582861e9c
SHA256 1a121b36c1f2a6d377d1803d56b628d4e2c365f8a712931d756bbdb2ffe42df2
SHA512 79d87a59abb297fd20cb4425b6887c2649cf44c8df0783cc6668d4f45aa3f5ca7d7b81ca5dbe02760a732ddb1842d1db5b1550baa5a37842ec3e4a676453a603

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

MD5 7056a1da93b58c9a33f14c897e74763a
SHA1 c671687cb9c631b377031e4c19c1b29d256bdf46
SHA256 302687d2d38593e717ecaaba3d62ef6f31b9d93fef1d8bf32c1d3881244e80a4
SHA512 84bfd142219ac70b11c3b7e91cf83edfd54bb376f0db15928d95b257308c8a47ee064ddf5f87db59538ed73afcec19629143affb2709865cbc0ce42c039f8f65

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

MD5 7fc9ca4b2e9bbaa2873c15952b332fb7
SHA1 c30bbc2f84803e93147686343b3f8ec0bba3519d
SHA256 2eec8786e389cc08664c89d3381611470a321b9b68c2f4b3ec321ebe86db6d6e
SHA512 e111ce7bc50bf35de98f1c4408f30350e1fa834b63e800bf8bbc9521080816e27af3ffa21662b126e489a6094a26b688a325263a416596fb75bc9bd1bd0dab0f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

MD5 0e51ad9e7b177882050af8be3c8108b0
SHA1 e5644bb6de4288750bb1b88adf406bbebbffb02b
SHA256 7f5ecc9ce9f81ba30ab29ded875527a754b441a237b94d5c0cabde5d2d42190d
SHA512 2c22a07cac8776e0edb940bf78a5fe7284c10f7c05964fc0ecc56e3be2691e90f16f262a2139aabc59bb36e58cebcb0ceeb52a690188004151ba21d7d4107e5c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

MD5 7c98f9b768a73be745306e078bb2e00a
SHA1 bf43ade00853386006c4bee4f13e9189506c9886
SHA256 778d3998d7466a0592999800da5ccef22211f6b661edf717874363cf3fafbc89
SHA512 990ee0e833c1747d7de9444bb2bc81d564265d95c5f395d1200a73e25b48ba8bac8761f411d353402de610ba99294478d2d050b23b66380f948493ec7892d69a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

MD5 bd41b26ea3d886762b369e04f788f313
SHA1 e2ab08f5adf491c87a20008ba7aad0ae6eb9b1a2
SHA256 c87d4b2337f091581bc5a1590954deae873c1f20334224ef3af37a88e7129d95
SHA512 217d73d94144df51825bb01c33edd9e44debc086b56cb9121aa977204a3c0b273fc153cd7204cfdae00552a9a98e530745728fded5d07f6c241159f258cd8137

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

MD5 5c53489e2c87fc5aa9e90ee8e47b21a1
SHA1 e5d6b8de10b3652a625cf9150e7730bbebbc3a92
SHA256 fbe567ca38d943ba214a97e7682d415200c0d838b09d7c642378f8f5272cc226
SHA512 435120c8ce691e65749d81bdb59ace40fdb2926d75d9b3d4ee7bc6299cdd345a86c416bc009466faf158b6c0203b4dc0d125292f8b8e8d2b55292fb13452b725

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

MD5 b9e4dfdaabf1bb7ca16ac5bee181137d
SHA1 be42c4a0a417f97d5fcc0c2774f652fc2556361f
SHA256 bf5801832e11450f11d5a9f70ed4e7aa0748f8364a124560330e398145099846
SHA512 fb66ddc8b6de5b86eb5deff97412202578e2534568513d579a0fb7e015c3c0389005bbb13fd01c319507278da6d9a2cabc5ab42bbae69e9d04072cce6cc69686

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

MD5 146cc3cac4733df032545c6632484f39
SHA1 0c6b201a173efe684c40ee8b36bf9f525e4246e8
SHA256 fa101de7a6aeade7d2638b6f712a158906ae402b595aa525f3dd62384d5d9847
SHA512 63a05b3174c9a188453454da08d1496bdeb039c62f18f3ba3dada4ef0687448632c806b08f8154dc6e2e5373d6486035264fdbc7cb314854d50e23ad766b4ab7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

MD5 53b6989c131323a0178bec156ec520d5
SHA1 14c023d5ce40c05d77706f08966c0959d102593f
SHA256 37c4f7cde51ad7df87ee7596815ed2b3e607fef4e180864fb1269e58d243d46c
SHA512 d3971c642681aef0dc872d0715e8738951376cc0bacf4792de8d307fd42e64ac6f55f6814251bb161c5281f0a6e04269e4ac7d243e0d57ddbc74dd7436da3e16

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js.deadfiles3

MD5 468432e1c0cba8aded9037236e136d72
SHA1 d4d9767b60603add92102f0b83387f97ae0bde2f
SHA256 1ec38c4692b03bedd2b34b81c5a3581b97829b1dc98239623ffcbeea0b82617b
SHA512 3c708d5e9ec89848905cf747da4f20b67f3f285a25b1dfe41fbfe63c47b9b29d76ce180f451f026ecc433dd8e1f52396d20a953288fc67b5e9efc3c34c4e961e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

MD5 4ed8f721160c8f110a0afb2bc4d948c2
SHA1 5ba727ef8e1f814e8f5779f9141f96da0c614ae2
SHA256 7e45e3a930eac3da06501e9d8369e9f65f50f133f4173f53f33a00e2a915dcdf
SHA512 78e6bc367b378ec106569099ab4245df9e424d916db3dd1c5c1ca91a1b9150837a12c30b952b71152cf6762503d56bf1de1b3487d704a17b82e5f10f62e7597c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

MD5 1b2bac3c369c65540b5e3e46fb1360a0
SHA1 388369d49b05ad99209fbb72a56c2b682716096e
SHA256 3520ac4de4b4692d7681917bf17b8e09feb63fffa58ee401c61da7b13ab9de9f
SHA512 875aed088617da3783e4799577b0a7be50924a7dac2d230930abbeb1cfe7f957690e237fd3e61fea83394e5cb87abee6fad165fa09c2694c88d55ae2c93be0d3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

MD5 822fe0a2648b72f648ec1fbd51d84856
SHA1 f96f52ae39e915910641456ab4ca985b5635437b
SHA256 037c306d7510976218b31e3a8b04ecff3bfefe75f36765f67f4b6c173a2be7a8
SHA512 691051fb368fdd85cd97757aed64dca4dd265421ecf8c1c000afa22888db309150f89b4f10024aba5e639119091175cf2bae14500de66e2be85794fb8dd91d46

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 b8123efd0115381eeb4a3a3a43906963
SHA1 735f663c09e86ea4b52523594b8bae5f3db3fd2c
SHA256 8116bb2bf8f393cee03a899aa6cf5f0cff3ae075693bb340c5a6265a9026fe9e
SHA512 1bbd5512a83e1ed2b20d4f6739a29f501ab254cb4d921b4ada76bab8e772dd8922d561ef32b102d4ea55c52b33b394486a0a8682a9922424217bd4cd7fa76eb3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

MD5 92b6f6204557d16d59e3be7d94260e44
SHA1 a669d63179509bad5f2604d5b48a6864771ae22f
SHA256 d7ef73f4bb7f7b42e2ab657741081a132cdea95381543fb8e174eacffbcab308
SHA512 c157864603aee270ba770355d5b295007f682300570dd8b2f454fc6f3217c612af42a889c38341554279eba0380da0c2d1dbc14e872d4d3a3258c46cbaec256f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

MD5 221d628cd18c5c665f5bb3c75c5578b3
SHA1 4494ea5297a726cda3a41ae9f17510af997c4314
SHA256 f6a2112b4158e06c0563e68deed8bf2bd419a7b7b8168026b19a5f14c377497e
SHA512 1def3bac967a40f7e506ec461109e89a34aabfd14cb9d9bc003b0bcd1f48d3a81c53d236fec2e9fec0fc3033e55d577b5b4de06f9ecc9aa188c89afde1f925bf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

MD5 664af2a0f50c6bce4cbae4c7dadfd96c
SHA1 a3078eb23b5c90c2cdc58d9aeb4740893149b0ef
SHA256 cc6aa22da3e8cd116acea00706f9f66af48236b245667e0cc613d1f34e97bc6c
SHA512 4215eba765b361f1af2806bacba12ffbf70dc534195af278d9ba646aee632b0c360f23a1ca7b00931f390869afae89c1e4f0eb73c003199299fdcae72a13f36a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

MD5 ca29ba910e16cbeb30e7780871c381b3
SHA1 b3a95e257a6096889bea0655410acf5c96d78b7c
SHA256 3c6ecf0d193a2a5b9ff6bb3d4f7a7784bf9b7b293d16c4284d36f92f1b01b23d
SHA512 db20cc1f9ac996f02d38ce8bb197b3ceba54ae59fca3815bd7f980e9436b09131a8bfbbeb4af867d46b849babdbedfe4b9fa2c12ffa9a2ba918e4915a75b3133

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

MD5 461db22f016235eed2f55b4b00fec80b
SHA1 1e6ec671c6c2d71104845188b4b38b9ded8a0f6f
SHA256 7cfb6e4f6c784bde06009ec0588575bb7e50e2fc69b53721ff0b0c7618311e55
SHA512 e99087ae6dcbe62cf902c057188f4a9ccc2976e77cfcbb323bef4fea5ea2318c150d60aa366ba178a9c2068cfe8b864faf09826573b63963be4692965c045506

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 7d6fe175156ba7d53092fa40c3effd54
SHA1 31c003416565c76f54f21cb3cf5c147f3d63d749
SHA256 086c95abaf529ffb683de9de50febcb088b89d73fd0f3a8acac95986c946e2d0
SHA512 a8133715cd138e7882e64e5324298ab341da212ea1fdd29238212616a86abc51b5a7269699777e4431b4823c8ab77c8c4b951e187303a51311f6dae251773b91

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png

MD5 aa1d954244505cebaf260910dec37918
SHA1 79f1fea9dd91477f1a169ae3eca488cf7b223e04
SHA256 78c3c09330ac4401e09f20ee29921a4e0a6d03cf82831d0cae91be6a2cb17181
SHA512 0f0308ad4b01d42694f1b5ca9ee49e39e3f3e36b612703a153298bd237db3c7289a82775a6f10108bf522ba571eb9d773eabea6d52261efde7430e370b0132f5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png

MD5 b2d142f8e730e26a29bcfda2332013f8
SHA1 bc6a815e9e35b4f94606d53046df1daabf6f9a34
SHA256 2e5bbc6c07632f099f24100cd18ca30a5b632739334e88a1d2dc32b6ab77aeab
SHA512 28c4ea54fc84ab255e060748a0d1712cf15f82c40521a76e4fb068f68eb2b57ba4987f8cb14180c1217611261e177742ce149a3581f6127fe21b74bb1a640ca6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

MD5 59bf8aec56fbb485e6fe62ef8687bf49
SHA1 8632fb0a06d879d9981537d61851e20c110bbf9a
SHA256 6fbe577b0239476c5d3f759e1e45db00c5f9b5c47d04c203c8105bbea724d7ab
SHA512 65b1f8303421f05acee8e11e796996772f0ec5251603ebd981b1df2631b1c123c8a96e1eceb3c2bcaf5295b12d3e3064cafff1dedd91b06fd0fd0668a64e9b5f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

MD5 a2986503b89efbb7fa144c4edf89ab5d
SHA1 1e44eefacaaace62a8c54a8f6ca41fe67307316a
SHA256 f67af1474f76197a1ca88a6bcceee8beb1f5f27201c92ea9a72cc6d11bbab1a1
SHA512 0fee60e3fcd555318d753a2480bb4b116959caa0b400ce1b6b43b6337a522289f13a39772fa1b9f5238653338e8457495c3e4c38e02855a41e9ca23c18b9f49b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

MD5 36d8501fd03f5d1486125cf0e2f1cacc
SHA1 55acf10c36876013b851b6ed07f13752c2e3a00b
SHA256 ca327b4871cdf27dc5a0bb9d5b100d0e520e8fbc6e3c3fb9b5d52f5a4337b93b
SHA512 dc796a5c6bfedd419775faf992cf0369a6c07c31c6c2d111450abebde882af48bfea6c2cbd94e5c53f75cb2daf0cd52e9944d35f6317c34b9e97085b2b539bbb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.deadfiles3

MD5 eb8d1a461da241fadf146d3f6863a2cd
SHA1 4fa46b1ce5e40ec2c1259e516d4bed1aa3be02e5
SHA256 8c7b57b7489260c99dd06d43c78936656b599455e62b6b249be82832e2f1f8a3
SHA512 669cbca6eb16146b1605d843f8843593e111b24ca10dc40c2ac6b572e3eb9c4ad372c46bad61c4a690a5be251ea63748b0b0e262d0326fa77993017123ed99e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

MD5 8ffc5b0946cef06576710dddf2235610
SHA1 1236349a5c8f072e4d7c9ecc790072821bfda9aa
SHA256 6da0266b7e888cfb38c81a301d04447e122b2ebd559e68426c352f2d9ab8021f
SHA512 e2d6909a807021bb503c6e77679d34012ca7270e9a2ebc033c016453ad1ee0805cdf196fef5a935c099625b2a2597a39fe4898bfe57041aaed184d00819f4094

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

MD5 315de9650928fe53d28c5eec65ea5b18
SHA1 439104f4d2a4018e9fb8e5034757dc6cf333d071
SHA256 11c44a845511413d32e6b321f25bb7997222ddfd17edb3744f38667e83a94115
SHA512 1b85ebff6581414cf92ac35c9e92530b58fd89dd094e060406f64f4298b056df120413d1686f20d8e73edae3a60b2b8473e8907780892cdbbe40d968ac3e4219

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

MD5 685352f5f461309475b5453b06de41a4
SHA1 05944807e5ae384a93e716037fedb72692e9fb2c
SHA256 57a9b6f1a7c3ff8127c538f2543b88b7d8c7242911c42894b6bd5402320c0ada
SHA512 5714d7a769769fa7f8884ae4c9c6e52f90fc13e5cc0c66c40cdad4ddadfe4a8414401605cbbb7e7c7f8457e2657fed0c83205a5d5a5ff35aaf857add3a5d73fd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

MD5 907f8b53a0d53c854e7ccc25a9823d4a
SHA1 136777bb4aaf2002517a673006ad966e4b813ac8
SHA256 a562b6ce428fc92c6212d3a9e60470e7b626f45d884e9093a880826ee20cc60d
SHA512 b189cc67d362c33260f11360031d8da79965b397e16f3e3bfa0b0435932718d7306eb77fdfe069f2b212405617e9d51e5940fa3c967fea9a2a2c3bb085ebf9b8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

MD5 b8eaa41c3b4e0f9154c119e3f5f6db77
SHA1 8adec0eca967d7ca998b848f7eff2e6531ba2bda
SHA256 df336efcc1e445af2e020832ace562c314354cb20d8b2cdfbcbddfd0459a508d
SHA512 91349c042c9553be8789c27e8dde190d614a8056a6e122912423a379234c79cd9ec6a24b5a9705a67c0b55ea748b7d95abb9af19a9b0a6d3139dc111a0d029b5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

MD5 69cefb98958466dc3f929d2553a528df
SHA1 307c766213d922ebe483594027654a1038f57482
SHA256 af1fc4564814cdda6303f1c73e67694bcc09cfd382a20ad1a3b4c8c60f99a9e2
SHA512 f1f7a5c932e5b62304abfe5804e669023208dd9c3040a88b141158ada563374eb0b56e935c85ba5f524036b5d93a2b1c2302a48eb695c5e3aaf5e150cf09cd4e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

MD5 c168ec89ece90a43e54fc8931a8a80e8
SHA1 9817179115b9cf8d730cf7998bff9f9facef3754
SHA256 d98546f680b738d6784ed8c0972d95f47ae1a295f588213b14809abcf75fc7eb
SHA512 a25b595a8c74f06281ab2bfd0afe1e23d13518e3883923529a8de099720ebdda42f22d4805b0303b3585c37419bef2cfac25d0c9d031ab79d9ae1b3d73ee8043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 83b2db9bb9654d123929f0bb1f12a615
SHA1 9726e36f54014a681d843ae47a74d84aaed7520e
SHA256 01a5fa6f92f1ad4e022d9ca59d5bc609f2413708c156ff389efc84ad8954dc03
SHA512 cf4ca50ba06af185cce957ea70686ffe3d9cf46ca224746c68aa565d7a9f76546cb8f91d460a3af7c7caec7b1b3505935c32df27ca248027dccf55e7beaf8c39

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

MD5 b6bf02f21e54907e789cfac42ffcbf4a
SHA1 0532b8881d3906a77befead4b169c72252de34d0
SHA256 eb9769f77a3c063a98ce715d71e3a2e34b71df3ef988bd6bad253b914e71c641
SHA512 5ae27a0b1e353c08f79f58710a5c9051e4290e158b2cf90697ebfaca92d6c7a110d281a2c67387c3dca652aa66f1e2216fffb419acd8a08d3e3c6f60087760cd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

MD5 8a49e5158d4521a98903d7ffca152386
SHA1 32e9aaefbd6b9ee083dec7d98a6647dcb61f9ed2
SHA256 640a17789361b3110287f12b4d37e3499896c28ebbf99a511f6482e833b931df
SHA512 0cd5a88777981e4de88871fba653fe3767fd9095aaaf03c88bc89cd065db089fc85f72a16fcafb562de3f2136ab7d0036296a4ad56e53c49d51713f11fa132c5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

MD5 bdab2bf4e917706e29c7a7ed827590ce
SHA1 a284842e60ae48703049cfea20f92714f6cbf81a
SHA256 aeca0c91c65402d2676ddeb60148d87d39363f97bfc34c7353668c1b2271e9fd
SHA512 0f68240d6e9eaa9fddeee2d536e2a34877d0b707d0addf53b3cac016cd779e59030a4114bf8b26cb4c31e19f206499105b78d5311731fa3a400f0be858399cf9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

MD5 0be77601c0957e1fa36e5147a2bdbbff
SHA1 4586e213c3db1857aeb554dd0b8bf422b8e9ed96
SHA256 7cb61726b3b61bcb72cacb0012ec31b7e1330dd3e137546482ea54491ea6ece0
SHA512 33663da6c4a0b62225848460f3c1f3d25e8be3f377d8452d73c67f8f91f39c2cf7ba8ac8c336119ac91128c82b19bebf15bfb3f803020acc65a0ac4dc1ebe87e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

MD5 c457d6db08175b212c8a515de6b13829
SHA1 a90653f844a1961f671a8bef5c3a5d5586e059fa
SHA256 d51fa7b183aeb5153ee7a711c2e8e95e13342f4e92dd16c1f148f95a1e024801
SHA512 8c420500a980eba24737b1bbe8e4773a715d82b53748a0ac999b83f9362c264eeeb8b874a196176a70c1d56160bbe88f0de7299dbbe86156860d3325efb34710

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

MD5 7e13d6f4109f57665407d1ce834a6bc9
SHA1 3ff70d5e6c472028df87dc9f7b8967b18a1c1bd0
SHA256 9d7614b4d63b3b7e37612fefc5a2cf735faf88e4a35c6eceb6134346cb0ea973
SHA512 3104c3ab04fb21ae448de5f5420833e20b6cefbbfceecc9cd3bde93335831a11ee72e989fe03c5cebe28945c842481be460aaa5177b991716388247ff782c4a4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

MD5 04ae6aafad559d088da87a6a8b91968d
SHA1 54e063a3043c5389d15eedee60cd07790d2e725a
SHA256 8589226a82b6bb6e6170600760c55572c302dfdcdfb4d2108714c4437e1271e2
SHA512 68f7906b1a48696d53e8e8ea1dfa1d0c79307ee831b8cff2333b8f911f3bf90cd4806b6116224366ee776218255d5d1fa4eee7ca744c56d0f876431ecfa7b10c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

MD5 f614e16816ded53dfca13ae7ff81ee48
SHA1 5cdee8ebb4b1897398b251826586cb3c6d9a6663
SHA256 f6f0bd04c57d36ea6c100acf17bce0e6316984e7caf7996413d5fe56f3cf345a
SHA512 264f9201056abfc5ac4a949ea867ffb694a7ef2ca058635ffed497b467076407c3757aff2471c22971b61d13c8371bf6d4a82c549add2ae047dc3ae177597703

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

MD5 8262270df88bf52d029c254f28cb988c
SHA1 651ea0d5b79c3ca391dd7f273b5cb85ffb9b58e9
SHA256 a2e4fbe9b0445b7b662f21eee95ef3b377bf033b987fff73284cb513e09ccf0b
SHA512 5cd9dae002f7d5ce0fc73d098809838ed5f38a915a4b66845ade3982ea16da00a35f57810c6bb6f3d864641dffc4ea8c6f701c31010203932995237cf45043ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 b6df22f60c69bfc4a811c88b9a598ea3
SHA1 ccf5567a9ae148a6c2d394a10e65f8389a14bf18
SHA256 3b2824204fe20e559aeb121f126319f1ca2066bad317a792b70605f2be130544
SHA512 11c4fff051054e0e11aa520dd335303acc92a3a8dd4a9305e39a49cef9bd5392699b2c045c1eaff1b1391fd6a26b9daaa0b5b32ad42e5ede045e12b6328b63eb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg

MD5 13b445c0ba9d32e0104947a16c584dc2
SHA1 03f75478adef50714374406fbde219ad5d6b0cab
SHA256 3e24bf7a451a91a2b93749b6c66654aaf63cae7f52c0076e468a555b7b488f8e
SHA512 c478345572b7195cb5c5766ddd4796a3d467d0e810b854c115a4a56debb95f5534177be36233ea3e22d8ee6ae37a58173d38e57c43600ba2cecbddbb10e15d7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg

MD5 cac4edeecf67d0a27c383caf35634403
SHA1 9498f7f3af34d232bfebe09c5f92df7cdcf87330
SHA256 93b9b9584d9a14bd6223e3c7ff071b2988b262c259afe7f697e5fc7d284654b9
SHA512 c68708f310dfcd3eb0e220be5141cc2ce57bc026d719130b47e89bf09ccbde68e3e22dd5f6138acc267ce9def75141d1bb3ed0ec0e430f18487f94be4ab5ebfc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg

MD5 fecfda1032f0d2584bc3249a4519401f
SHA1 6ae3a2881ba0758d1bb8267ba0fe1e47e838e11d
SHA256 d7b9e9b135246deb5dd4cecba797108ca72f4c13b2565cf27013716e83cba204
SHA512 e08d4ab995ab76d24aa5ebe559beb59fac2aef52cc0e3129c9d19c11bd3eb842c272089fd604baf5b7bb0a5c1a7ffadf1df61b920d82aaf553e34cb35059c991

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg

MD5 ec369aa0ca0c5e364720381818a28a5f
SHA1 ac2a7ec9dec0f10b5177e9b3eef1db8bdf4fa152
SHA256 57f508c8b47355d80b5501cdb28ecd81f8bb40144e5447463fa11097e32afcbc
SHA512 e9793cfd2d6fbbb5706c38982b2feefffdda144cc90282d866b8826cca57df24a19aa7a4d55af7c1aacf8f7bb14653eaf8f7d9c051dba9fea27519eaebeb26b4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg

MD5 215b28c6ffe581f5b3a12f9e00b8673f
SHA1 b9190d96ca4723b8696d9992c6b1adce60863fa4
SHA256 6267252329e46482f329814d9fe105831fd37830f7ea3912bb42bb7f772efd76
SHA512 03fcbbe2d29f73a44ce443fc1a541c28844c99f196a0e371e1e48e09283efe4718b44585ef2f9fc4c9f4cf0f722394d226349e4fa97e08b3179e47cfc94c2ebd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg

MD5 9ffc5fd7fbc885c6d909b04601672d5c
SHA1 5fc77e0c3d6cb0f8ed449b6291117fbf886aa210
SHA256 3bfcdd481ac07d303dd5a80db213ad7306d365f8d668e9836d80562fa41e0407
SHA512 68f67114da5b2445315794f440ff2dfb4f030ca9a1e611027f8da1800daa3743437bf3be69e0ed0e49f86ffae401de30783da2298611f885e7651749918fcb3d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg

MD5 24f3aeed302ace25521ed1001bc72255
SHA1 eb778ddf01138e0de46cd838c31297cb0055d2b9
SHA256 1751a6a6bb41bdf78296480e224a7c394194f8c2e3ccc4f6c7416fb80f311f0a
SHA512 8181736a0c067d8157a8a24aafdeffec216e393f95436b461fd66c7ef2a6701d6ddff93798163477fc8e5590eee639d9b1a3a7ff65fe0f221bb40bc414774b05

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_tr_135x40.svg

MD5 71799443df48a349b6627df7099d61e0
SHA1 7ead92fb2285a9e8199de79decdc17258bc5ab61
SHA256 f77aa0c0958ebbd24e00a0d41bed54e8b34db7fb69ec7bbf462e810b185cf6ec
SHA512 7bfb9aeb511f39cd6fbe25ed150820fcae1b83918fb6e40056f80a862df0fd2704b3928e55825bd0433430c93b86d8264e0cfcf7f95769f7a4f2716899ce461e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg

MD5 21e18efaf39c61cd6f84ce9025e287b8
SHA1 5356e21021a6cff2c96c21f511617178b5a3c1a0
SHA256 31d39e9844b444febd820f14cbbc1c51bb50e180ce98d67dca6fd2526f735e6d
SHA512 03f4e3d593b559c5b9556fc35cc6b7cec3d4e35bae7c8ef10dc3aa4ea9c48f4421263e95638b3bed416fceb7d7a2a63ee92fb6a6d9b0e97822dc2593b66ef53e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg

MD5 7d8ab4c9de9c026958abbd8956259f48
SHA1 670dd879c662c18e3497cec7b5d68df4b5b4bd33
SHA256 f4b3525580e5aaf8e6476ea08529598a0461c9b1fc7f3bff2ce3f70e127a52e9
SHA512 4e33031c4cf5944f9fb831cfa1f0a12bea8a343a9fc20dcf811abe1630c659b09e9f59d0278b592cf3a8bde60c1f412701e6ba1368684aa9b190e10d04cceb8b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg

MD5 e5112edf5a3bf7eba20388ed4056dfef
SHA1 4158bf2ce005c8207f52aa9aa23f047f7c2f7a5b
SHA256 507f3c04f436d3b5640c1b04547313df2e630a691df7e283a11057b3f0c30b33
SHA512 803e22c02e0258247cb77a72af39c33da2b768c065dac16cef846aa92b5a61baac4c639926a98c9b8430707a31dfaa25fa6ab0bc1807a65b9b1ff7d660f411dd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg

MD5 46b13608453923054d172db1414ecf5e
SHA1 b1e04333c9ed322f7296aaad9712877eb1d02af1
SHA256 b63a11c28e43d96b65a64947570626cd98746c111c0d434eefdcccc47e8adc6b
SHA512 e8b5e4961b2362f598901d62a47118c27b30bdd05c3ca518c8d1c5868ae23b69fb31c3e54487895850b5f1a9c725d1bf6f855bd534c4d79d8a6efa0013568c3d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_it_135x40.svg

MD5 987bf1ca8ab2df096c316f11451dbcd5
SHA1 915e80ca9332d24caca718240006f4269d97752b
SHA256 1819bd43a924dae63c5f27d5015f42defffcea26bdee629fbf0299e088b50317
SHA512 4e7c864959d56023229ae29e40e86786724763a47153aa5019cd249e500d630149597e2da80a954af8bb01ae50e6291a66950242ecbc918e13cdebb4700520b5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg

MD5 d4553309e115194260921b565f453831
SHA1 ed86ce0ed71ca6e8b00e80d1f4bbde4e5a49bc68
SHA256 165ccee19f9b1513c93f8b8136ca712c896f114e102410e545986b296ed71a1f
SHA512 a209688bee8a2bfd4c152c4fbab0dd7577fe98f8e7ed6b35eb27fbd04a7576d251f6bdaaf2363e8e3ff86f0d7fb1016358cd3410a7301fcd30c84850a1f4754b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg

MD5 720392271c65f16f56ef054b9dcdb899
SHA1 a1a8ea09d184cbda33f6c1b48c61f1dea52f607c
SHA256 c62974bd02bf627a2b07656e88b788c00102fe8c33aa0d95af3a1e97d9dc574d
SHA512 b9c6a264087e2d9f70ce895ef6dbf183607717ae4d5fd88468bf05d948b45ac8d4a320acf8f848f458ad876d91f33f614a1b172c63d2b9247d7ffd0a021535e3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\da_get.svg

MD5 15fc5f0da2a04afe68e8f133a1855dc9
SHA1 09921add48692636ec35df1ceb34f4e6ad6a2431
SHA256 5c47975486a2536462b0b5e89089c8a2b5448fda6a3d62220734cedc1855f46c
SHA512 6907f92f942c5ec381e627d177527653fa351a5f63248bc96187c0bed79d09e473d866e273aa97557d35f09f677e510c56c84b6d1fe9542119faefcb09c7765d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg

MD5 abd5e5b9c1afda447cbf833c0de9d15d
SHA1 8cef74bf0c554691bd01d217aeca2513683d3f9a
SHA256 01c8a79873a32834d9331b6e4fdc6bbd7acc8b503ab1d4570e6930f2bc557b93
SHA512 dcf47cf4824347407d1c08d36d62197fc65668529b8a031f442ab58989a11ae099a0cec10ac77e1d596d4df011ab9a7b4a1ed4fb6a6f0de16818ff273c59933b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg

MD5 c40c734c3dc92f99689e09884c65291c
SHA1 a319edfa8c073de8b000addfec6fe9d9811183ba
SHA256 04174de271dc7f084c1266e4f0774731c0420b955036871dfd2288da924cce71
SHA512 95d115ede283308a306aeedc825b45068f86160bc37b54e6b388a3be07d749889e35b91d6e26d2bfd7931fffeaf103ffbafe48a79b58e52b87d8a15b70b305ef

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg

MD5 d2288b25ef5ecdbef8d8b3463d7292c8
SHA1 054e6e3ff3e1df568d8066b1aaf2b91b06e3ce6c
SHA256 22a4bc00188293d3627bde83ed5e738fe3722c9f350787722b111008dd651154
SHA512 5dea29d117fd42508a123c39ef780fda9717ab881845c965bd37d3ae8e676b068910d09acc355e8c2506f8b065f6db160cb4007147626f49b2f134c0269413ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg

MD5 6bc3f9f6585f83e50bbd6edf47c46ab3
SHA1 b749bbeacda04e2851912f09e1ce2698c26c3e1a
SHA256 7e19abfd8118f75dd75373a20c246428575ba8cf2b91de2a5397a626d10d3324
SHA512 ba67fecadb46275f8fbef5644f32280f9b6f1dd8ace289fc47475cfc7ddd9fd54cde11841b2124d4afb820212d350bb76a2f38b226e0ef5315efd817b50dd162

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg

MD5 77e6a30813b32b18ad8f3361a1887ac6
SHA1 4748475dd49947e674a64d89a4fc4e44e9542ffb
SHA256 8201729fed378214c37f229f08072bc7ec2c94cc636bff385b83caba5316ea83
SHA512 ba03d5aba7833af90f1e2beb0a4aaec8ff172fa9597f19df6056cb497acbe8ce2ef11e9a75c215d2b62bee24ea3aef698996022cf4182289abd7a554b09b7e08

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg

MD5 11c03328bbe2a780b6620a31744f4734
SHA1 af1f233fe5879f7cdc69389897fe5304f27b0ec2
SHA256 8724d594f97372a6fc473901cf27cae559ef9698cd00fdace68f20a2492bf0ba
SHA512 9a00aa5fb44aa6c072037ffc246be992dc8009c79057b98eb66178fde07ca6d5ecc7c5870e5b8ae9d35a8d7954e72a8417c715dce88a090600c89bbd4a995001

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg

MD5 1bac3a1f1e606707c031b99270597ea3
SHA1 862454fbe9ef421293ed2486aa170442ba231e98
SHA256 c82753549011692ee7ed33f601f9b95c3f79467a4bd332e863d8abe387593c8a
SHA512 65c4af37e360095381e15774a5e4386865b9b94a9581f17800d894f92a011ce80aba9636dc82f0d1d2a1a0fc8aa2e697ccca7e786055a92080c51e59d975ba53

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg

MD5 e5d24d4b6b3e2a2e781f4a63b778c379
SHA1 f65e87ecd8990b11f17019d1bf255da879165a1a
SHA256 bb169e2c796a26b2984db68ee5ebe849a22e72e96710bda8caa9247f6abbc0b8
SHA512 3ee48723e0eca5bacdc6233cb8b0f097252ce055bdc4547f929f299045d0dfa52ffd1a3f38fcb60ab74f90bc9fea580f5b5c52206bfb4296cc4d0479b18234b0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\es-419_get.svg

MD5 0e1f8a7582ba19dd82f5f998c356c215
SHA1 dcdf581bd139ab6fdc2349fbb6c5bc357dc4de15
SHA256 9667771a313d2e806573c7a8d8c4a658006adb0ab5f2e59b86a5d871c7b2070f
SHA512 d44aca17c780dba86cc2760facaad8ff374449fee847a04487e72a533547d84dde3d3f8f654ca1586cdf78a152f6079d1b3555a3d1e8d85ec99175d3fc0ebe2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg

MD5 da7ad71f9cf1234b8448f4a06c4a3a8d
SHA1 552582c73a6323399acc086e852ab4c43b19e5c2
SHA256 57998073758403acab31387ad95dd6fc0090a623e21609d7eb8697539abebcab
SHA512 1db918739add62df0eb504cd78668c7e3e8ba44f78275aee8b65d1b5a642b68ced4f9df8e46365f618b2f58ad524e3f4b5deaabeb272355f786681b84e35b54f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg

MD5 8173e9454db1b2bfdbe56fdee243d8ae
SHA1 b14ac9566b9ef0f49d6fff1177cf231ac9aa782c
SHA256 0bfa1e9f6d72f051ded646ac1cc39feaf4b7fc3a1cc72efacdacd12063481b5c
SHA512 ff3dc696a73d67dd2171a10507798060ba024ef7841b5731cfcf538588eb8c770bd510256b744a5a0fa6d8f3a3cd40f009db95f9c3e640e361853be238789015

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg

MD5 285f6fa9a6486cd07c2cdc77fca32e83
SHA1 ac6526e7c6091a57b510e83f65a9edc7e2d5e3dc
SHA256 1dbb7844aa968212f324a06909cd6938a841f888582666f16efec93a9764a249
SHA512 891487ece290ccd2fe637b138e48b057b82c9e0f4287e3b19c3ddade1ff3ff27fcfaa982a08cc3ff0f13c63bc12df97d48597b6eff399ec26c98baf7a892969a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg

MD5 c7a7aa97cd5e795578e2faaf308e627f
SHA1 d4eb94441ab4a252732abc93ee83a77466dac430
SHA256 a11fb7cae177419983b3882e6148331b2ce92a535cb7ad1003d75aa6d71ff018
SHA512 f73950310cdbd96e712de25d944347ba8c58e95b489a70af7b8cd81c1f1a1d0c6a2a9974321e8a73df82447c549a5b20cb96d42c1353a4ad7ff5aeb41ca164d9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

MD5 41314dc120fca6a6a3c7ce42b9dc07d3
SHA1 441fba238c58ff164d718627c77493db84e28892
SHA256 95f1df2f9ca4d1a10ea9201b932cb3ce57d2b960bab1ab90edd1542c83c3713e
SHA512 9010b2565cfe03e5bf1baeb3dd402f58f758d55c657775d1c1f5fa4e4a47aa20f76b3bb885d40afce6be1740fcd0cee1a87c9e7239f6a8bbbe957e6a74d45cd0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

MD5 888b216d752f4efeaab6ef3c6dd51b1d
SHA1 ac0501818cd76d33a1d668110ec23a61d9576126
SHA256 97ca541489688608bd02c813113e7b98fc2376d30d92b8f68a74fe824f969438
SHA512 7e1d2b7d5b6913e8ae5445fd625ac963ef7d5efbd52da3d8caf9d1c2611663a0ddf9c414c83fe56c8c8790c4286275522a186228fdfc51b37a20dfd6a65b39bf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

MD5 1eef2bd5e22dc04a96dbb471357b67c9
SHA1 55f36ca4aa955da53eca07e750a03c6320e7ee0a
SHA256 d88d43c5cf4573c6f78a4961dcc8be866e4772972a7446ea4f09995172f8f623
SHA512 4c27a718677cba20bb9184c4d82983ca3e934283c2ec31c092f4a0151f6af4239a4dfedb3ec7c21720734435bbc165033f76349b46a4ea11f0cca5d884b8732d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

MD5 f2b6fb9c3e6f0cf40329702b530e2a67
SHA1 4260ca386fb637eff5ad4237e0cf5215232a7244
SHA256 c75b0522ce27d73e6d3d41c38a90b8e93a7aea33c7757a8c9600df064b78cb94
SHA512 81ea675265b12c9468b79fa82ac34aeac1ccc6c0bf7c121ffd1b5eecc63ce89af78352953f19c9e0211798bbadc81b3752f67e42e264f568e23607dad5803903

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

MD5 bfaf7a839075bce06a18795cd2cacaaa
SHA1 777bed8a63264c78d641f1becee04bb5479136c0
SHA256 c724980d0b2614f8461984e463d6135ed78c3a9ee91f2a0ce0fe18c03ca17f17
SHA512 0074e87a18dba7b97c6dd7812e4b0b262f0182ae827c6d6bfa6bf5e392831d32460e6318d9aeb551e5f54e37145b71bb68e4a672e7a7c32565a7f10693b4193c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

MD5 1d5047958a05520b471086ac5a50eb86
SHA1 57a322efd1a3b03e4e64879638c757f34e62cac4
SHA256 74ba26ca6a79f80f068494479b4bf5226b58eb0bdbb4da04a6ab8f05c45a4e6f
SHA512 b486ce18a777ce8025034731333d56f9cebca39e8ed0d351adaa554f105ccff1a86811158dd0fcfa43694505fa0df51db487257ca5ddb20c4b096fa9a797d02a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 40a60b3433a61531dc7eb46a8fd0cd5e
SHA1 fb009f4f94fecd0f075be595f099501ea82b1815
SHA256 726f464cb110f575dc7a7420bb6ebe42de1f3292417ee6d5f11119becf0f0b0e
SHA512 9a58574f3b4122cce259d521db704ff4367e07366c5a162fe05aef5fbaa9bdf12640ae36bd3314f002a7f082a0c2b18227944643607f5442183f31ffeb77fae6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

MD5 e975b77307a6d93793d3b3b23ffc4d12
SHA1 9c8999cc19e99ecf4715fad30fb1b99a8a06b57c
SHA256 ffc508954f615ea16d6d94f26099e71af4462d1921bcba823693af17da8346d6
SHA512 88f7e9e518f168995bd222f9301a8e002ff397cb5dcf23dd3893a05613e6db7b660bf4d0ee0cc869eaa93d72fc51712304dabba22857f3bbeaae3209725440ee

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js

MD5 71a85a0b200da79586ec9ba52382f1b4
SHA1 31599504372404604cff0821548d8b25a9fe7ce6
SHA256 2b0d814d103236db36a3c9fc5d94bee3f833a92d54419e95f57fa48ff78f2d09
SHA512 6ed647daf3cc3937482b35aaf0eefb26faea6c016e270d50f397962bf672c50249ed60a45bffc4affd76f1f1edba50385cd5e1993ef9590fa342eaeb6424276a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 ebfaf58ce2b72728425abcacb1bbc2cb
SHA1 6970ec0126ddc0f6f70b805b935fd93004da3812
SHA256 4bddc1d9136bc8834dad154609efb390b379e377a6965c204b96fb1203255119
SHA512 baee2aedd74c98e901a6495c4d4a5d014e36240f9851431a4f7651aa134da8f4d08a59bbb3df96607e2c56bd98af730780de9415a6eb89e7baf070ff0f530234

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

MD5 282ff469985199bc207e9f6a5e0f1b15
SHA1 2c271c894ecf3fa46566a5e749446535f7dfced4
SHA256 f94bf8750623491398d4eff8fa90d480725f0bb89de5aacb986df0c8fb83cfb1
SHA512 352544b0498fb29d3ef83ada22e150e184b910520638e8890e12ea0b654ca3a4fc8affc92b280237dde90c36b903bd93236221614c2a6ba4c19e54d792941b9d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

MD5 a1700ecd4716872ace983e224115e9bd
SHA1 8a63f98725d2fb0ad6bf1d37d94b2305b5a4ed5a
SHA256 8cb9517dd949cc5821231221804022777e2b1db7190e8827b0873d1389a9953b
SHA512 967f3729f24325c16afafd76d546c7143aa4ce976ebbd1c91eb8f9eb347cdfa2bc798cb3ff2fa132841208d5c18231e0c69cee4081def80a2c61a827c0911c6c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

MD5 c0875833306958ae2e9ffa6e669c644a
SHA1 67abf309e1b8f27409099c57a0731a31a57372ea
SHA256 cb0a23a07fa405c12a45f52a930618ce4bb10c2720409064012910b4ff7cc0e2
SHA512 416cee04a5fbc26b59f37d88bd783941cc6cac07e7ebfa027d82300f1dddf8542f701936f7ad3c990d8a367d0f01ccb97a7485a0456d8ac4479966629e43ac38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

MD5 e9115f0525d692930735b3ae0feb3c8b
SHA1 949d2a7fc2d149811b929911c1bcbff5ff16fedf
SHA256 c6f78295ceac065d6a1bd58d353b836514a204dfa4c7741e15da5e9a3c42f987
SHA512 9b84615ce7690c212561c2af5e162aa0081789b024704a73d9163faf450149923446b7e5ed0a0470503f043d64562e97af632e8fb2e76914354a756662f58572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

MD5 d404f1c98b9eb48614dba04bbb0a0857
SHA1 8a67d84cbc321e22b4c039825d7dae0c0979b871
SHA256 c5525a781c6f37ef049774620d570917351cb1d8fe7f7e91c864176e2f557059
SHA512 01bb621b43bacdab57f89d6ae4629ea1257bba7bc24d9b8ee8af5f298fe90d6f86bbcf6cf87878a1315329ee0467284f3782729ed86f52fefaa565dd90c28c74

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 ea32dd503460225d46ed229b1acf76aa
SHA1 c217b5fdb5ba5ed407fc657da700671929a78633
SHA256 7e9c71529f30ee9833dc8a9be625d64efb072de892e22e2561b230c3bcec9f86
SHA512 79481cdb34b3d85722fe73a5954b38c0d361f01e95efbfa474ef718fc734129d116a0486ef9e60005806087d558b0ee98bbc4d660b2b1b949a739a7ccc2621e1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

MD5 e291a87f0b90c0b08c6e1c74b38ed9a5
SHA1 1f373b8c0cd2ce83da6685cfe41064c9eae3acf7
SHA256 34c2a71323f22a75786e98959c602ee42dfdd0ce63686e1aa1d784bad0579863
SHA512 36c639168fd9783981646f60f43c0a43a7ad0193381596f1aed39f287d23cbca3938341fe710a84bcc1f1c4f7553e20dbe9b560ff399119310bde5e274983993

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

MD5 d0d1abe9651af12cc1d24544d0f5a44c
SHA1 dffea897eb722aff05810dc99f0e16bbc5ed477d
SHA256 19650870765accd78a6abf168ceeed30dc89f035d4e854d46c5febca73677044
SHA512 3212293af630b2b2bd1fe16f0c47f2f3b1eced5146ffedd5ddbc5207a3d5699294807a250c32dccf3bfe4aeebfbc8eaa6f9877b4653b298d0f8156112ecd847c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

MD5 170f0985dd405ef53e27e30e842ad629
SHA1 20b80e0545402b3e2bf01bbc2e1e167e321c45b2
SHA256 5259d0d094cf2d3ecb905b5bd1b22ed1c04d332f13d485e0378aefca73355782
SHA512 7568d3f9c9db0ca1ca9f6b15a22c50a4fdd405987a52b637bb18322c2042fc08e3be691f73741e0e7a93d843befae41eb58ec6087d368d13c34e1c42cfd9d23f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

MD5 ff387119dfc6c54987ead73a2b3cecd7
SHA1 46cad8f44f5fc37b98634dbd5d8025d423726a33
SHA256 d2babac3ab185355cec7a3d9cbd8a2c3b37a670332197e0cf9082131feab9896
SHA512 5d032494aac997ff56e7536ee5582c3e13a4717e7e7e530a3a224ef83637d99332b3fd498c0a6ce31da4ecf43676d1ef041515e5f8573d980c3bb1a07b37c70a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 675d1bd88dd509465cfbc14738ff3a05
SHA1 99e84cccef50074a5707134d57fca54bdf59cb4b
SHA256 09d11342e1aa02959a369e6fb7996d3a5501a2fad1dce6a2c14fd10e3abc0459
SHA512 de10b179446d8b56d6e77752af6a65fc82bd3e0dc481f21491757cde998449f201ac24aa8028d5f77446323484ecb9d86b4e8df0a9cdcd8889abae565f2cbaaa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

MD5 20173eee797955f73899c97211a88684
SHA1 990732e881d7e3b752a65adfa78ce12ff5e47a68
SHA256 66a119b6006d41d21658da4304164202e898f9d790de4ce90dcb6023cc495f56
SHA512 c369e24997ba5ccfad1f6f77a784920c8263c0c412ea2c6138bf5f22eba7220cf3874349a712b7eb7ca33dfc613266457f4ecefd03a25733ea8ebd5ecf5a16e3

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 f590a5b6da6991cf1137a89174a4cc21
SHA1 5da674c95719e65874d97c9bdec5fa7d47932044
SHA256 fda3beb8feffeae19b18d17221bcbfa56299fd5be160537fee08d29256a28cf1
SHA512 3af4a1567e89210db88efdf65047c23319daa43b573cf6accd3b412906cc2a9fac23014ed4163db278eeb8c1c1066467a78373f2f36fa2a926531e8a5b618d9c

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix

MD5 f4a7e03a977a827e110e338d6c3b5d36
SHA1 fd79ce21e38d37710acf15411627300b953a0521
SHA256 be5345bd3158c4112a7dd1ace0341dab2f35b31b4d256d85ee17c6e72c7ec811
SHA512 8d9b453096f122e3505b4c8afc81dbf1525b858fb2cda3ba00d0663b1df8fc89d7f4d87f507d3becbba204fc7d544846219d7e19d0ad8df399e2adaac5c722ab

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win11\identity_helper.Sparse.Internal.msix.DATA

MD5 a71b4f7e6214568346a607972c26c3cf
SHA1 a7327ea9a7df6cb117f3aa02c805e1579632862b
SHA256 d397286a9d51560ca70ba909fc3d83edda428454e445b2002888ddf140f97805
SHA512 4b2eae589543e6bdf47ad54162ceab373abdf9a9db6f33c5bf91715489ce3a39b512406dc2c89c146f7edc1775e059fbe5f16066fd76354291813a4c3853803e

C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix

MD5 880024859c76c0c76abc29fd955f0889
SHA1 b97870b5f0e4921a548743264e04b293c27be2ae
SHA256 ca6644602acfa814f188ad0413ad7488b447c6f403c483d6bb4921e0c8358117
SHA512 14daa1649d75ca15ba58205eaaaf5b1ff0aaa3afe02dd37ae584a92bb88f0450f7214059f8b1b1ab4337cd9d476f2cf723b23293be40782836b74d2b76f6e46b

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix

MD5 e0466eae696e51d3be5ddf46d8b1dddc
SHA1 282e66b6fe615f3f833a295fefd1efcfe77de697
SHA256 2fcdc54f67d3c694d096a2be6a836c0652b3314d0d7246c0217eb6fe2891a79d
SHA512 0241cee1eb8bad915403d58abd8881b32cca5c227d376e218e8ffd2762317f4b272057a354472998d68b7111c3a7019cfc2e7bf1a8557171bb098f03f252347c

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win11\identity_helper.Sparse.Internal.msix.DATA

MD5 f47e1f70fe30e055205ef709dfa48dcd
SHA1 b03f1844cd5dc68cbce5327de6acc979106c2b03
SHA256 ddc23cf2ad82aa0ef65a0e4420f754b96f77a66c2b751c934e8fa015d9dc0021
SHA512 c00b71b6e6a3d05491f3eebacb92dc4cb2c6f91ef44b41ed53258e398ecd1f367c62abae1e795f11ccd206b965358c0ccdff745245ec056207b53607aad33871

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

MD5 9e05454721cfcd1d7eee10841779d673
SHA1 010632b62fa73e020fdc9a763f9bb670dbe3b764
SHA256 8b214b647b8e42ef219c253e089b6ddc0c21bb3b2743c701c64536d5db327557
SHA512 530059310f5bc69686fe976dd2a565dc489503dd1e4da3f5fdd7398d5025aa886bba52d748b3e70e838cb2a0a51f2a4ab1aaef16a4e13a5f2a4c51b83a7b34e1

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 217bfb0ee7912d5db9497401a1ee3434
SHA1 1a87a41743e9eab72d2ab00a6199c2e01bec07a2
SHA256 6425191a90217c69010b7de2c7e9f9a461fee5180ab0a48f71362762a82a7dbf
SHA512 c692d5fdff909da6417b15a2bf32c8fdb3c605d99ce78fb7fcec5de3cfb14214a384a843172d266c676e567adc7b4293847f62419f0a1a474414c455d0d041a7

C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

MD5 1ae0208537f6b76acf47e12003c928a5
SHA1 844f99037fafb29b9530ce827a20c08dee3291df
SHA256 bb2dd7cf91eccba0d03d0e02913f612af00552c8c68dec5295da34714dfe1643
SHA512 88894e0493c74c953493e52e5f168fff9cb58ca7cf6cffeae0594e1f9b9dee3eff9eb8be8dd9305a518a55cb6e03a86dae5af0a5b43ae546f569e8273242de3e

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 58e596438a04881b597c96013460d030
SHA1 e3a93e7f1d37e0793c79d9596000c48b2bab2405
SHA256 c5e1b0d233809d4453e8690fa67f1465a1c064fd83065d1da2a27c10d6b63d82
SHA512 7bc4f39d0f0cb53ad6034f2a1e2707d0f1e6b39e281b6fe2570fd493e4371747381fe3155a08c6935139d8095ff9f89bda22347b12d3f2b316461306c8580e00

C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

MD5 c958a5f7b4cee3919fbfb1d59c0ae941
SHA1 b540c2cfd23093136fda66efb3eed1cc7408fe6c
SHA256 b30c895f4e478c7ce26282aed7bfbed2a6333fc64424276b9ab0241042e236fe
SHA512 b3dd815e11566c4e3cd30053e475285666bf2a63c21017150751991d60c8532a6369401b9f286dea35f11b119f92beadb1f2735dd9cf9f0425b434fd57deb66f

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.deadfiles3

MD5 d07630f87147ece243816ecf4de842fc
SHA1 776f6a1aedd805f2f7e2ce75da9da9ebf0ca6900
SHA256 cf61be5f3e52222e25888661cdc0006037351a548b3f4ec52c6843458fe318a7
SHA512 f18726079122b1c2934b7c155fa92a056b70ab033d5da95cfab4c23ee9297631df27ac76f8e29fbd6c8223391e77fb05b3172dd287a1511dc2106c2cbbd6f18b

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 17:46

Reported

2024-02-27 17:49

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2196 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7570) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST5EDT C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.dub C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\UnpublishRepair.mpeg2 C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\ja-JP\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\CET C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\how_to_back.html C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04235_.WMF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2572 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2572 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2588 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2588 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2428 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2428 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2720 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2720 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2640 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2640 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

"C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

\\?\C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe -network

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 636

Network

N/A

Files

\Device\HarddiskVolume1\Boot\how_to_back.html

MD5 b84e9868b00f7fc179bbc1c4b041e08b
SHA1 e00fef9e07e60bac2d2c9fbec2092bfced121393
SHA256 66d864c626476d04321912ca739c2b15519b7bed2143c2ddfd8c9f4ebb01e460
SHA512 3d45fc27ef1ad52f21d54de138748db53d099f89c5d1440ea68ccdfd57b0b5a86364802bce3840224122649b69848c641018d06f622dbf5b7f66229d33a1b8ba

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 1ec7994a093a46565240989f757d6f88
SHA1 5d2e4acf9037d3ce97b6660f052df9c60f1d3844
SHA256 ba7bae29525cc508119da933e3f5c62a941659d8ba588e3b1eb97493ccc78e1e
SHA512 4676dd5b9f8dfc72b72bcec5f6bdb07d2edd34300b71ad1b459225cdd5b03dca5d7527cabfb6fd8c8e8cd9381e0e82cccbec96bd60b3a73d81b179ad92e4c2ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 3fa60490c306b472ec431f18948d618b
SHA1 9ce169f365841f3fcabe571a9d9d009d4b3db5aa
SHA256 47992317e0751f064ec527a7a893d2eb5ec4cb84cb9860a8391fff5bf469674a
SHA512 5e551f81d32b72e1088669dec9e98bb92f1b29729c9c46810dc4a8dc8e2f615b65d86025cc641662c3c6239062f8456cfbb5e199693f6f612b9e7bcb9ca88c80

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 3544c7af92a43cba043f2ed63060c630
SHA1 88dd7858b0b218ff898b4488e9c94683425685dd
SHA256 807a58ace4073057c26ea7ea584f75752674a8a0558559cc1b2204719354b7ae
SHA512 a968ba368c5ce8f6b3e7c93c95b4a424dde9cb91297091f48fda773f7469e573cb8ce5f1b444e84f3fbda1822152516cc3acee748c5ba1c8b16acdc5d4789775

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 d7d781360f6313bf63e12381c56945e1
SHA1 634cccb47af0d9851db4c0b2e7ddd438d13ba3c4
SHA256 28432e89f6784006301fbced909724d3f5597cfddb5b6759ea7678a258fca5b4
SHA512 454cf6686368046baafc4153b42268e9886ffe6f550f6e4e127a69bd9bd13dc9d7cd8b711bb55bdcbd92b1477eb2e6057654fe80458e5e875b86fd0b4476630e

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 3f01e4afaabd91150aa74c2ec967c03e
SHA1 bc17af04f8fa9637e245924c37c5930843cec6a9
SHA256 3c1a71c2ee5734ca392b7be9f5c8c0ea72357eb60c3789092ce82037016424c8
SHA512 a47e681d79df21e6b3f3f99f6c84cab0b129e6fe1aa4c46f2fefea3fc9868451d7421ad4bc9d7a4c338792a4f19e3c279e2f2ba1ad2986037cea5750d1343bd6

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 25a214763cd8880a74f0d81690cd514a
SHA1 b964f127cc46f514a60dbe066b58d11ceb6f4c5c
SHA256 be4df458bf77b9496fd2b434d1dca6d22303a3cff8da38f043c083e569818548
SHA512 15c9f62d642f288522f0c0278ef926367a5429b63e504cbcfb7ed23ced5881c886d60a427dced62099a8ba3277993a648042acaa9a70131ffdc50d2b357bb42c

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 fcb8cefe489cb1279baa694186c17f6d
SHA1 12e936f18a97c369bb0db4b23f00f5f2f7692b1a
SHA256 a3b327e4db5f84ca16d42762d55684cf77b940861c675467124b66f9a3410bef
SHA512 d8cf8a7dbe55a51cb9d6abd53a3bad3029ebe48ea87ad27dc72875f4ea7c643283c281943ae9322516555e57e0d090e9542a1bc690c1e84ed62af68b0eab23e0

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

MD5 0b26384f9535b2e566edc8cc918b2908
SHA1 82c8e19106639eb18dcc806984ecd9bd1374b447
SHA256 26fb5ff851dbce8e3df8dc0d61e7f6ffeafebccf49e6d0dbc7c4cc76e078f3bc
SHA512 8c4c9e805daec25cae3e4dd3d9c497ca82d08c6abcac055c22ca7182c6d2c0079a54c7db2a8957998f68649a2307b69d9fd20734f58e57d962a6b4d33ea70d35

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

MD5 194ebab2c4193ff919362c082555dddc
SHA1 a9789ac6c74fc27d38107d9dfacec673fd64367e
SHA256 c8da1593198234a3b8c664e004a350fd9e4008f2f0f8951187efa50e535790f1
SHA512 bd301b569f0f6e720c797bb3f0ec75e0b8ad8c53a73346b31486b350cdf9920089f5211b10436cadce3ddc9b24c516c1c0bb6e6ddb1cb89b93c2f4bef3b2e552

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

MD5 dd13d2a68d8ae9d9c8808474318ca5ab
SHA1 f5e617390554af1e36d5d7bf1fcff5f6ab8904f6
SHA256 92429d64ff2dc2b36dcb358a6ebf707ade95025341c1c1f62f7332260739ab65
SHA512 0fead7f56c6a170e5d14496ffb318d7ca2a9c9bf60dc05913262aa45c30edacffaea69189eace2365c056746f43c00ffa26126da07c8209788e104871fe8c323

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 d57bf96645c7d3f7576dd3390fbe6e7f
SHA1 1065b8fd96a6f89b90b5abe6aa8669eebc3cea5a
SHA256 c3a9d056bf6157f8969b885de0c84223459d03989ab52dbddf6deebfeb333f84
SHA512 a1ba00efaed769f79c2566a8edd3eecb4d5f94bfe3cd7ec472ab84ec4ad4c12a8311c0fa5cbf87f66fd5dc85f0e34f24c6c7a0d0638d2d17d59cff9ac2cfb2eb

C:\Program Files\Java\jre7\lib\zi\Etc\UTC

MD5 fc1c3f197be72b083c7ebdd1b57bd136
SHA1 3ea4f9f837b5926cfa8ad0ced38e60d1c3590cd8
SHA256 cd713efacb49d1650f197ccfd08a191bf21becb15522699b38d742caa10bcd6a
SHA512 0aad7a3c2fff99f1a687b6ea8a6d06cd0441ebe1237ddcf13450929596958d3cb9ed18ce62ab2f2b8341c7a2762ab3f8cce9bb7fa8399fffd1a63fda7a8ada24

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 6ade6ff4d187bc2ac873e9b0f76b417e
SHA1 8b533644c7a13943dd936c5b30d6a8804899cf0b
SHA256 00e93af0ba53ad537c15fdfc6acec0927b4ca6597ebac80b8bad87fe080312ec
SHA512 d5f8f5ec423b1265a69328e3539cc700ba28c345bd573c82d1e04ac9dcd2ab49b2b6a5c99add62d657349ab80bc0c6a88de279e048bc78f0596a4b0d3868623b

C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

MD5 4162c65ce170f244f12d16b604549226
SHA1 1a9cee7dfcef51dc6167ae719c8e16c7876ea566
SHA256 f3991472ee4325a4b73704c9393364f924786908452451947d8bd10afb99d2d6
SHA512 62c26999e7c965337bc80e34d05bf99ac6104976c84a5973610ed529f67d500f133241788a9a331af013c8bc3174cf1d6bc00852298750230676239cf91b14e2

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 d9c8492605cb6b592594fa5f0f9806f3
SHA1 10a24fb6f837c9236f2aa4eedb359afcbb2feffd
SHA256 5a8938a039bb6ed2ebbd76dd8107115bda1e2a4ba79b35c8d16f999199c822fd
SHA512 a59bb651a63887b8d25ea64d35f61502b2ff017c7ad5d63945d2ebb4eeebfef8c61900f7193ca8970e111129925c0e713a1026c154b0c405ee15fea620e52ac4

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 4425d6e1c4ad9defc83e993ae20bfc86
SHA1 e38a4b7daffb2f3d2c39b58e10526c08d68090b1
SHA256 f61568085544ee9c79f49f1730bdca13a0abb50e10beb509a4c27dfd8585b737
SHA512 491c8916e362f61d08280d138b0ddaa2c193347a4a381e8079fcd92ae5107b8cd723f28004a1360be3d3a00b73dcf35b6391c93647e0a9eb3ee0f72650a0ceda

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 59ed3738ccce1886efa2b6cb593753cc
SHA1 7685c534feff19f9ab5a62be517c5f2c9bc831e7
SHA256 cbd677b8563a20c4b2492db3c66af342769eac1675dee959bc0a824bf2b6e0cf
SHA512 6c79852ca4ff300e0827170f6759f3a79538d683d603b98163d4b488036fb52f0c65c8d51f4a4f9a8a803e55fff254dd27dc19cf933e83af8f2eb62778a22209

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

MD5 cd52cb98191826cd299eb27f68dd77e2
SHA1 877b99adcd595ef0d15e353270183291bd7a00ad
SHA256 d6781ca9d3212ad1cb967bfce3861ccacef2c157ca7d5d787a4b5762f6eb016f
SHA512 30aa54e2ab0cdd90300e7ed49e796d983cede4fb1507aa606835cf2faf20f0a7df77ba703069511916cf241a234a9ca13b2d933dd2fb8366ef4b5fb01ec37236

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_F_COL.HXK

MD5 bf3ece6e1e75dd2065177dbe2870478d
SHA1 f6f5958ecbb49e9021f00e155e3aafa9307c448c
SHA256 e6644a172279c7a44adc4189cdb427510a294669fb3bb4cdad2ad95a9e7814b1
SHA512 32acb09c4a3e651b76294bb25833a6df000c4de20e473f5144ad0dd252b827cfc265d8b7939fdb07e00c9ddb487819369b0939c230f99dc4ff23bb12c84134e2

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_K_COL.HXK

MD5 30b0bb3c7c4f9391c20e8086b5f70811
SHA1 8923389fa87f7f17727db5973ed4a04f564cd372
SHA256 84ee11483733ab46b1eda215c4a254bdc04a5fc37d31aebe3ed4f2be40e2c6d3
SHA512 07cf0d7f994b5d554a4947cecd01e20e6b6c9e862b8519f05250ba8482d0027cd0f9529c8976c967e5ad0e4face00d7ab2047bb754a437b3d88fe430c42ffe21

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

MD5 d9c95110620bb33fb941e300f7fb9074
SHA1 8f4dab339c1d2c522e81ee2578ad93115597f67a
SHA256 1c2d87d7a9907835fc7cd34d2c2fe6a7c1bc1a32a736b02f9016c6cbfe1c9992
SHA512 84f51709bde69e5aaca0c96c96e5f295a52e55f0a701f323a4301925285eefe5787cd4c195ab461a1da9b3b3750312f63198169be0f0069bba402d6ebe8ba6b4

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

MD5 19b7372d12485aaa08fe7c1f637b20a1
SHA1 3e3d59244605b9942e14ca947f01cdde3ada40fa
SHA256 ccfff78cd9784f49640c9d13f9ea83398394f39cd0dde1dec6cfe624bcc51911
SHA512 ed520385064558086f191d0f85d8ef80ebb9e0126b44f5813136aa4ed8d29339fdc01dfd403e2d51e1cdb7df8c91482328319348eb28ccdc9dcf1499c6117190

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

MD5 29849adec16d46cde2a73c3379a37afa
SHA1 69b06f2681cc8fde91c571cf20de531fb91a57fa
SHA256 b43f7aa44e684b9a6a492ec6e44c6a925426960fb1c2ff504d726e425b97ec45
SHA512 50ca3ca4603871db491d22f08c5930b0a3fa07b9fb6d9d1b684698a4040181dc5e62e54d99291cc2647b1a070cc2e7d7a9b93a93a7ed952591486881695b9964

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

MD5 38f06bf6b2cbaa47260ec70f577a8f42
SHA1 61f15f9a7dee369ff3a8622b743550644881fd55
SHA256 f728e4568103786944861b8953f5cbf0b5747cb96497b455ab3fad036cf6a7cc
SHA512 f81877a642fa570f81832b08dee20d68733bafd7bf35d2ae78dc077486746c9149554e89494940b90de0b7497ebbdc13a856add1de7f3ac3751529b944d999a5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

MD5 7cf76ab69f7b5d0e77110fa9d260e869
SHA1 aac775eab52a8a504d46e1cc9108029f3e808a1d
SHA256 eb0ddf75b82b3453f19ac188fc9df872d1c8d7cf945ef7a868563e59e208d717
SHA512 2c76e14ececcc29de06690fb98e617029c3ae504481789d61dc7e9049a0cd9def7580092ae29f5928ad632b35f5557b43a419ceb3c99d06b8eefa0d3820f9a5b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

MD5 4a3a34ce0f6793b2e765e1f2861016ca
SHA1 9c40bfac8de35fe2fe81e6c3478b2b805a5fa9c9
SHA256 cccaf0a480a098f0684d6af91532f05e931cba16931f0dacfabb3c564da2adf1
SHA512 1701b65a02b12269a9be213b489d458f9ee25f53641c906ac88866fd6c709cdba3eb4fae9886654cce970ca581bfd70bbaa191f6b9f1a1b58ccf22a2e7c37274

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 7c45993516f5a48564eabea9b7ff48fc
SHA1 c9c2cc46da7edd2b25d179dfa4d9dd42cc3afcb7
SHA256 da4b0b66532c2333dfa88f69082066a78ff462de81adf317149dcd8e6cf38e28
SHA512 11318545d78f432176e52f239b4008f645bd7e5a9d2303735944eb9b8c99b530fca5a40ba2eeec2fddaf433a0d4147c786bf0ff0b22e63a04064e0029afb8fd2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 d37e732a5f040b151e066ee6eca0d594
SHA1 18388365a3c22332f78742dda777c7ca68302e9e
SHA256 8aef9f0259ab11dddf536ca25251cd5a20dc3f3a5db14fbd3175a62dce88c325
SHA512 23b21ea658140a6d8b8f124306e7fdf0c6df2951315eaf290328df7484cfd8dbaa40f099cfb41b452582fa56b8affa85c43a6d1e9cfe81ab4ef733102696e2fb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 7241df7fac29c0122bfb6c545c36fa4b
SHA1 0828a0e22cdf04d87836cd7b6ec8dd1da0628bcd
SHA256 e3efd093de29808e0c2c1ed14f8c850253232bc869cc3f14ba328ecfd0df6832
SHA512 351362fc1fa2c21f4a49eae3dbe81b4cca19b5f27fcb86faf8a525f69fd02b1434c01c5afee3033c642e834af032358c6df65ca9480cee7237b0489fcfcf66b4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 56974684e89819b57eb01c79738edeec
SHA1 41c85215ffadfea79abd50ac348419fe96ac1b84
SHA256 ada02d3ecb5240167ad52c1e00e9abfff8d14e4a1eff3fb87a642db723aebbdd
SHA512 49a5785be5f60cde82802c67e568c501517d9131d43e8957c41673c5f96b55bf0c471c189f9eacaaac688263b832fd7ddeb727f42580c28307f522dca8ada6b5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 f40ba84c204af10c6f1316647d81480c
SHA1 4bd5afa3666d9926a04ef3266fed4ad342ad87a6
SHA256 27f02b765169b2dae81475e31846cf486ba80d20812532f29cbbebd875103f52
SHA512 456881e8eb820360675b372e843a1b9188f9ca5db35c38f111de9aee347aac62c298e195ef93748a9fc40c62e66e4d6604a5d5bea18d8a00e16c10dad1702ea7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 2876be1e48ad0b53f771950c1ed130ae
SHA1 f7a75f362f64bf1a9441286f54ef210e791065ac
SHA256 e4dc322b93a475a4f81563ddc1608db857865574a428bb211d9e3b4f4e5acb41
SHA512 12ae8bba9dfe92e16950433bf1abccba9fb1777cdc790f3389779ad0545ebc40d9866f28931e84b038897e5b7bc0f74f6a5c539dbdce4656285676605fb62ec8

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 87522f39ee50d988651281bd18c0e149
SHA1 76f4af3981a0bddea1b3f192f3d754e6919bfd94
SHA256 7fb0da772e215e694c897d7fdfd4addefeb4f933b51701880c922d41085a677f
SHA512 b86c6859eba228c6a75632e53d95d2eb0612dfd194c9c3c429bd0afef5ea60055ae575408b3772eb61dc36eb37040cdf31529d1851ebc99e239313c32750b8cf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 b0f4ed362c8e85f2e1e9e7258579aff9
SHA1 5e0459b39f13e193ebd25f193883107962adf0ca
SHA256 3c9ebe45b935a5a87e06fa7eaae422933138f89078569fbe451c0b271f2f932d
SHA512 a7f6385aeb2229085cdba7f71732cf88418c1a5c816d4d74f77767c316e1cff9601183d7af0c89d715681d32c8854833f8488e75bd6ef8a2f8ebde5f2c090cc6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 9d5ff0dacf9e499c6f3ca37825abc50e
SHA1 2254fe277bbc0f7afd652937cb8110ea8f262972
SHA256 6d80881bf278aef9ddaeb04b3a5016103ad71b7425f1710c26e11154f69b707c
SHA512 358b35687a0f91fce00953de0adfe57107968c4b8e36a3cf597e56340c85936a1bcb8b84f12ab03cb2e80cf408ab9b5edcb702df20d8392fd4169e45d0c39db6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 56cdc8c45fb5b87f3d8eb927609a04f1
SHA1 e3a7b2354ffbf3a1f488159ff07ce38c31557b77
SHA256 0a9b5d30ded9a357a5d935ae893c5ccb5a88e1cdc0522be765a260f1f7189119
SHA512 50b4f6b3b2a32c7601079d814098e9d1d69a612fbd7f427e82da75aba8ad1d07fbfe63a695f7b77d8fa4a3f1d430687e438a3c3c524229ac0cfc235c4ffe04a7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 345419c07f7a5d379ce92cde7836dbb9
SHA1 89d8bd4c797d7c6626e468297a2722592a4cffe3
SHA256 6b379eb417ef5919bdd1a5ece7454e9dbc8ac443fde1530f17ffa6d5cbdc0eb7
SHA512 9626691cc813fa3cd114838f1021acacd1bc041e022df889120a4a478a07f7713a80c59e94a210eb889b6cbbfabde2b03d7a2968b535085bd5547cae45315378

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 ab68b577f749c9a65d1c45ca7e5196b1
SHA1 3c563f035ef5dbfdd188b3e62255f09c85ed7f40
SHA256 6ad75a66e3048b86b22df029b687f795ed8a29c2f680ef26e1edf0b426bf3588
SHA512 9b5d006e92d6411aaf8cbc271d752899fba418e45f08f1268353c6f77226ab9af1b60c8c1386f8cb157225cf451d6146dab67f555ab5c5b2c38236d93f915ab1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 450244434fa47bec561545040a65e297
SHA1 304eefe0ae9ee5e29d4843d6705849671f2d6c7e
SHA256 41fcc6e78ac7a77b9bdc9d7eaacfd0a356d48534411d743bd66e72c114a57a1c
SHA512 67961f5be18d92fe3c87ee3827603e23ec12669e8527bc0af32c56f99847cb60ebc941a65fd3e1b6ab405c4a8ba6b938b137919fb00fd90628ee665f8319b69b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 e3da8bd8354eeffa26a2436289497608
SHA1 73a5a4aa0f1ce4fb030daa425a2f0d488f74050b
SHA256 e3ddc05b5b2edb85320c013e06905c9f70aa7182d22b027c00d100810a1e1b83
SHA512 59234835c7a632be8c691a17a369b8974cf1a0683a6a4d81fc438f61528eb90f00c9add55f65d13f9b9204c0f4a0e1d6b72a1256e89b3bac52a61dee8846e40f

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 162410be3ccd158a3275cf186c6b1fb2
SHA1 5714e754e46d10c90073f028d78894ffef39c06e
SHA256 0b8bb7200f7ae9fe9523879a3828842dc2575e2f0c0608ade90ebe18c01a8681
SHA512 3084b58b668219cdd3dc2542195c378343fea1d5c5d0e3dd98fa656145e042f00a068d8d79ed7544565a327f5f1ed81b6abe66623f0efc48af4e3e49ae1bc35d

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 ccbef2fc15b82fb956417bcdc0903317
SHA1 924776f66ca79986d2868823fd9a7e0a99341725
SHA256 e4e99c0aebd91f5f3205b0b641d0d8b49338c6e0d631be1f53a419d08b2d064e
SHA512 e97fd85c8cc2727c0bd43e7a76070a9cf59255e987562e330aa54811ac8de5191936a3c1c3a76eb8b11f9d7c9fce2b5dc209572d672ccce631e4691d4f2989fe

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

MD5 27761cd7c76738d02cf59cf46b7c0a1a
SHA1 7fbe6a12c6c8fc116bf049337fc9c6d22d64cec7
SHA256 b7644a8dfe86c0bbf32146c8060d71375400d881669aff7a1089ada575098cc8
SHA512 a4586b376450da4286966bc80bec6cb21cb1118daf7525d8aa6e0fa8364482dea93005e16fd6dc660074cf40c2809dff782eff7b97db0e60034361c65d14413a

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 3080836f94921ddeb3860123d15c9266
SHA1 3b8f2fb94390683f58b3a445380cd4235b03c4a4
SHA256 b34631b568fd08f8c44e61684032d898e599a561989e9f4586521cde9c569f7e
SHA512 79cd78bdf3c47100542d8c2e414f0eef1c154c499c65ffa4fa3b7e533deadf5bed924133a02db14bf209c056629bfd1b0b0169b4605962015dfc4ff2a15397d8

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002

MD5 38a971689a2c68553a370d338b8eaadd
SHA1 87246e7a16bdb25cd0819d0a5e10729e84474dfd
SHA256 a08a2e089d112abee20dfd183b7dbd50a1866e7d149041d63a78bb4536bb832b
SHA512 15bab55c895c65a1366eb51710e526ca475e386e80eb683fc8a655e21a4eb173c63c80ea6233b5f4ae42f93c04faef2e7e94bf744a87b70bee0236073efd7c5d

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 b9c71e6ea36d7851fae7953fcf1076ff
SHA1 7597a08d879e8019c1ff1741f755cbe7576af757
SHA256 f5fd915fe5e252c1bfff8eecfd29d6240d13b5fa531b13a8a0df4b63cb57b75a
SHA512 201b0abac2e53aaa3993cacaf9de8ddae89a8782143d415c4a567634797e998843db945b37590c22a929384686e98c592bfc074d27e24b414c8589883f319ae0

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 a6235bef7124fbcf593cd7020bb59498
SHA1 2bcf68f77856d3361b531bedb562a8177db34868
SHA256 ac86416f13cedd5b8849290158099a7802576663d4b7fe10c522a4121e6a81b9
SHA512 c49434cd045f19f2669695bce0f2b089f0a4c283e908f109f91f067afa8ded7e90f190468bca752cc2c173a7e45852f57b518ca7aa581f04b520a83da276606e

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi

MD5 a111657be1055640f59f80d8d2c70d63
SHA1 0f8ee6ed657b83d4216f137eeba72fc7fc220242
SHA256 9d5a89d99baf380cdf1cd3687f6fd3a95a3aece04e0204201caa2628ac83adb3
SHA512 63bfc0a48441608d3da6b8137169facefdad1177497790a4498d661758539ca2e15bdb748bbd0e4833df1a233859cc18e5fe8e634fbefb501857064f260f99b6