Malware Analysis Report

2024-09-11 02:17

Sample ID: 240227-wgnbdafe69
Target: b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.sample
SHA256: b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f
Tags: medusalocker evasion persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f

Threat Level: Known bad

The file b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.sample was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion persistence ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

Medusalocker family

MedusaLocker payload

Renames multiple (7279) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (6530) files with added filename extension

Deletes system backups

Deletes System State backups

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Runs net.exe

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-02-27 17:53

Signatures

MedusaLocker payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Medusalocker family

medusalocker

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-27 17:53

Reported: 2024-02-27 17:56

Platform: win7-20240221-en

Max time kernel: 164s

Max time network: 136s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2524 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (7279) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Deletes system backups

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\"" | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\"" | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Microsoft Games\Purble Place\it-IT\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\de-DE\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1 | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.jpg | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.XML | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Microsoft Games\More Games\de-DE\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.INF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197983.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03668_.WMF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\How_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2524 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2592 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2592 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2524 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2444 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2444 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2524 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2888 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2888 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2524 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1564 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1564 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1564 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2524 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2180 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2180 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2524 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

"C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

\\?\C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 17:53

Reported

2024-02-27 17:56

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe"

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1104 created 3552 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (6530) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\"" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\"" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1 C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforsignature.svg C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-200.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\CalculatorApp.winmd C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-100.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File opened for modification C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
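The three file tables above carry the behavioural core of the sample: it opens every drive letter it can reach through `\??\X:` device paths, it creates `How_to_back_files.html` in directory after directory under Program Files, and it opens a broad range of document and resource files for modification. The `.etl` files under `C:\Windows\Logs\WindowsBackup` are a different matter: they are the Windows Backup engine's own trace logs, touched by `wbadmin.exe` when the sample invoked it, not files the sample wrote. The following is an added example, not part of the report: it parses such rows and pulls out the facts an analyst writes down from them (which letters each process probed and which it skipped, the ransom note filename and how many copies, and the file extensions each process opened for modification). The input is constructed from the rows quoted above, reproducing the full list of 24 drive letters the sample touched and a handful of the paths; the helper names are this example's own.

```python
import re
import string
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE_EXE = (r'C:\Users\Admin\AppData\Local\Temp'
              r'\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe')
CIPHER_EXE = r'C:\Windows\SysWOW64\cipher.exe'
WBADMIN_EXE = r'C:\Windows\system32\wbadmin.exe'


def row(description: str, indicator: str, process: str, target: str = 'N/A') -> str:
    """Re-create one flattened table row the way the report prints it."""
    return f'{description} {indicator} {process} {target}'


# Constructed input: the drive letters (all 24 listed for the sample, A: and F: for cipher.exe)
# and a subset of the paths quoted from the three tables above.
ROWS = (
    [row('File opened (read-only)', '\\??\\' + d + ':', SAMPLE_EXE) for d in 'EMPQRFJLVGIKNHYABXSTZOUW']
    + [row('File opened (read-only)', '\\??\\A:', CIPHER_EXE),
       row('File opened (read-only)', '\\??\\F:', CIPHER_EXE),
       row('File created', r'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\How_to_back_files.html', SAMPLE_EXE),
       row('File created', r'C:\Program Files\Java\jre-1.8\lib\deploy\How_to_back_files.html', SAMPLE_EXE),
       row('File created', r'C:\Program Files\Microsoft Office\root\Office16\Configuration\How_to_back_files.html', SAMPLE_EXE),
       row('File opened for modification', r'C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt', SAMPLE_EXE),
       row('File opened for modification', r'C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui', SAMPLE_EXE),
       row('File opened for modification', r'C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\CalculatorApp.winmd', SAMPLE_EXE),
       row('File opened for modification', r'C:\Windows\Logs\WindowsBackup\WBEngine.1.etl', WBADMIN_EXE)]
)

DESCRIPTIONS = ('File opened (read-only)', 'File opened for modification', 'File created')
DRIVE_RE = re.compile(r'^\\\?\?\\([A-Z]):$')   # the \??\X: device-path form of a drive root


def parse_file_row(line: str):
    """Split a flattened file row into its columns; None for rows of another kind.

    Paths may contain spaces ('Program Files (x86)'), so the columns are cut on fixed tokens:
    the description prefix, the last space before the target, and the last ' C:\\' that
    starts the process image.
    """
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + ' ')), None)
    if desc is None:
        return None
    body, _, target = line[len(desc) + 1:].rpartition(' ')
    cut = body.rfind(' C:\\')
    if cut < 0:
        return None
    return {'description': desc, 'indicator': body[:cut], 'process': body[cut + 1:], 'target': target}


def drives_probed(rows) -> dict:
    """Map each process to the sorted drive letters it opened via \\??\\X: paths."""
    seen = defaultdict(set)
    for r in filter(None, map(parse_file_row, rows)):
        m = DRIVE_RE.match(r['indicator'])
        if m and r['description'] == 'File opened (read-only)':
            seen[r['process']].add(m.group(1))
    return {proc: sorted(letters) for proc, letters in seen.items()}


def unprobed_letters(letters) -> list:
    """Letters a process never opened; a sweep that skips only the system volume is typical."""
    return sorted(set(string.ascii_uppercase) - set(letters))


def created_names(rows, process: str) -> dict:
    """Filenames a process created, with counts: a ransom note is one name repeated everywhere."""
    c = Counter()
    for r in filter(None, map(parse_file_row, rows)):
        if r['description'] == 'File created' and r['process'] == process:
            c[PureWindowsPath(r['indicator']).name] += 1
    return dict(c)


def modified_by_extension(rows, process: str) -> dict:
    """Extensions a process opened for modification: a quick view of what it is rewriting."""
    c = Counter()
    for r in filter(None, map(parse_file_row, rows)):
        if r['description'] == 'File opened for modification' and r['process'] == process:
            c[PureWindowsPath(r['indicator']).suffix.lower() or '(none)'] += 1
    return dict(c)


if __name__ == '__main__':
    for proc, letters in drives_probed(ROWS).items():
        print(proc, ''.join(letters), 'skipped:', ''.join(unprobed_letters(letters)))
    print(created_names(ROWS, SAMPLE_EXE))
    print(modified_by_extension(ROWS, SAMPLE_EXE), modified_by_extension(ROWS, WBADMIN_EXE))
```

The gap in the sweep is itself useful: the sample opened every letter except C: and D:, so on a real host every mapped network drive and attached removable disk is in scope for encryption, and the `\??\` form means a file-system filter that only watches DOS-style `C:\` paths will miss the enumeration.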

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3340 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3548 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3928 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2572 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1268 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1268 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 396 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4596 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 548 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4684 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4684 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1748 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1748 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2356 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1104 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

"C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

\\?\C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe -network

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\cs-CZ\How_to_back_files.html

MD5 7aedfb5e99e5d4453e951ab7ffe4cfc5
SHA1 c3fe37c9cf76cab9b4692d6a25690fe865ef96ff
SHA256 f288a2d16bae24fb49ad588da9fe7c216ed2dca7aebb78b7eb256fa101dd5080
SHA512 0118f3ddd969dcc6da17f56368fa3d6e2031badea82e48b2b81788959f9bccbb64c7d573279be4b7a03f9b7dd46da9af1c1bd40c54fc9ba4788caaf5231e60df

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 23de259afa032e5fede2bb3cdc34cd73
SHA1 66b0dfdea26b6f126ebb0ed68e54999439922a73
SHA256 8e9afaef9c520be614b467044cb8060b5ada2b60a17240d52081ffeea1b3661f
SHA512 6e1bc002c89b497ccc0302f4827aa29a7a64aa4be6ffc326a342821921b85daeaf416b0428c9f239bfecce4808878a5c9fe5c35ae794f3eab9c1e45068add5fe

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 df166a1ab3c41890c94888abaa160b41
SHA1 4882b1c2b8395ed6630257daef9954d7b29e00cc
SHA256 6169d0d294b3733cf2eec8e8d568de4657989364caaf15f1e440549a1d5bf8a4
SHA512 a0aa192953ea727476973bc973e9c3ec52a4eb73497ec9963a81e63e7a16e0e9ff382a6747c860463d3a997324a5ff1e36f56a5ee0e9916b60707d8afedeefef

C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

MD5 d6fd3710ab1a0a1df980ef70889d8745
SHA1 dba459f3822ee7aaa325d83a05fbd24ec1991f71
SHA256 e44a8be361fe6844a178dca3e0d022899ca67567dbce469d9c88948e736b7deb
SHA512 078b2d340093604b2a0c18ec3d6dce70bf6340e4c0b5f0974cec0fb8b3d0dd332fe1220f4acfb0f063cab6dbcdfbd11482310ca446f277ade174357ae2fca518

C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

MD5 9f7607245b16e92f65c4440acca2ef9d
SHA1 a2f3f49379afb7f13c5e645600a9f6435afb9e38
SHA256 0b71682fb336c8e52af44824bf122cd80ca8dbda3aaa6214ef9007f4304b4ff8
SHA512 ca793b9b83c9f5a333ab1e0881a1c2fc7f00f6173d7a8b03c2a945765515a233cee510c52dc1701384685d44bfca90d1f42a4a2a6b6faa49e0790cb56a7a1b3b

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config

MD5 98bcc313755335fe61606beb5a5fd445
SHA1 cec0f627b78a3b3370452e540e81e7921788d593
SHA256 6fdfb7f3cff9eb9f2f6dcc271169c1248be8e1a3c5ea23b2336fc236cdafc41e
SHA512 50d0cdc08452aef9c258ddbbc35bf8560d3e80563f2b7257b839fbdbc152b1961e8bf8664eb8595572ad7b77d4dc59d8f702a4446dbeee1245f3589ed326d149

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

MD5 da320926d4b93da71bc0e0d84552e3ca
SHA1 e8b8482d1ec7d8bfd408de3b231799b079465e3f
SHA256 2794895b63ae28b3fed0339266018335c02942aaf0bdd6e1e6ecc86142f54ea3
SHA512 83a7bbd70a9a413a33b65ec1f9689a5c4633c6b1768c2229c74cdef32133b7c8d24702f3a5d0e0ebb6abc4026ceb241012e35e75d3aa1ed9c0b138e627eeecc4

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

MD5 64fcede54db127a28474e0dd7d7fd6b3
SHA1 918e75f8d5b1b711c993c6b22a8d6090b1ba43ad
SHA256 fa2a402bdd4d81a5613f7d9a68e3cccb8651be19e3967bf8416176dbd19f2871
SHA512 34928a9152ecaeec45db0a6a1b245296d3ff1b4589051beada9cffd5c14809b55b80d0e93d6a4e8a01881b4e15e67d7a30a41aba1530f38de5304baee6a6abd0

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

MD5 0eaa7b141b4d881667708742ed155834
SHA1 a2ef957337ca15d6010794df8ddc782f4d928129
SHA256 4d86017efeb3c670ef0bb80693d92e0a57bd226d6a35e51a57a82417679e153a
SHA512 a08c3e5315cff43f66eadb2d8484437142c209218db18c796333c4c03b027d9fea6a962c95ba1a697363132aa64d00b2b26b3ef28f0731fc0908fe2f82cee20e

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 3a8f1e720b1d07a9b34ee6d06f7e8090
SHA1 d5070fe0f14b844547b4e9cca95d754c4dd5648d
SHA256 0b5672337602ef158af4b8ce48a4b7afebdebfdc073a53da94cf71f90517318c
SHA512 07f7960249cd7c3e2cdc442ce2e68427fb89331335890443f97bc22866c02f0ad9ead4c3db2a1f7cfe6e18ea4776e8a2c1df2057c753395f975cc3197f4501c9

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 0ebabbda7ee1124e414ec82181bdff04
SHA1 35a4734ed30879a88bce2da88b044dce91dfac4c
SHA256 a32acdfa2621f139b34dfbdeb81f6b60e39464c9cde0e6565e243e447909af25
SHA512 7a53499e2bcc0d410d1976cd20469161b4187c8f1c0cecbc9270d3a67f096bfa28abb58da21985f287bfb6c3be4cc726c398b159afedf83ac7cd7d3d5983a12d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

MD5 a232cdebfdbdec87a08fdb84f0109627
SHA1 ad36083fc98edb4361d16e0a6a21e89e1d3e53f4
SHA256 fc3a44e338a97c52d0ea2adb22be15632fb6e77cac3cc6fcb84f5deb2fd883f4
SHA512 d051bac7b1061cddec2eeff81d58fa6fb721f06f8b921c62eaeb61a7100c31075701f7376888899ee22f90f53235a94c78e6e2d2af9e26489f8930bb45bb4d36

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 827f4d9bbed7cf3e25460c94eae57e51
SHA1 a42e662b8cbf49b64ba0905e11d6497cb3ce606c
SHA256 24d738865a3f88a5da8d63eccc42c75c1c50d88eef213ccad877626420dce0e9
SHA512 df9c5b790b8edc42f232ed9cb7306373ac90cb7fe407d450df846a2beeee0e470d7e4132cc50e598a6ae531ff48948e3e1ae7f9b23f6640eb3eb472f35ea980c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

MD5 46f9c5e62ac2d2eb64010d9cd3af527a
SHA1 b73eb458236b5761e06518c8341686136e938265
SHA256 c214f73d8ec3719d769dcc1f54f90714760ee9df415fc9330605cb70264137ad
SHA512 9395a46eddfbab995cd9eab782b9cc64eb36914664a88a4e50bf26f949d206ed56391e04706afd2d5b8b2401fdd0130104035efead8404b25b919c3e6f662219

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

MD5 009f4d080093c3f2e92504d8f5e1b761
SHA1 8c2165f471388560111f786fc596c45325b4d7f6
SHA256 e7010a3d16cabf3ec5e6a9adf978e14f81b14f9c05717b50ef0c58f0a65a17ea
SHA512 ae80607fa661380dbd4a14fcd9b7bcc17fabdbcd9d1325a2374905f6d5fabbe49af7e38857bf4bccfba9f0dcbac193e8ac6d4324be3514650f2543425221034b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

MD5 4ddd3bee6c9cd8978efc654b7aba6f18
SHA1 8081fcb4be51aab50507e8192200e6700be40566
SHA256 17be285feb9a0120be90abd2033d243b9721d169673d3a5d709264d177adc46f
SHA512 e2cb61f56bc94ea6513bbdb2f08618a9a12baa4d238fabd8260e60792e37630a8f52dcb3f989cb583a3304c2a90ef6a35b59a3e9d7e6b90744a94bf1a98335b5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg

MD5 a07fa46e03b23f43e63fa92c862af5a0
SHA1 17b2ee759e16b43e8a5ad116c0d8692b54b72e5d
SHA256 d1849e18fedfad224f5bd9768f6cc0442dd205130246f63ae53ea2ab53f46f24
SHA512 4f855fb3add2072f4d140e863a759356a1730fb47a36994bcda573113eaf7bf0e44b116708a9d4c72d242595206b356afe6e15534542fd7bf9d254fd30811a2b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg

MD5 6ff8e51ec80c999d43517ba52532e531
SHA1 93f4d327479e68a3add01a94430d7a92853dbef9
SHA256 3944421c2fe02c836075ac8d7717428a2629e24b175a5906fb9264d7f21f8f79
SHA512 80c3f36eed69ae4c7802a35df4897d8cc2360b9bcfc1395e88ce6db780e06f4b7361f3116c20f2b3245e0585145ddd375c15eac9c09da75f777e865c39abc7d8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg

MD5 32e93016539c0f881f78a2b73f7e87ce
SHA1 0e4b567baee6b7f61e1f72abde3521c11db2b392
SHA256 6293b9cd795f5074a70d19ea652cb2b1b9b75c0feded48e1bcdfbdc819315baa
SHA512 8c88d12298b0046537f752a7013ba5f7c7c35bfc7945d9e80f7b0ac85ee309a01ac10c1d63e40f14b1320d7d3289c79025b2d28de7c7f173653475b5a973dff9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

MD5 fedcd5a367caa2a79a7049e2dc1a6652
SHA1 88f6821f2a593f8d935b02a2f29e7de60dc67496
SHA256 b4dc4c87dfd73d7d6d4bf1f20c277dcfaf6a7c36107822aceef14982b2420cef
SHA512 5fd55771f5a911adb6c4c472b6cd5b33786c2fa1e548c0f81d661f2393c296d80955c69f748a83f63a040a428de368dc8d211341752cc357f5b5ccb8d399a045

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg

MD5 60c3518fc9ff65bddc0f17f7341c8853
SHA1 1792b5e3428bfc1663e8938924c3c45b2d1047ab
SHA256 ff7529402fcd9e834d40abb41318e7c78c100bdc3bf4b452c6d2edeb48c9f36c
SHA512 5d00382522da875e92974a9e9ef3d65e5cb54809bb16e1287157d07afec9b0d3d8ce9a50f2c7aef6ab0ca5827cf2e3872b2781665ddbc65898036f8ae161c139

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

MD5 dc7c355b65013edf12a196d4e216610a
SHA1 ad165173c0a4699a17310408596ad78d0344ccc4
SHA256 1716e38ea44c0cae4f1414eabb0cedf90f035da345b03e17c0d993ae7687939e
SHA512 d352612c8f541d43035fc7380805b1475fbdf5e177ee8888f8d188225b8aeb6e71685a461826776dbce878ddcbb4f3771161502a7f4af831b9ef2bb717c0a9f2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg.busavelock235

MD5 a7df920de3a5f806db25e3ff3dee8ad9
SHA1 e3921d089fbcd50779a9d9f396867f1c18229c9c
SHA256 5095404f39ccad0a67e7b65a065899e5531285f57c1249adcd17c03cee48f801
SHA512 e64dffdc3beee483da6849eaed691d2a50ffe45423e5b306767cd58eec4255eea65c1c89854070e904b26379df245e470d65916e5aa7436b67bcdc5db32eeb4a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

MD5 5fb71cff41d581d565486bed5062ae27
SHA1 808ad8f7276aa652a82c3a02cecae89dce0ea345
SHA256 30dc487b5a3668de21592df9a9165b49790fe68a0aa79fe618908413270099b1
SHA512 42c5734d1ccc949cb1eb5241982d0670b651ec4067b631f41f71c7a88342922ced2709847f24ab899bb939ed8cbd920b22e82c1e16711af3a5ab907793ffd05d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

MD5 208ef379139b17e022e4ea49fc7cbc26
SHA1 c35eb562f7e648264b1e1efa7afc1fb71d66fad3
SHA256 f79835f61de76bf576c4e7615f3fc380e9b01c6a3ecbc6aa33728a280890af95
SHA512 0f596acd53074e2d5e961f00b060a9c296d4bd9d83b196e2f6b968f02cd996bb6f021fba121afa069149feea19123bd261ca0fa3d7542785179a618a6f193ec9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

MD5 f2c7ab2ca3f7ded59d16e625ec61c931
SHA1 9237508333ca1ec884286dd0afabc49ceb43aca9
SHA256 08bfa2c11560d58c63ce6227103605384de3a98ac6b49fffb991096bddc7b19a
SHA512 9668a50231302d92338c705c65652ea72a2bef30ef7d672dc998959051b5ef7c87ab39a7f37321561c5848fb397a078f1c7ef948cd8e2c9d36cb9ad3ea98b779

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

MD5 44e84b4aaef5dde6d7802d5abadfcd50
SHA1 9753ad56e0ae748e09feb6466fa76ac7eb3c0a33
SHA256 eefb4ec636c461814bb26c155229413c4280215ee2bb30c4534ad9c67362a3c4
SHA512 e348e6f3826218008b7403902e7ba75aa9fbed7ba52d1fa9b44c5f63890c2f77683f73216ba1ff167b432dab407c4308dbcaddd46a5802adff3160bdd17b70c6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

MD5 f92651439accd1ed157caba25fccfdfc
SHA1 d63265100743255c166394b61802335fde62382e
SHA256 77eb85c95fe97da6a4cbc29eb9ebc0592fb18ec0b88126a7c83baa41ed4f68f4
SHA512 8eaeef93f0820714404bdc5b2e2581ccaedad5d65343b945c914c8ea4efa9523ab7db32921a20c768bd9ac7f68596ae710acd561fb669ee307b08e94742f2138

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

MD5 50eb982671639be7562de9ed2efe9c8d
SHA1 b1a798041b97d3e44934bdbb8639aee11276390e
SHA256 7095cee5e6800e95ea96d277384bf65be337f1ac1ae331d7752502ec58f5ba96
SHA512 ad69778fbdd337c95550d30cc51abf07c20b1669191f2b999b843f8deb357b18adee283deec769912865a0c4ab5d543a01fc3f6f53d2144b595c3fa90bf6d016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

MD5 afdc1410df2dbf23a0786fa96f8d04c9
SHA1 79bf07534228ab455a96a0cddee4edc958177c60
SHA256 9abae8964553b1a19fecc5144accfdb0485d3ff6e4ae8f9fc5e3fccae557515c
SHA512 e792abeeb0aff6569a49e322d09cf60e7caf9da10cd1ecf803ebfc95e8774ebb35ed8c0c01f34d9f9f63e90dc9b2030bfe778bfa8035c4cd2901b450094128f6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

MD5 cf0f4a4cc1ccb37baa91dff53ec5570f
SHA1 7258d7bed00ebf1c056a25cfe17eeb1166580e11
SHA256 462a79f82dee21f29234ad9355fc7326317de9412cf7e568efc52d27191116df
SHA512 40ef0fe2c3c2a5cbec791b3c66e6eae151342adc439585002b1da28f44747efc1cce2311bd8254c313394c47d0f3fff249a8e2accc96f495ceb8f593de057c69

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

MD5 90121e1b788635ecc943af51017f2397
SHA1 5876830b5d3c578c6c96216e46989b8b571f7030
SHA256 ca65fd85b45bbb27be747de58e60bf424adbe5285536beaf9a32c599971a4b38
SHA512 f2dd052a2d2e58987f0eba02a8ffaf6683775af260bac38addf85b983b882fd0a0c01632fd4097f6bc45df32acaacaefd0193d09e443f3a9ef75f16fd7e9ee2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

MD5 23b9ac4a44911f64b7dcfc99f9956d44
SHA1 46c699ccad3699da9512c8b106cb7b6c74d72cfb
SHA256 5a92094309cd20de97d54475881982726b8d9325daac688c2baeb1e63bf07f7e
SHA512 39719e45f11dbeb69f0ff15484bca520e188a1c675d085f655d78a145b64a1606e093eec5b635e51f3bb42e06c12747e3bb5357afa9c808cbdfaa111d6d97db5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

MD5 50c5affdeef2cf35c6ea38e72ba7abd3
SHA1 9f50a8f5c062c3a70503bf104847f4cacdd0d747
SHA256 e7c4956844a6aa9a2012f2094432e96a34de3b49c55466bc308485ac50d833eb
SHA512 47a1b5cf6d4510ffa966578226dc67cdb1ae5ac51fbf50bc12d5db3529a397b598c0c58936dd6a267629ac6ba9dc62a26834333ecf698e2fd88b414dc759c1a0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

MD5 eb01283b1ccb1e120f99581747e9bcea
SHA1 dacb3ca3b8d2023567d975fb60222ad6acd07524
SHA256 b3047b36a47751c018496bcffc6887ccd833562a814ab955c968f8c1dca3adb3
SHA512 f4676d714e77daf102aebad428fc6a3bede52155ac188bd548527d89b803dfc11d1ba40c8a4fa1febaed1d82b04628021f10d9482c171b2a595666ed38262de9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

MD5 fba83743ca88773780b15a06bb74ef18
SHA1 f3823b61d642b8227964ddb9bbe8baea7b933b25
SHA256 f21eddaa2b67dda3934a5ce0e2fbfd3c9d2f31d2fd86de7902ed0b3ac2ab65c7
SHA512 5b280846ebb93de1294a680602deb74ebcbf6c6f00bdee25b83340517fdc4152cad78042560cc76bb9786df19307c910dd0cddb1f89109c538a30dc28b13c1b6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

MD5 ddfde8b65b86182d2d353bdc98a7d462
SHA1 0afe6338e67fced91da5e3afec1e263e3c0f4ae8
SHA256 4f43438451466fa251a959a29f7d84a3c62ddd7e97ab13a05d90a17ba2e55eaa
SHA512 fe0189356ce0164cb757ef5dbf94606152f4efe11ff86fab75df42cf34ce65a246b92ca111d486c1d43034e944ba81db6483518c37cf4e87d49e87c439f79399

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js

MD5 a603f156f3a41af0a20cd51dd3de1383
SHA1 483ee3b84ba005177b6b973554ffddde984006f5
SHA256 6b9dd9cd26b2e19be89edd5fadc43d3b502d181f4c68b8e7b66c3b0909359ec8
SHA512 733a31cf2d86cee1fa816e9b87e16f643dd67aa5d0503d9628828062681a4878be6c238cd89312ce458e480664a60d353239616c9abd582a6d28e0642e1d83c8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

MD5 ff4644086a6f4de04f54b9a2b09ec838
SHA1 082e6f615f758a97d36f43f5cc58f174276b29f7
SHA256 0297f19e8cfcdb43199e6664d5dc3f343fe4002d33e4608a17984a3a3cd11157
SHA512 0c539dc3da79793e5af66ba2b4323fc7a2ec45cacd9b0728d6b8d5c6862a1b6142599ee775f180b2dc87c11a28d49dda3ec88f46c3586fc959053a8a7601ce04

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

MD5 7ffccc8aa1a4d4c7d3b06a745a1ce4dc
SHA1 0abd46a5c8882f030306b7b61402dd323e7d8aca
SHA256 a0799c982a64f031bbfec7f7771e60d7a39e72bd9607bdd1abedb585d8f1ac56
SHA512 4ff7997b1853f8844279c4af7b9c45c74cbdd9cfea15be761f6570c0bc7650437fc8628e88dbfa9273d2bb6d62b652d7ea17bd0f2da3c9a3da6e67f4c2c7163a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 41e2fd34d7be37ad620a59b939fb82cd
SHA1 099e64c1ad3dcd48d14ced79c827a1c0b81d430b
SHA256 8d93e38713361b51a72551c6df77e7e89e44c68644acf8d4b23b532fc20e1e32
SHA512 73ab65cd12598299945554f49d6fe6bfb2f938f1c46014131d858c9232d6047840705df1e786dd9a7d3f040df2c9e5db4ce6540665b5ec1f815913e65eb46e59

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 1f70eebfa0c05c90aed6fc1d5d6a1605
SHA1 cea2c855c872f88da203fc0464d273f11b247ab2
SHA256 1d202b97ec78af696229b14abe926f48093df7b8452bf56a91084ff052ef3907
SHA512 aa605f3e255dd42b45683335b00e4054fc3a2a25c6062064f64b0175bc502090ad2a360c41366dcac703cdc7ff8a59e426dd100108fece27ada145061d94ad5a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 9015af56e420a03c6f4b316b63d866c1
SHA1 d4caf78d92d80c9e375e07aa0d06eb9ef52947e5
SHA256 ce7e0530409052c9f9ade4dbcc4f0e6869ceb6708e80e5ea72417488c8d987e6
SHA512 7d310a50033fa5f72ffc0e0092b23fc7a2c0b581569b1c86cfca192abd0b48acb29c2a5740b3424269bad437bb2aba6aac729ee9e916caf7d3e628c6981f901e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 5c99fbfb0dcb347cd80ae556906fb560
SHA1 b693e70651c72f9f3cf8f8dc411a9687cf123afa
SHA256 c00bcd959338a46355d57b978d62974e97d33ab3204c3e51145cd9cac11de460
SHA512 40edaca897434950b31c500060617d3ecb5dcf44877e2e4a12b5695dc41cef21011e68b6a0c758dd6232273cbf862e29ac841f904caf3610dc5f421f8431e688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 bc8ded403bf2f24cddc148308c4de3e7
SHA1 b4a3780711aebc5eb4b91879390ae44c46ed7753
SHA256 a5ddc2d91456e5b9394ad2fcc59fa7d798f41596e3696bdbb91a9eeaf9825801
SHA512 3739d53f8b2685c69f5061e63565566b7929e6721b49e20974eac892e1f3a587adc2f12c31ab020b8c17a26c99342a9199709bb3105dc212ac3b648761477f38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 b45df7639cddb37c7aa33dbf3da24121
SHA1 26745f00b8e987f3f7b7a10a26010aa291d2e96f
SHA256 047f21a7e5836812c3021ec1405fa59448befdf92ed0a33435180caf9609580b
SHA512 d1f358a0d597026fddc1e157216f788404ba953f4d84b6e4186d2e4491df2b2fc8d3ef62d073c7e409a293c3d37b76d6626ba3df9bfffbc51f5aca040dd8356e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 11fa6c0bf2a15c5010235457b2f35812
SHA1 3432ee1f2359deae5a59b785a5fcd61db8854c2d
SHA256 78d3b182f67fb1726ff27a14880a31d47973a0e10f8180eb2c7a65c27344f6f0
SHA512 dee60e69c8d3706b54c3cfdf53361110216d5eae4f3ffad4666a7d33c24de7f8625b7937324e955280c6ce73433f684575705a9c1ab5b3c453adc9eff1f7d908

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 153b3347cfef32a477696cc227d73e4c
SHA1 3081a0750ab10c4e7db6da665cf2c7b7e85570bf
SHA256 b34b67c3155e4b1376d10f1e0bd80006f1703c8a8ab8cecaeab1c58ec1fe85e0
SHA512 5799cf52e12bc09abd0789cc36a4897a331734369f169dccf2410711255bcda7fcac05411d5c0069bd3ef8a95631d21fe7633d49d4e18e0541fe5eb19265383f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 5b70f83c7cbcfe14869a0a68c445e7cb
SHA1 add37c5fa8a51dd64306ef2f6cc6829d8ba8e0b8
SHA256 126eb81ea1892dd248e037c8622778a1aa518c8de25e9b802e5b6ab79ba8fe06
SHA512 16058fd632686b5be86360ed367865f556f2ea756fd0e9742e54311fd7268bd23b5cc3b656d45c48e7e3566ef0e153e55da410339feb3ea3ba1200213219519d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 d0580573dc8c870a57671528f43f95a1
SHA1 98eae26701182653097b64b57a8c81eb26988c02
SHA256 4fb0cee0a2c77b2df6e3266bc3bed6e28cb90c793b1565814a1dd1ca68c7b15f
SHA512 7451996031d48f095da97e57f08c8b87db4fdd9a6c04991045e68c6bf29e11d43d0b8fcf8a7bcb59140e659d0dbb587f05e3ab1ff23f6c89b9dea80c86446e7d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 a3ed289e1f464ad6f3c0d9b3fa1143d9
SHA1 d913907f5304168070328e39485f08820e25abd6
SHA256 34265e6e0ac64f7370e8bbc5650e49c765b17373a361862dc4b05018a2a5116f
SHA512 ba16e23009715a26a4560f23a43e3de95215fad47a35940c6652bebfe36f77b69801c5240a787e714f036a7e8ea575b10a4803b99876d1d80774a460bbee86b8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

MD5 cdec03f2f6a54241f880a2874f0300b6
SHA1 211c62c47ce047f8ea5de9ae576e590bf9f7c86e
SHA256 f8078603ed95240c1f9a575356243d6d4b43d8c75a400806c17fe3a009a0fb22
SHA512 c30ee2f8d931325496f8d570f88a51694d1003d719adc0b0fe950c6a8daf815f7e2faecc4fd05c019ebf47d7fd69a4304d4cffb4c916dc3ce1c202a664dad34c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

MD5 ec44f7766afc9130fef34e36f3e1994c
SHA1 9a8891bb0a163b8676af37811e5990f1159aae49
SHA256 6265770ea5f6ed47b0333fddb9a85a0864e397376175110aeac0f99cffe98784
SHA512 c5233d0de3e1e391af1b1bb086f5bc03c7f722edbf4d2750bb0d9cae58e2917d86b194914d76a677986fa3d255ecd7c0e623eaaaca70a7121551489ae618ac60

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

MD5 9dbbf8ebe759b67a77bcc20c136752d4
SHA1 341e1d927a45400d8f9c9f4b676bb5a42e965cde
SHA256 b5e7469e087093a7c455c317e3bb4fee9cf478523a184ab243f6d86b793a43c1
SHA512 67bdc5fa5025355089e9cb4951f02cc86cec57fcdfce454ed11ae3a3d5d39b17ddba673658d98319dc55991f0d929172e725c546aaab01c6ff6980c8764e9bc3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

MD5 f0b27689bcb8065a0f28b753af2dabf7
SHA1 d385b5954eb1483739bcb6ecba8e0fca60cf1591
SHA256 90f641c006b4bb5b6fe17331a22d360de5aa7d6c8fc8bc46d371460538f79328
SHA512 a7d2987ac0d047b44e660bdbb1778b13997aee99340a35f2d1eb0ab6321901468e5ba9c7e8d40a785a2e1988ecb2f0ce4590b9d46d5208b2a378728a0d908cfa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

MD5 2527d96098f98cf14ccb47d0f80193b7
SHA1 30badc65d234a03c20aae8c37374c80f9c3d1df8
SHA256 713f448f9bd76ec5d033c45b10c09f5b61dbfc9ed2cbe5456c9b728dd8f6830d
SHA512 6903ba7031368dc9efb1bc34c4b4d72a5c503afc8ae2ea876fe68d254351d2868c9aedc5999d93028bac0d65bc460aa0b9dc07e62834a45b723c8faec4cef631

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

MD5 fb489b92c37931a7ace2511c77289ae3
SHA1 c767e7210916b12cc600f45e5bb25eff7a46c97f
SHA256 e3cfa179eed4fe895ba16fb692116a5c3ec7b2aec6a913c959fb899e7960e04b
SHA512 915b6cb80164fccb61ed3b078ed5b23ed87def0a05419bed3900192568c8afde79fc9c829e3502e5d4e9fe7d519cc0ee2cb70119e40f8333d029a01211226b88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

MD5 b3df1e2f6e7622ec27655beb4cc4e008
SHA1 ab581171b2335d40bc30a6ef877a988767cbf8e5
SHA256 540e9f7bcf0f9a6d6ee65308b2ce2cfeb0051e8210b105381b9dfad0087b7144
SHA512 d77a38b11444834ac1df8061446f8132f02a9a95062fe6a1091b4877edb539ccae347082f130e93558da572cb0ff4e161cada776634735a728ce38ac6d87db54

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

MD5 80c5025e0fe7ff0c9ace493c347d5074
SHA1 d22b5619b70f2d2e618fdbaa0c2a9108ee4ee45b
SHA256 7f43fa2f97b06cb215aef5b0acb92ce5ed7db691338f6d775b0c8e05c2af0243
SHA512 cb3a368b21c8dbfac367b325bd9c25e1976eafea1c3d1f3ab28e1f0b4925a93e94bde89b006d623af63657bb86a1689981b9d1de8505d2bdbfc036e51fe7d63b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

MD5 be1f1c4a35c146f474fe6acf872653ed
SHA1 b2c4cc3de5a348a1f7a8c566fb464e4971d36403
SHA256 21288e632aabdccc7bcd1189a9d3e27111052d39228c3aafa50374a74df893c5
SHA512 85f703ec239b846ea6ca2f208659dbeb5617e0b3100fcc6a0eb1018cfec3961ad37428b4721c49d46e4246ab311ec84c0a596c7eb01939ab0bf091a20a02da0a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

MD5 2e1a68be5ae63791f9f7a2f5efdd6c5f
SHA1 73f87df6ef148edb264a2843e7d63e23bd7d4cb7
SHA256 2d72b994eaa375bbf69318ec09aa1305ab7b9cc1d781414774687816a029885a
SHA512 968d7f323a36dfddae148e7264ff8c63d556efbfd9f9447f2fa8b71c5f3e5d9198a8eb3d9d32655f6cb8f905190ce141bc296e3ec9cbe6afe180f27eb57fae3b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

MD5 cdba32711b76651e6f8769028027eb0b
SHA1 396f3b4ac219525b2d9c62a960e9c232387b9c6e
SHA256 cea225775dc19a086c5022a0582ff23d91d25ee9262eecccc8f03f4e56d0208f
SHA512 3dca6b9ea86581df9c2f4ea1968b0325a2f755381512577bbb9baeab0e7ce887a68982bdd170a6b76a5f9c8bb5bbd300977ec9cfaacacdadfdf2df39cf6fc429

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

MD5 de6f94dbafaa3e1370be517be51185ce
SHA1 06174766d02a1fc4f11cc7214408c5278c70e2bc
SHA256 012a91ed0134770d6bbd0b60409f893db25474bc4588f01fd2717ea74ebec440
SHA512 61969b075fc839ef5f2fd01623e16ed52052c9dec3c9260b09683a729969233101fab0d3fadd017bc259b5c882c58b148800d71fc5b43f4f56a67164a6624856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

MD5 9eece549734363e99ff02956aced4620
SHA1 ec5a525e5f40799d4fa0056fca595047c65c17c3
SHA256 93f56da0ed0b1a6d6ac36fe7fe785000acafcb676b4f76a3ba1296be1ec303bc
SHA512 a1bbaae4f99042de10d94b89f4c2085648b9bed5741b3821b3489fdcdfc4ef71676e8bf7c38ebe66a53f26c67ba8bf9a76cbd21d21ed2f3986cf25c70942d935

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

MD5 a33f69bffee65e9c5cc5b93fd3078609
SHA1 928220cdad027d552f17d276da09eeeb304d8b2e
SHA256 d803cbd8e061002f5de085fe3894b6a3d0c20a78aeacf57d4aa6ad30db6d0f8d
SHA512 70773919fcc933df46b007c53d78e1e8dc2c34655422589f68465c3e422a748eade56e186545774cc749b57bc64983454f44d1b67d32c6a7eda465bec888d2c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

MD5 ce36af01d1221740e6ee44d816c3584d
SHA1 f41812cb3f793ad54014ad2ce93f3f9c0c8ab2e4
SHA256 4c5e5d77cd044f7ee9867120bd8e0c7958eb0c82795941d2234f68ce3ce93dfc
SHA512 b767e1f8e168ce3808789a1bf2d54a6960c8e4faf3cc51fa8953f655cb85506587e24b2fb8b8b096b1955f173a3afaf14d4b6e32defb07d7a9f4e80e24df3d82

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 186ddc2969f37e9e03409a58e389ce75
SHA1 da725453a90d9b0b22491968ecd0dc146a50be75
SHA256 cc02e405f4569ec804cc1351c16aa8d9119cd670dbf242b225f8624309e44e6c
SHA512 080590576e504af0f2d9ab6791a8f2007713e0d1dbb9cc97d5a160698643bdf0f873f12ec1d2fab967fab4b8e7b02ed012adbf3d850219a88fb5e7f6e3db9fc4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

MD5 a14456176e4fda3ac21efefb8542a409
SHA1 8a24bc6aa37eb97895e090f414dc038689788506
SHA256 b1ce36632f60a134b95104056dac6a7ed07e102501e3f87392d1a425e792503d
SHA512 e556411d2f64cdee0cda08c3e59116b55d22acf83ae0548f77e44cb5814ba22ff63df54ffe85632037af8d927da2c0f958e74a1b3c6e2b991e2a83a9fbe6d135

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

MD5 29a69064d667d1ea6be8814d68050155
SHA1 6eac40156020c70f000cc780c5ad6d92d60c5de0
SHA256 0972b1ad3e1d0122353b47a7f5d5b0c499f66788da0813cdcd28f45abfc46d56
SHA512 d02faa045d3da5a6c5896ec08be77c384238c2c13712661cd03ea67743bd5c43ad38d2ca17b390b75fc4f81a221b78c0438cec97d54c3dccbca3b79226ed6ab0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

MD5 61396613c7f31eaddb280ef7ad58bf93
SHA1 5476ca791fe44c17332914d62b176442a9b34a72
SHA256 3141128b9086b521c9b703be21eb7dfc05a1ad0c34dab4e9611e3c3a7e7ce4ad
SHA512 45900b187ba7dc390ed074e9dfbcfca406ed8c4c7bb047453d6ca394707d9ec9e1443fb100d0c3eb9cc7a568e5527a4896246628465143550b3c968cb8fd4ba5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

MD5 fe52da22cf42ae3f11e2a7ed6364c51c
SHA1 55af13cbb2baa5783147a2c96d36a0377d91d710
SHA256 c7eaaee92421b46aa195735d1adeed08b2b58e3f05056ecb55b21c2fa7285fdf
SHA512 029a4bbeb87375900c036ebe15950fe16b0efdcd768e5d4c2043907cd6440880b89417250479e7653c92fb68edaef9c0515edc58c36f29b7d43c22e55d846c8a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

MD5 7289cd14b30c63f8a50f13d92d7250e2
SHA1 270b7d208864f2eb961382a5a08b1759e6624c2f
SHA256 847068162c32c1a9099fc7741de23a970fad488b8662efadb9cd58bf56ca36cf
SHA512 73816a6339f341bf08c852d60427c0c590a87f2bd4c1773c0338204e7803372fe48b80af9926c7e5fdb7dcc911aed8078e12a78050136f1b7e2e46055e5cfcf7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

MD5 396ceda2f18a61821ea9518633cf210b
SHA1 d9f3b2dd61d4c166e2cd21c69c1856cfae256d1b
SHA256 d11769c4717debd7521206fa7c58dcd28c98fc7263a727ab84f9d75d35208a2a
SHA512 8dea0f7d3de51c61b6a29e98f8cf4f8217d2057aa5825208a2d3df07bfed1bcdeeffefc86d22b08086313a3c5a4fbf5b835f5d23cbc568f807a8c05a44664c02

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

MD5 57eb321a6ba1d2961a68df33684f6f59
SHA1 001d11be49f008c2849c781c8839e7c756372d35
SHA256 5297ec573117b6d898c2f9e1615b0c4e1b7883a72676ba3eb2e8cfc7213f8d65
SHA512 97723beb0cf894ee22d6d40055ae665bb67305ac74943ad4fa42d0da5ff733c8bf0a83c2ca6e1f74876dc04a12919ecee83375bfb4e4258ded0f67645d24f312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

MD5 7df857d6f8f8c17471a01dc1925462b5
SHA1 ceba7e288160b536c56e3cdf6381141721c08d78
SHA256 bfb6fa061a787903f84ecf0d8dee247fc2198d0b8b432e0cda532dd395645882
SHA512 76a45682576199496a3418f541663802bba58fbcee0d4b90cb6538289836d736e64feea613ef381e5bc0ffe72d0ceda91f27383dcecbce902d1acabea41e0e1b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png

MD5 0f470fb75ab2f07fc045d90e41e9bcb2
SHA1 fc53d9ee51e487c69e194c00be644e5df7aa045d
SHA256 db00551b2a1f29fd5d199f1fd275e5f80e4f008861cfd6194c9197a498fc7ad1
SHA512 04bfedd56fd8a3525f82495303a97bc26dc84022ecbf5e79f5ab3c470f70733283b61adbe747f2b0a74cad087b31413c6c718aafc55edb71ca496924fe2055a7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png

MD5 3fdacfa82029f242ec39cb2d5a265dc4
SHA1 0e1969b6d7fdaff9638344a125f0de306a3ca044
SHA256 99b91541a149180f9f52ea0f01bb42f8916089cddb22a499391c3ae31d40911d
SHA512 54b40c83f5b199726b971451c454714c989bbe2a5eb9628a46e76f9bd7fffd3440a94c2bceb5d81ab2cfc33749b64bb47864defecce6bb213a83d0817fafca46

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

MD5 19945f32c64be61f60242b4c567c8375
SHA1 958e961af85f31a20687d639c043be1ff34efd32
SHA256 9130299df5e1f4d509c1be1fb71a721cbbcb8c8aa1dc88d808f8e0bdad877375
SHA512 60c4b5a44f82ff6cffdb7df8b27f3d0d04f00d7b200d9acef9dbf60843a254e576e33a4cc8fe133e6093ef7704abbe5a5aa8d69648a65e524eaab94ecc033a17

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 a2f282bcd416506905916e054214dd26
SHA1 3d988aab6eb1eee94b8a36850892288e3b3620ba
SHA256 3e95900c625dfbf0fcc0aae0d11f2658b8a57a2fcbbb459fdd48db56404b3058
SHA512 a2e01526eca32b94f8ce6191ec63be7602fcbe09e981d29d617e54a91ce10e19f4f7420533eea9b0de516bb08428bf0c34860c2855a09fdab9e4c885adca9e62

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js.busavelock235

MD5 eebacee98d618d5bbfb050eccdf6100b
SHA1 6c4eff75600f40201c8257e4d30c595c4879e96d
SHA256 9e98ee3db30de0bef37135ffd1c49c6aa1f54b28186f73d0ef2887d6615439b3
SHA512 69e77b013b6e95802e8eba8d9bef60e61655087b391a7dfcfa4f5d386d7404b0c26dadb5a20a7f43fceb78c12fda019fddcf67de629c5ff40a2d088d3d8b7bba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

MD5 5281918b606c1d26c1393b0da107a888
SHA1 e4827306c1b6564cf5bb67944b1a272a6c68331c
SHA256 017744830c8797f8f9938686c8528dd008876dc444e7fdaf2af1e28f1e8c8fab
SHA512 15e997b5a3e1d5819ab7c5ca208285f4adcb77fa518479a8f7b60ccd199bdcf1d58a84c88e7eff7a988b7ad1eb6ed239361da9e7d7bb9b1d586889459deb7370

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

MD5 321ea24312395037b4d783770d312b6d
SHA1 95e1ad62894a3cbf3d7462c8691a622115d996ad
SHA256 6bbcda1dc67c49969c83b385226bfddca5d005f2ab83e91c8a1fab158ba93bbe
SHA512 3fa968db1ac7e732e9f8499d71b2362ab5b46c53d64f8f8310941843fc46171720e6269b03fa3d41401058ca3a77be8b3c0e40f7a701bdd6d0a811d6f6bd64f2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

MD5 56d8c1a62fc94d693f9aa5673c1c4c25
SHA1 8c7e07c2a7d48a58e11896ded38c4cd8c063e9ad
SHA256 f083e8a3433818dd33f3c689b4c2679b0da1269e91946b6172d8e3fc291249f5
SHA512 0cd91eb95315c5024741532ba8a18be155f8e56f4c4666c8504f2d6d500538dc0197739a422fdf3b4d30109c422cfb056c850b38c356d10731b3a82cfa4d2af1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

MD5 d3afa2644481b1aaa9a182bef8f80457
SHA1 c4fe4d690b55dd25dd8ceef4ad327646e9cdd7dd
SHA256 0610744642e96895208962a63874f76f040696cb2a760d3abe04e0aecddf13b0
SHA512 b40147df14e4813c9e0211179f393e214cc18106536ff83dfe7d951674b38b096593d313217c3ec95dc286877f37704410df71e1875e03fe4f7623d3f173893b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

MD5 d128cad21858aecf6834c8ad7cb1ab37
SHA1 f63f437afe506b95698cf9d79c8602afc4a775c4
SHA256 034bc710ab6d10960b81603c74923c512d01784ee72a3fd0d252bd13f9be48d7
SHA512 3cf2bda74bf2631330775f2aede60dfe6bae8791b40b68cd22f401fef2335e9041986d63b37bf98065b0f33c55dc45e0f613ef193ab84dc45a2bd70457850c13

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 41036a419c157284d03b55c0aca7e450
SHA1 900e1fb16bad9860ecda0e4c508afa123baf71a3
SHA256 1239a22f95d769c8b58f7abb605862a5249396dbb461d07cb5acad96b0d07b55
SHA512 a015871d6e1d3f4ec29aaf43bdfe5a12a9d97f881f4b6201e8e2a46f7517c4c82ba8ec52fb4797adcc9bc5598793309cca628b30119b11aef9a8437046cd4110

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

MD5 43dfa1e64d920a0d90502f9a8ef20c7d
SHA1 d9e0a2723a7fc6501d1d5810eb80407da41f8b1d
SHA256 d9288cb7b7b0ffc09be7f1f1fdb927b76acc2d57999ea700b723daf1ea61a44c
SHA512 8b7c0ac324eba63626deb431fd9a01c1bcb1cf3f506a444ed77a3c3c49fe548b9674f271417a7db9419fb157fb090252f2000c1090e22bb2e809b0aab6d72adc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js

MD5 e0fedb4631c65ebb508c151b38f25948
SHA1 64806fb9577b4403d7dcaebbb17444c3a2ff0da7
SHA256 81153764abf6cd6c6af08dc0d2911196af9d301c16bb959958690109b7c4a4cd
SHA512 c3d778a34c8a2515dcebf015e2272027a1d9ecd4892b8d9a0ba35f1e6a18ec6c1e4378b9f0c463c07496d50fb5174d4009c8681cd296555bb95cd94c38bd0bc7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 3e59fd3944b83a411724c1cf9a9143ae
SHA1 8f212346dabdc73d47713fbfc13cf70f5b0021a7
SHA256 bfde1e5b607011a6c2f8cf7935543bb3cfafaaebfca900a7d11949d9863a1045
SHA512 edfeafea3cc2441f6b7a118cfcb0775b06d8a18097215b600549b6c7ea60b3ec75ee066d12991c7c8e23f8c2d6b4c5959fa440d23f2f99d5326b970edd13a34d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

MD5 2d889cd2358fcd5b60ff0b3d73258bf9
SHA1 9c1a68948b8038d1739023587c869af52df5c16e
SHA256 e232ddafa62ddcd9ba991fc67e4db86b86d366f8df6b6c150d6a5a21cf67761c
SHA512 a40ffff231574d87bd39a7e5fed1601a1d8c846c9518aef61c6f3e453ccc4de5cf42e0c0f97784e2e266dad104327ff1ed1a9a2e5a8082733b90200cd5ee70fb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

MD5 48d5fcb0d3faa3a522dd23d8821fd46d
SHA1 39b56d501feafb8f7f286e3cca422a68cfabb7c0
SHA256 d4e519a4040ce1649f687aa22f3c212f407ba92bdeb031a3634d7e5a496faf6e
SHA512 1f17915e8618ceb336f4411281a390c5c8521f765eeb8a862ded8172186a8f23871a90959c36766bb1c28f8d39f11f4bc14134b1914791ba8406c042604e28ae

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

MD5 92df75770071b1642396420015eeb70e
SHA1 064ae744013de11908616c8ccf0a97bcf898732a
SHA256 690706438d709bb60b9fe41ac6b19b34712d865017a1d578ca3b0825e43233ac
SHA512 daeebed854ffb9900be121402ff678e793a4d39b9117e8a4490b6c37ceb26ab6ace470dbebf5415889d206e3e38be013c6cb5f255c5ae545fdd52fd86bf5101a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 e644d9d74a2d8a4e0c6d733ca6cf567c
SHA1 f949abed62e5492e5cb5b935ff93836852aea0ee
SHA256 e20a685cab3c8b58e963594dda00e7eeb68d918fb07dae8002a7db2699c2ed67
SHA512 9e96d059ce6d58157fb643cbb68dc428b537fd75eb717f32282c94d59ff30a421d9159a63e06ccce33056c8653df29ac9fb63e8f83c29aeb3f56715165d5ca75

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

MD5 59500399f70294c09dff974722e3ee90
SHA1 18009c0f6ff114cdbfd58ad57b5468493e982de0
SHA256 c30b647c9ae25fca31114d88c94c4bde77ba8539bf911d4d87e2211646a0b6ab
SHA512 2f6ca1616d013781346f67b7c903c1816f6ecdbcf7a7d519374309f1ff1c7abd5b3730518f71b3487cd7dba0ed371b13a6d3a9e1becf5eb2bf4c5711183d67d6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

MD5 65e2729742ecc5018d3b9525a4a77b30
SHA1 d7db5bf64a9947ef1f877c81beeab5fe6a4d3bad
SHA256 9f3b11cfb29d125dae5e0dbb8c55fff7c79fbac91bdfcc4c5a30874187e1a5d6
SHA512 8d4a36bffe5999dc26f8eb62ef3a44dedd7718b46853453e4618cb126761dd9dc9d2194fd0306f7d31eeb3c6f5345de350e9d5ba7643f3623034e63a586d5934

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

MD5 55604e21e46a5376fab54a86d7e0cf32
SHA1 ea6845199fb5a801d65be2ccb33997edcbd21a86
SHA256 f58bbe25dc1d1e81b07293de69cf331ce44e582a1087675c064ac3a29a144136
SHA512 ea83acdea106ac2ab03e7a266654868cb718d05dbac52f7e9c9c28a890b437b9445ad4b2de3ab80070710b0afec52aad28c0b8b528579c64732972f415993396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

MD5 a66eeed0cd9e8a1822eb47153355cc49
SHA1 73bdcb095b8f774283878738114be31bfac5b9e3
SHA256 a31619d13b5c405ab6e607c70afce2558a64f71096253ba1cda9c99e202cc950
SHA512 91adf079640ca16f7421995286ff7fbc22f16eafb9974c849b9f6a6d55dd0df4700f7582f52d2a0ff8458203555238ac96ef143ec371d51d97069c4786e3f8d9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

MD5 d057d94ee18dd89f03ae4313266f8628
SHA1 2d6045b041f01f995360494afe6bfd4effa63b9a
SHA256 83aa62b344c70c30400d7016c969a79205fb23bda2c58a21ed67c78870bb8716
SHA512 462038ff79bad452df7e71a81f63ff52b61d13d91bd3e9238b06230fef96743a11795ac0be2868b77ece7c386f55dd20f0c300b8662e2dfbba5666a745991665

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

MD5 213a804a0fb975eafe7506b2305f66d9
SHA1 1e8834c4cb48a4b9e1db348c7eb97794d7ce2dd7
SHA256 0e9ecda7dff08873f8e27e1dc224c5619976c991d4023b3641e6f6f9d69c078d
SHA512 cdfb105434db764d2ccc098f19387721226fff898ddf71598607ea7361eae75b8b24365542dfab26cf024859483399f58d95907d15755fa3b1d554e37ddd22b5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css

MD5 33f92f2fed5794abd48d94b6b08bd7ce
SHA1 4a98b17cf075a25179d1ec2be7bb911d22b5bb06
SHA256 cc0915fb5aba604e8b1112e01f9b6fbef8f8880d677df25503c61d85aa6fb75a
SHA512 501d27d11e8a971794799bdddaa4c8a030e22d4c187dcab00ffb9421b7b9ece59a7c694b40348800cd78aee951849b4f8d02351f47700cab10f1d1198d1fd029

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 dd6b1e7ab1f6b8af1ee4e88a245fe2b7
SHA1 7dcd0675cf62cf9fd5aee2a2e152724f64dc0067
SHA256 b9031f1f62a56c17420b9fc19e29aab0eaf42f5caa33e386020c8417e57b93a3
SHA512 199502c151010e8ab06558c1fefd02ee73b626f401f5df2a8017f33d4c5a0bdcbf9df743edcbad9aca434f1241fce1c9b177360536870fb2bdb7910b5060dc84

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

MD5 a14c095a7ee4ce0ad38981f44b574a8d
SHA1 4cb254f180b2aca761ca800afa4ed05b72e03a3c
SHA256 016e4674b739a53b77939bbd74a9d31d0ae58cdfea7df694c8af5582fcda9add
SHA512 38a96d691a7d9b61521916f42b53340fea6c7676604637f1c0af3b916d6bff6b263a4efe16f49cc915d14827295251577941951462f7d59a242b8d439af0239a

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 6375ca18c05104ddab12c33c0a6b6ffd
SHA1 ce8ddd0f2292993ca617ba8acd28b549960dfb43
SHA256 89c4c72ead1ef4ca3800d92569a6dde9158a221e5fe7d72ddb4f79947c03b09f
SHA512 88b1b028ea0b258957da8b5a6b7c25784645489ce4b512e209da4237da7b73d18a4dd21ebe720c050652777fd3276bfa348f770b79e1ac2d98f610fab5a26eb3

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.manifest

MD5 fdee5c352204560fe0702e4e5cbe4c53
SHA1 4d0119de4262477c6b66517017c9e6b22fe2b40e
SHA256 0e39a74c03459e435548f0955405bc449472c5f382fdaab8b1655cd2204c3536
SHA512 aba639fae1f94e054a03e981dd0e68b7137bd330446bea5a29f28afb26923ace0c9c45f7579a9c4daf346f2028fd559d5891a97fe3e5833113a11855b5c6d7d6

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Internal.msix.DATA

MD5 50de4afeaa0405efa51f1bd15ad584a9
SHA1 686e6d40d810b70006e955d797b88b008105de6f
SHA256 2e55ba6a184cefd72b8ffbda34c39786c436ca2d15bf874645306ff26b92cddc
SHA512 5e1e5578f7a11e6bbf69142d1556f02d6051195449913169bac0071d1a92e12c4454769a279dff7954904a48d59071b2b1903a7c42f77ee3a0e76064e7de20bb

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\000003.log

MD5 09eb971a0d419f27028fb92c8c4caa0f
SHA1 47a231a7f0d0eae09086b8b68f8d65719c59b5c1
SHA256 48beef5e56931b3685bdde7c936706e5bb6918f8ea06f44ff66c64a59b889c6f
SHA512 c09ade8f6f94355724c9310773c194aa057fed111ee4004204b69be77517fb62c2ad6f58b02b6cf52681878a67a8e01e40d43bad37654ef194145a95e2e00060

C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

MD5 763e9ad82ea2d267dcb6985ce1078f3a
SHA1 ac171e6e232ac7a604190c3c5c7b765282195b93
SHA256 2ef3e3619c8a1b5bc8a20030bc078d51b6e09281bb133a9972423765de72eba5
SHA512 68f2fe6f698a89754311cb9c4a025cda37d33a798501fde1142080fd35081373281166f0810e6b34b6f227be19c020eea7b3caa992e5ef4e1ccdb33b75422a5e

C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

MD5 3356b4673d22989d7ea53c79091b46e0
SHA1 b2fa23fa26f3ab6f060e95ca939aaeab4b0c3200
SHA256 b8f812cf7093e33c4f7c720d109f1b61c8abd1d437c5db44030518441f1dcd95
SHA512 41a6238ca05acb54867ff56b9b88e9a906a76250dfaf995a7e8aabcd8448a4571a9ebb7aebc0d7c92d0f9cc2739b6219306aaedd2112708986c34babc74984ad

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 c804174d84154b09a2ee062353f11fef
SHA1 0c5c2759beaf3a465f349a600c30660310adf9a0
SHA256 cd89eb4316acb5ab920ac04d89455f8ca927c134cf7b20a27ddb7d34eb985d19
SHA512 61be01804703d8665b067a6ef067c8068f86e4f7d2f1c9ff3bb157ad71e6955d67390313faaf665ba5e834510e0cf0688151a190efbdf717ccfbb7e3659ad495

C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

MD5 498371c646a4a58a10473a1853df1d36
SHA1 c4befb4ee0fb7086d1c6f4cddf221567258c3262
SHA256 ee63820137388cbf2fc836feac4a75c4ac0a8557771715db7e7a7a7e510e484c
SHA512 30a22ada997394576c2509474ddb6926ccfbcf0fac4f78556da7ffbc5e96766d4e292aa5f2b72ddd1d189372fc2529773904737212629b28b028454438fbe894

memory/2944-16926-0x0000020152940000-0x0000020152960000-memory.dmp

memory/2944-16928-0x0000020152900000-0x0000020152920000-memory.dmp

memory/2944-16930-0x0000020152DA0000-0x0000020152DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UXZE23G7\microsoft.windows[1].xml

MD5 cf431c7d433b1384d2f6df919483feeb
SHA1 f8ab70eb8a468990556a07731e8f4f698b8a159e
SHA256 12be83d718acf262c1535d1109ed07b917a3fd7d55f8a0d8f5d5bcdeeafcf626
SHA512 be8ba596a5c29006d5edc9e4089b63ec120062de8e2297b34756dea825b68a0afe361a9b5bcd9a8a9390308ddc97d3108328437b20cd14b89dda54a2991c4218

memory/3408-16948-0x0000019AEE700000-0x0000019AEE720000-memory.dmp

memory/3408-16951-0x0000019AEE6C0000-0x0000019AEE6E0000-memory.dmp

memory/3408-16954-0x0000019AEED60000-0x0000019AEED80000-memory.dmp

memory/2904-16966-0x000001F80C090000-0x000001F80C0B0000-memory.dmp

memory/2904-16970-0x000001F80C460000-0x000001F80C480000-memory.dmp

memory/2904-16968-0x000001F80C050000-0x000001F80C070000-memory.dmp

memory/1744-16987-0x0000029B5C760000-0x0000029B5C780000-memory.dmp

memory/1744-16990-0x0000029B5C720000-0x0000029B5C740000-memory.dmp

memory/1744-16992-0x0000029B5CB20000-0x0000029B5CB40000-memory.dmp

memory/4744-17010-0x000001CF45F50000-0x000001CF45F70000-memory.dmp

memory/4744-17012-0x000001CF45F00000-0x000001CF45F20000-memory.dmp

memory/4744-17014-0x000001CF465A0000-0x000001CF465C0000-memory.dmp