Malware Analysis Report

2024-09-11 01:05

Sample ID 240506-swj1qagd7w
Target 2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos
SHA256 8ed00160b03101b07c7c9565c25e745322b676e9ac0a6ad8894fc2a4e75391b4
Tags
neshta phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ed00160b03101b07c7c9565c25e745322b676e9ac0a6ad8894fc2a4e75391b4

Threat Level: Known bad

The file 2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos was found to be: Known bad.

Malicious Activity Summary

neshta phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Neshta family

Detect Neshta payload

Neshta

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (306) files with added filename extension

Renames multiple (508) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Windows Management Instrumentation
T1047
Command and Scripting Interpreter
T1059
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-06 15:28

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 15:28

Reported

2024-05-06 15:31

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (306) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EQ2PZD61\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BB4W7M7Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A9XVYA91\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2RM92H5V\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\glib-lite.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43F.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00116_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ko.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18251_.WMF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHMAIN.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18257_.WMF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00330_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHOME.POC C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00419_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id[44E22C9F-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 1700 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1952 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1952 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1828 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1828 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1828 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1952 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1952 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1952 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1828 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1828 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1828 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1700 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2612 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2612 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2612 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

MD5 cf75ecb15b317f6777c036f252a1681d
SHA1 5085b9b84a863695c3e1a07494ef8e7bf7e58af3
SHA256 aec0eea085755d852262e51c7319c31b4e9ea236a5ef354a80cfaf283dac3ef3
SHA512 8c267609453292d086ea024474d7270e765ff1a15e8f068b358ee193a75898a5ea37ed00156da4160bd0d9143ad8dde2af418bd06b64e0fe0b10e8e8dd354e91

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[44E22C9F-3412].[[email protected]].Elbie

MD5 e061f214ac71ec64bded956e42b90775
SHA1 dbe2291176994385143ca29cd24a43fd57c6390c
SHA256 6038121a8708acfe74c341425feaaed335f47fa01bc405a7296eafebf75b9f42
SHA512 d174901637b167d7dac3ad19b7904362e16c47d6e6e269bda31e941000d54956ce816cae111d941d0a0a7ed03ebb027dc780fba219ddb3d0e602f322b25e18f4

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d4d7af3f2c7ee5c7315c5c71b270ad9
SHA1 f59a44d5c7c6d6890e11864a3bee3737488773b2
SHA256 ae26b7d5c4dfc7db30363aefb501b83c9bc2df16597699dff8d5681d1b5e3bef
SHA512 a45008c212524ff403fc60550cc26cdcded0e7e11c935a0b5ff9251dc74ef4f44f233a219b1ffa9d41efee3a8dd7fa8eb03b080cdcdafde36dc447f541899b0c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 fdc710fccf9a2ee26236ae72efb115cd
SHA1 5a283c8ef0740235bed5deb9075ebefc19f73d4c
SHA256 ed15139d777eb5d22b40c3ff229ee281451032bc528ea7195ec547e0d2dcdbc8
SHA512 8be0fe49359ddd5749a9eae84305bf496b192075fa22a81bb616c997800d6315dbf1032ae01d3f0df2c751675eccf3d6466909fb42fd00008b4af117e5acfd07

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 40c8e8c5758557477573172e1a41080f
SHA1 25f67b9dd8cb5c73de0e028ac8d8b7b526adb27d
SHA256 a90f989f5f6b4f932feb14477d2a042460a944a0ddc5e2dd5d5d733f20020935
SHA512 1c99a7837cb6fdbede180a7e4646dc1880de85927acf1afd127322faa19a53633888c070eb1d2d7f423d0784fae5ef1e6f447a847518fdb738302d0cc2a04133

memory/552-866-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

MD5 db10fd32bfe67918ed177579d4be9d76
SHA1 44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738
SHA256 c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31
SHA512 bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

MD5 2b62a30906a2b8bf3b68abd2ef9d105b
SHA1 9898d25a214dba04ebd7e3030ac9e2e90ea7a369
SHA256 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c
SHA512 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

MD5 1ef5e829303a139ce967440e0cdca10c
SHA1 f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b
SHA256 98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7
SHA512 19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

MD5 71c7e24524aea1022361143d0a876c84
SHA1 b141efff466f27664599dd2aa91f0b7c50736f1d
SHA256 07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3
SHA512 4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

MD5 985f599bb4b81c01d5b5d16ad241d5ed
SHA1 a90b24a33383273378fc6429b95fdf62c4c2e5d5
SHA256 36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4
SHA512 fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

MD5 0a876dfacfdabc170818581a2e6e6d54
SHA1 376fd52e52867f959cb2076fbbc4d214778a7fc0
SHA256 e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839
SHA512 766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1

MD5 65435a5d117aa6b052a5f737d9946a7b
SHA1 b8b17ad613463c3c9a1fe928819fb30cb853e6b1
SHA256 ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b
SHA512 4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

MD5 eeb20c9bc165677800b6dc7621a50cc9
SHA1 def5026103297fa44a2185104f2ee400cb93329c
SHA256 6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2
SHA512 d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

MD5 335a7c8e767a2dd0ecf3460eaabb0bbd
SHA1 111ffd83edcb095d251067456a3a60b754b4c717
SHA256 a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609
SHA512 bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

MD5 b8d5d64c3ef0b30644898a80682f5121
SHA1 bbc7b3902250307a2cdbb314abe98e34795032be
SHA256 2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759
SHA512 f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 b85026155b964b6f3a883c9a8b62dfe3
SHA1 5c38290813cd155c68773c19b0dd5371b7b1c337
SHA256 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f
SHA512 c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

MD5 a2bb242dc046bacdc58e7fbbe03cce85
SHA1 052ab788f1646b958e0ea2c0ef47d00141fc1004
SHA256 486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22
SHA512 d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml

MD5 118db038cff249fc1b96f7a8f2b27620
SHA1 6f804438c7a4af3c57191138510a644d24bde92b
SHA256 8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989
SHA512 4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml

MD5 ceb1e6764a28b208d51a7801052118d7
SHA1 2719eea8bde44ff35dd7b274df167c103483b895
SHA256 99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0
SHA512 f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

MD5 f7c78514872f9cb5585f8d69532cd2d0
SHA1 ff9dfbb62a3b48c85b6434ee831fb33a8dba9526
SHA256 5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965
SHA512 50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

MD5 2c16868331f82ff43059dcb0ea178af3
SHA1 983589535e05c495ffeae4b0b31ddcfafe92a763
SHA256 be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376
SHA512 184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar

MD5 8b550761ab80413c9c09f7fb472dbfaf
SHA1 67122822562203c17dd3f762194e470f90ddfa97
SHA256 f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b
SHA512 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

memory/552-5711-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

MD5 a75d7d422fd00bf31208b013e74d8394
SHA1 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA256 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512 af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

MD5 d7d2fed9b7c55fe72a6cda66725cb7e8
SHA1 2cb154a1c4a0553658801a088edf87b5816cbbd2
SHA256 a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5
SHA512 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml

MD5 437687da72730cf42ce36bd093b78b3e
SHA1 693e31dc362426bc4d7a6b2954f7c80267476d66
SHA256 d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a
SHA512 7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

MD5 48e296d8287ae11c252e4277ee885161
SHA1 8a75b573549c2791d38acb3a4d215fa2153b37eb
SHA256 c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b
SHA512 b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml

MD5 e7b188938a141c90dda76cc258c01f8b
SHA1 fdf0e86d2f90e51797779674e429b6f826107a5b
SHA256 77cf0aa8aa6d73f27ad7faa42f7c9a76a689a60d74483f96050dc1cc0adb88c0
SHA512 b106fa59882b0345ce6885d902317af39a3f538731d100e4a92920ee7895ceab8a62d563c4137f8e3e1c7bd61ad6c017ddb301adbc01c7463984b3b245b3da54

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml

MD5 bb95a9de280c528c32806d0d5231de6d
SHA1 bbffb8596f1bc68df5603a10a3672a02ebd3ea8b
SHA256 a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c
SHA512 ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

MD5 c9580e2bd3527b65bf5b812b477ffe30
SHA1 66e921f302739af54e7a991ce38a1d37ead7c7c2
SHA256 e77bb87374bd3a9b3ccdf932d260091a3ffeb1d1ad9d236b54f0f6797585ebd7
SHA512 e86e61aa09e93395f03b9976d6af4f775be3e017ca371a837e538d440e04b7813d2855c3b7c2444aaa357c9d7a3b5ccca7649c6c557bc3f520b953d96aa93577

C:\Program Files\Java\jre7\COPYRIGHT

MD5 2a79a18a4fce30f9d28abe3b0174812b
SHA1 fce91cb769cb486bd59d97a59943e69418c03e06
SHA256 46570844fde2506ac28543dcde5bd20877b0bb2522a0cb11671513722ddb842a
SHA512 4ed0cfe9d66106e365977378a53f7881d1bd795fda7e89bc8e879888b54bae79ce80746bde779c9aad058000f06d1b96d8e0c7bacb0b871d3fc075e684a0f2f9

C:\Program Files\Java\jre7\lib\management-agent.jar

MD5 4eefd60f439096ed98b6d8a585da12ef
SHA1 75cb70498807b0c823cac760e00652842c1a63c3
SHA256 e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c
SHA512 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg

MD5 d1950d80f172e80f1c48685c51835807
SHA1 ae9fb8e72137c1729ffb559aa5f541bff78661c9
SHA256 523c41464ee47d61350e15bc091bc970d73ae2d00bfe7a88bc7fe00ae6202c75
SHA512 a6af7912278d814025fd2825a16943917461c881a8f2ff1972497a3a9f6998e349c5e375d69bc8697ae7197054083e0988198c4fc57cab3184f98f82a07a1a1d

C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi

MD5 9e0573ecb4a0800788a3aa64ad731bbc
SHA1 fa205d2a65684c6245a2272facf45fb12ace4014
SHA256 136dd1a7d0a62859f2077a62b7673c5c712fb750604a15f5f6140ab2c5112327
SHA512 3c01530d43156962f4a2305472eb5dc77464ae3bd88f932a2f55e72355c4c1db1df050c94951a1375ed6f69bbc4102ef6ea45574f4ca293123685564a1334596

C:\Program Files\Java\jre7\lib\zi\Africa\Tunis

MD5 66663b7d29e1bcbcfabbf26496f44d28
SHA1 652e5ca160b40dbdb15b9a3b89ef967d6d44d455
SHA256 8474486baa45dc211adc58156a75954f3542dc65326d6e5b157288711ed74e75
SHA512 aae76395ca6c3fe5e58a64618fb00ba73cf1198450da008edff89366bb9fb5bb62ad91f06b65a3af57c45aec92a67b2d51075c9438b526f5edc0aa4d4f38e17f

C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan

MD5 128e5d8a837d1d9b540b96013e4c9f19
SHA1 641eb152f889f8027c1fecec8fd81df2540400c0
SHA256 58bd661ff1a892697366215a8938d1c616cb4523e1ede78b49d155b132430917
SHA512 2a64edb3c126e9d432f8c8592af3121423a93af9d266649bb33b73e3d65a5504db3f00e268a51fb59ddd3e279f03d2048b3b243e9f5602b2399584928ff2a316

C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon

MD5 90c805bcb9fa376aacfb38d598ec7bb6
SHA1 c264d31acdf5c68a97ba444c7fd7e8af853122c4
SHA256 dbcfcc77f5774ed3333f3963eb84a324fd967de4d62c96631be6af1d6b3fe136
SHA512 bdd9bfe471648e8a116ab65d97e56f38b2d7516e0ba522de25b284c7b29d089dc039bb653f1b08e6ea0792150cad576adc48890dd6956a6aa29e5175cc5e2f0a

C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica

MD5 1135e286fb5224ef530f4ce0ec4a2835
SHA1 e1ef9d5aba553828ff9b4ff2cf9c1f25b085c6a8
SHA256 4a93894f08d98d707cd9a0274f4c9a51bcfa27e701359e12befcc78ffb488817
SHA512 f57b77dcd655d347fdcfc3a1beada329998824caa5db061553a7c784a163b4641076ba99677a4e648d0477671aa14da7f883b2df8b9ed6eed3985e7c2c8ca4e2

C:\Program Files\Java\jre7\lib\zi\America\Matamoros

MD5 93a2fdbfe3bd18cfa0620f2632efa4d4
SHA1 c0b705de8aa572a851737c34f1721c501473d31d
SHA256 3e84c247e11701fb5451865acb6262c8495d47c5f397a772a7bc01c9ce9f5b12
SHA512 1e5454026ba8100ebf7a32dbdda862c9c315b1f6a758242a7c451ade0ff87ef3757fd8caf58c96a0bd63e7bde72217b9664edfa2bb426f50a9ca9cbc2dde655a

C:\Program Files\Java\jre7\lib\zi\America\Nassau

MD5 4401d715587a3bcf3830b14dd764a25c
SHA1 33117586fe2f2cbfde2a7ff3b1fbf74927a65e42
SHA256 8b3827b7bae22f976e2a59e9957ba8b3b9cee57a4cf923a4da970a8f3c1e79c5
SHA512 7b63cc90c5cb65c3a54ab7249b67d9f12eb86237410eb51e961bd39777f517d65b62a08f018e8d8ce89745c2222b2302a9a007c88771968e81e97a60ce037def

C:\Program Files\Java\jre7\lib\zi\America\Noronha

MD5 527e3a39bc066f9dfcc85c57acc8d262
SHA1 aed5fa100750d77de0ce7e7c2e6d7a322131c910
SHA256 43c2ae1019ad57912662c9bd170d8d6986299bad4ec76811e70c98c4a1ffe3b6
SHA512 a1a0266e0c1b0e8b33e4dd242be63b258df4f2d1ae748583649dcb22ba82c7cd27c4ed12f632f7fd745f484621a303f8ace8c8f91646c74ffc71cf0ab12275a4

C:\Program Files\Java\jre7\lib\zi\America\Resolute

MD5 cb97b848abcb6376d491ac6bd9cbeadd
SHA1 3800020090c3bc180b0cf63fab7b39905680453c
SHA256 d6369598c0846422df1f6e1029041784e34d3b6fcc12a3ba0fc1613a0f80530a
SHA512 5c910d7062750c5f76f87e174eb0b1225453fbf36ba072d04ca025579af6a051c7af85c7772a4756876659ab6f8cc4429c11b3620c3f5298e0599ea4f8d5a644

C:\Program Files\Java\jre7\lib\zi\America\Regina

MD5 05640f18f5c0807dd96697e31fc5d8ba
SHA1 659edaff37a05ac603d08c90d2b5d26d9c90c78b
SHA256 86fbc959c7ffdeba173fc2baa99a8a93d75ba5d6a83a3e3300bab1b0a46b1d42
SHA512 000113934c92690a06eb580a6128941aef65c5d9ac043811627175332a0a6aaa4f55bcae211aafed8c5a7cba9dae94a162785c749c08392cd42978cef1771b48

C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund

MD5 81ed540e1204e3237f63da49df05a7d5
SHA1 88176d30b1bf7d6f87f1ba92dac451b883dc1432
SHA256 256fb9c4796b15a7ec4b0d5319e9e493ca4cffda658310420bdfd31e1c59da79
SHA512 92b183b168ad7cf33673e688094d8199cff7c3063aa3e2b83891838f02ac1a79291e6a36e8216040c588306191634cf51484c79f56106492408dd09079e0f807

C:\Program Files\Java\jre7\lib\zi\America\Whitehorse

MD5 1036f4aae37bd39b2ecc451c487e33c1
SHA1 8d60a72a4873cf55fa7bac47dff692303d17d157
SHA256 b61465acf0031e6a4cc34a66d568bd1735668abf591a6badb1f5f5bc20bf9919
SHA512 3ac2c8d3259ecbc41b186c2861ea6be3e6f9cc6b673a2ef610d42c91b359f31e941aa7de1d6ae801191870acdd6590ec788839cf9c069a7fc658d84582103a62

C:\Program Files\Java\jre7\lib\zi\Asia\Amman

MD5 227fd460860a3ad1fd2b245793c07f95
SHA1 71d8da21d4bb33f4cc32b70b174815e40eda657e
SHA256 693195cf289838146418e1bd05fd1a482c36ff75a77874609d615247285d5b99
SHA512 ce035dbe02b8e15091f7fee997a823dc4a0ef12c14e4f7d8441b9d3d9878bd17036db61e24d4e67db2a6e1f8b50168f6f03311b19713c688691ce4298b1deb2c

C:\Program Files\Java\jre7\lib\zi\Asia\Colombo

MD5 5f54d1240735d46980b776af554f44d3
SHA1 acf7707c08973ddfdb27cd361442ccfba355c888
SHA256 2c80619d7e7c58257293cda3a878c13e5856f4e06f6f90601276f7b9179c9e07
SHA512 b1f542f68a48608ae53904fbe2105bd8f3e544941abb38ec9d24cb7a26f916ef94cfb431cce0c64077dc2934913130d78492914a5e9ffc52f311e68217caef15

C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka

MD5 709c6a80af0276b170c521117ede47c6
SHA1 8e6d9001ca20e76482e1ab88d54d47c65c8c7836
SHA256 d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b
SHA512 bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe

MD5 0d4ec840c1db49efd9ea0f2dd0a7c66e
SHA1 df44812586d12298c713564804b42142fb68a8c9
SHA256 2091501cde52f2dd75b74ad947075b6381c5f503af97a66b592b7caebe9e36cf
SHA512 85585ff43a93051adce2aa4f7213bb5a8e4b4160bc1ba20eb061fe1b7d489cc07676b512e00c37ec63d76e08cc98598901ae6babaaf57a0c59eda9f621c1bbfd

C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem

MD5 433b6e531d44ca54bab63198a3f6b388
SHA1 f1dceea33541fd68c8e9caaacc76f062da393a90
SHA256 c00b114d3e1a4d978c0051e7e8503f7fd30dea142240d6b950164a37cce3edaf
SHA512 ca77aab2370179c0f5eeb6b8ed8b56eae5c3083860f51eda2031f7d5772e2018011ad5b004b1db1e1b5bc2e4c0f300735eac814cf913f54791fa26375d3eaa11

C:\Program Files\Java\jre7\lib\zi\Asia\Manila

MD5 38397588c4d02f8b95c263852e9aee7a
SHA1 80691ad30930c04fe1bb2f645f9c6c0548ece80d
SHA256 42d699d9e89e439804c0981f96b1a3fa7dbe42c6be1dbca6211c6faa4e0e2463
SHA512 e46b5c1865b53513bb10be9e3a2c2a54ee9e88f83e8802e85e728a2364ab649ecd4af605b41d7583688f8a78d1b49e36f1ef5b8824ab89885578eed8ebdbfd15

C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk

MD5 88a4ef65b666e053c28c9e023d8579f5
SHA1 4a9c1d641605648e7e0ff0f87d1ea6d21ff42a06
SHA256 88d5d20f83be8b19edd7cf53771fa94c1a67429f7bf9cec90822dc84a3a434a3
SHA512 9ef796e128b899f33feb0fba39017a0365e6289c3249ef6d2aae61c6c0283febf89626323bcee6e1e3fb9e80c4908c2ca09ddd53396ac41c78ba2e5c47500f0d

C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda

MD5 a1534d6e98a6b21386456a8f66c55260
SHA1 c7239c0fe3b7a00d812e548f4cb9d8d863e8c251
SHA256 4c555a3d8b83f80c2e0d0b647769e82148ebe7e27811d0a63277d6f61abafbbc
SHA512 af0302203a3ccb765aa4ce1b1ab524ffa500d62e179ffb527b76d2b62f5ba31b037902d8d46278378e7255a91251f06c0779fe4940d47a582415a201b0e401db

C:\Program Files\Java\jre7\lib\zi\Asia\Seoul

MD5 64321e9c7da09049fe84bd0613726226
SHA1 c2bed2099ce617f1cc035701de5186f0d43e3064
SHA256 e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b
SHA512 4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

C:\Program Files\Java\jre7\lib\zi\CST6CDT

MD5 359a1339722ce22ffdafcf70fb387a3d
SHA1 a958f03b193b09efcd8d35934c33b524b4e0cd7b
SHA256 fbb4fa31c3fa0c14ccb3fe426e39dcad529b17e379309c0adbe27fcc93feba50
SHA512 4a90df2fa4bfee474f9e79570ae05a26b6752f0244ab755a49ac0d38f69f28ed97b134092f353ded2c968a3d9baf2d08a73eee2943e8116b65c4c8357bf2dc0b

C:\Program Files\Java\jre7\lib\zi\Europe\Oslo

MD5 677bb0dcac881a5a4638ede690ca721c
SHA1 ab8e52e9f345d8152a39110c9ebbc07bfe37b182
SHA256 97d364e2d3d35f030a038c41bbadc42d0c15fa8d79ba569987e19fddb2e80f9a
SHA512 6485b77c5bd7581ba0f80318493879df55d29606e30bd8a609f18a94da581c46e2284287869d3d1b7dd2857a5388fd97c87070279305b66e10d67430d5c96a06

C:\Program Files\Java\jre7\lib\zi\Europe\Vienna

MD5 fb4aa89fb89bf94d0590a3174d1193ff
SHA1 c3812f2105099071c24141a994a9d5087199dbf7
SHA256 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273
SHA512 a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius

MD5 515d8db6175667b02ed715ba8aff0b2a
SHA1 44ca509396091b269d47da24e3d7e09fd8da7268
SHA256 d50e2d8474134908822ade46e27717d1a22aaa2d4ebd66ee14c988ecafc01461
SHA512 b0003c56ca6ca6789847ca2d75eb762a7da8870cde67cde39baa6d8a50c0a4c62fa1cf67bebb892ea50515ea7913209bdd0ae946b76ddbb1aef46a8f9cba5b8b

C:\Program Files\Microsoft Games\Solitaire\desktop.ini

MD5 22577911e88af39f79409e6de8eed4d9
SHA1 93436ea60c5dcdd2e9893a025f560ab72422ae8c
SHA256 e08dd9962eedb16e12840ea2a977cc07bc5fa8d96259682edaa080573d525e4c
SHA512 2db5f3b0000212518614c74c73dca3205cda5751aa2504ad9bf9b98be46e98143c064980dce9a8a6372305840946717c38e244d9e1f2ecbdff683fc1f0a8fbb5

C:\Program Files\Mozilla Firefox\xul.dll.sig

MD5 69016e6a597d194701476b8e04d4e028
SHA1 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129
SHA256 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a
SHA512 a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png

MD5 6294c74db1a4aac788765b4e0a0278b5
SHA1 81e9bbc06946e3c078d1c1aa150ca93e501ace6d
SHA256 ab3df617aaa3140f04dc53f65b5446f34a6b2bdbb1f7b78db8db4d067ba14db9
SHA512 a4a83643031063cab4226cef7e215765e6f997ce7719173632a66a45bfc0a710b3e6bc19a590108bda91576030e2e37f77e339a3f4e71478d96dafb0d46d2941

C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac

MD5 c3e4eefedd55eae4334456daa4aa0ad7
SHA1 ba9abe2d4d40bbd94530564b6eb178ec02a47204
SHA256 7081ba3d8887be22551f56b5f50da675bda7dd02f40e9fcb150ac84fccbe387f
SHA512 a302516427a81e59fe955f4316fd56b8e5207542b1abdd7eb3fc2e9dbc669849dce90d12d9160b59d45af233e63e2156f3a3f1e7807b7ae1b1225a94d472cea3

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

MD5 f4988d7ec7286976af1ebd5c7443be9b
SHA1 5c9d293127395d240112aca3191f6763e377ea69
SHA256 365151e60b6d5d3faa3b6bda819524b98e96b66913d74cd1911010389583a237
SHA512 9cb87e2c8d83a7f52700626d1b774264a164ce44d920c4a083754cb0105884e51345e422176fafca3f36262d978ddbedd01c9e7d934b66b42235287bddb7586a

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe

MD5 4dc4b898f7b739c87c41a173d02803a8
SHA1 5d1812d2050aee3a27afb4f3e83ce2835596fe63
SHA256 091a39a153caf196b46dd2bb14953fdf8594cb3f09051d829ca97c39720c36b0
SHA512 8b8d21b9ff14b2d15944814edeea4a6826916ebeabd28ab8e3d85accb8b08fa984546277c2ef954313627554201fc7e8e6c88a4383772b6988c09ed9d171be37

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

MD5 dc779b8484b20545a92b4c916869448c
SHA1 68656ba76faab94c69042c7a37aba88185f165cc
SHA256 4d9096581537ed640256635f0c29f187b9a7e1c202347e80b761843570eb9fa0
SHA512 bcd45c35517638d7fd67f5516d8b2d6af6e363ddae7a6ae50676a31cd93ccff9dc19428bed003af989dc9011894d73c98381451b0fc9ce326880296573f496cd

memory/552-10795-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe

MD5 bf10c256d60735e1fdb7ed661d28ea8b
SHA1 d4ddcddbbc68eb425c93e54da115ffca4ea46158
SHA256 b4d8b89c2f8d85c571e73238d79dcc234ee97eea2cfe76afa04810d2c9860544
SHA512 a8c56e93f8c23a38a8d5dcafc9901977e45cd7e062b4f519273e9aa4e464e7c0a33c1c9cf054ef19f404f724540ea97600858a0eaa88fbfaabf467730d5fc268

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

MD5 fb54e7953d62fa86aea496cffd7e6498
SHA1 b34a52b311a4c9420e244754e5d47d2bbdade2bd
SHA256 e390461689549b8570fb395e5f68c343c09e22619e402481ca5ff3069b884284
SHA512 44616503ef0c1b4359eed861ba87d912c75f006d50a27652e0bb0f4f69c0c44386b2eb419513fe29f0e11f0b223c31850acca348bc359a7daa7f5b901d3dc0b0

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

MD5 9574e987abe9f8a2a545e60e2c4fd458
SHA1 321b59df4983b2be0ef9eb231146d3c03a155460
SHA256 0a22bb73c3f2e43d03b9d453e549b83483d0003561b8dbd2345e8be4610926f1
SHA512 1f17d19a312593829eb70ce1dacd5911b5c9b02b4f7eb38f1d23e1995c680017f6bda6e9401c3c6838219740ab602f4f95a8010c04fc04ce33c9c503d733232f

C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

MD5 c65edcc70563e746334019c785bdf546
SHA1 d2da2e433919d04623cf260284736328de584972
SHA256 20dba512b5ce52d1c06c682dfa211cc9dbf3157a6fcc4dbb5a3cbb3a19233dbc
SHA512 7fc6a053039d517438d0f3d1fe28d4d8be787b1c7af149b60140846e7007a3ce9fbd79b8abfa1489c87a48b7fcac26902844f1292c08e3914cf9dd94930ed289

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

MD5 35863ef4d1f320b6b9e74371f27615a5
SHA1 236f55f4462859528225f6198ddb22b5a1e14cdb
SHA256 bb74b30efa0fcae915d0e09da93c53620e1ff68b07db81d1c6c4ff8ea1581ee8
SHA512 ce2d7c131b9c0fdeae007134139a4159b4bbf0788bab0acaae3d0ee91afbbabce1d5ad5a115ab0c7f376b131eaeff88096ab6e43bbe18fc609f71a43b60a562d

C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE

MD5 b70e12a99078046b5137685709b549ab
SHA1 05a8ca2e6bb4769b81f99d197a26d33201c1f726
SHA256 472490b5d497151edb0ce65fec9f236a262a39a17f5340d2f94de49e2d2c4a24
SHA512 76059ab7a263a13d2fb44d1eaaf42c6b5d6cbc6f3617f9d8aa1f304e43a9e8e8e287f7d5c32284165e32ff3c22bae06e7ac25174161490063120ea27628d67c2

C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE

MD5 e13383b5b1f1eeadbc837a8c07ca8911
SHA1 3c3dce72323c4262962921dce61d8106f1578570
SHA256 51e4db873d14549cfc617f0a48ecfd06c6ec885917493e1e62476db55f6faed1
SHA512 dca8d18b24c267fdd8a66309ebfcdba0bb54885e7135508c9460bcb61b8dfb24a29cc2b9ad635a76a4d3ec34759869d93060fbda0ed04318106841c9b1c2ec7a

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

MD5 aabda1120d4cb6cf7df6c74c3ebc7803
SHA1 cc00c59b8d770334eef07bbe4984532a0794483c
SHA256 7abb5ed592746e8bca6b3a0d69fea5560075376d57434648c62c469f2c16d8a0
SHA512 cc46ca780411d8eab2a795d6a4b27c11fbd2f1c7db312bfe34a34d89b9cacc7167e4f9c429a2ad05b3340b37ca199f5d1927a76a221bcd5ed723bb2265f84d8d

memory/552-11866-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

MD5 dccbe73913319a954a16757a7fb32666
SHA1 19459aed373fde7454780528c95f028d01fad60b
SHA256 7a269b011185240d5b215e2537c6988d10987c528b1d4ca7d2c7ad88558930c9
SHA512 6ef2b55b3fc7721d00100bc6713e3641747421c96521267fe083379d606f740fb973c653e8313b323856ccca884481fc0f389ace2b39a1d91b91afd6087e4519

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE

MD5 74566c21f0efe213d438964b3289c89f
SHA1 d604912b106418e03397966a3511f47a4acf36f7
SHA256 7ac4029ec946af909ec5c8b3981ef1e7c77e9e93a095eeb41f755f7962375d96
SHA512 50d73caea309d87ac16e9b7b9053e32f11349952cde483b5cfec76b93d2241742b03dcae9c0bdfce05eb6d27b69653dfb2f27573ed6595aa63d76e10d82d87db

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE

MD5 87993d9e9c5e703b1c39525a69b3b6f2
SHA1 a1c4605e7b3a5897bde5da4f47b764fcda835735
SHA256 f56e574fbce9762d4ff40bd54d84c80e1890c5207306244045777e5c33c17954
SHA512 af0703793f6408d81f72a586fb3aac3f8ae1903dea8de0fc770b7f46121da5cc06cbbd27d27e1d265b159e615763a5725e67df40ec10c018209066d5e3f19477

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE

MD5 31f86806bc6b3a572acd3026177423c9
SHA1 04120856da3311bba44f74d8b2ab5d3af61af700
SHA256 17636bb3ad6745beb6fcec16e8f30870a17493a04b0f32fa8be5fd6e4ca55d4e
SHA512 8229dc8c6bab17f7e195ef45f7838c13dd289648ece1ac01dfc09e08dd081af8a0117291d7c4405601ce4948896574ac4233d88e21b5c5a2c81f71161277f07c

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

MD5 7c66f79a0d68c50c6f07e4cdf3f881a3
SHA1 0083e486557d7e2978948fd843cc0332cfb91858
SHA256 704f7e2b5ea567b31e61d036b0a809e25d82a1f23dad62870f5e58e765cf1ca8
SHA512 aa648e053ceeb9b80f7cb6614952b0aa640b218b5dc86a37ff60a98ff18a8e367012628cf5249a4b2532295f8ae6f83c601849c02d7ee6efb8d2a7639d08518d

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML

MD5 05fc90d38e2468528ad10b5ce0bff46f
SHA1 3e50a6510e30a9183cbc4a727d4ee3a6e3786102
SHA256 4f969244f420a506355a2c1e81bdd9841f1263818b9189ac31c5c5e14ea41acc
SHA512 f6e585b7f0046e95b5c808133f17f131ac9c50ac41f0f9c09d7e17509f77891d5e3d9f71b7b0322fb4ed187d98425f2a45f6addf428a9436bec7af74fbe679fb

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe

MD5 6f903b19f72671eacbc6ba67843f9c9f
SHA1 1e3577554ca6b33394c4564473f75346647f2584
SHA256 fad400c90272d535bbbd38127248869467d249d1efd43972a3f0e2663ac4bb13
SHA512 9bb49c7f30da8099daaf1540354faa68237dc321d2a3bb3835204ed7577f7354b0f24fb8a00257f169dba571642368dd4ca20d607c00e411f9eea9cdfc767ba3

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML

MD5 950ebe96859f7ad2194cce45ba32bede
SHA1 ec77126b84fba5f858a84cde4373e1724c86d481
SHA256 1db92b26f408ddb6f3ac47574cd49cf4dc131efa8090477bf6d0a5feea4bdf1c
SHA512 4755508c6a9fb44d196c2fb4de3cd229b5526f48e1baf0057db858930d5e940c0e7c2c62cfc1e66e558987f2e93d11abeded72c709020df80c0b773607c33d8b

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe

MD5 8f2f9b3799dbafcc9db267c2099e340d
SHA1 ba1180f48d8627b712422345147b3940566398bc
SHA256 9a8a4556176525968418d48add139361cda150e9512fba1d88690443d2936e01
SHA512 00641eb3bd04aa1d971539a2586728119fb0c3920825d6189df620f007e2ef9c34e00865ac4a84f852fc8fccd97dd8732729279f6e911246773c0d9cf1590014

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 1dad2b5c2528fcb0cd57fbc6c6b0ef86
SHA1 8fdc459526d52aab1cd124ab02b293e669591fd3
SHA256 0640fe1ae0da358512a105e91c73cb36b6a1c9190e2a82691a68cd10b871706c
SHA512 ab4bbcbc833655dad176941d5bd75b8a2bd9d1bb26b5c2554fb5968c2a77ac2cfb80babb8b9da10a4468d00684c308cb6ccc8d6285d02dd8e4f5540f959ae441

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe

MD5 f3daac12baac04d6a559c060f126330b
SHA1 c60030176ba73cc2baec51aabad6d8d72508cfb8
SHA256 ea23d2e0c07b9d1c66159e482d2791835f71ba2ad96963e11eea81cc823c77b2
SHA512 0ffbff387e519d4493fca457d74cc6edfc3d43e6bab07bf7572c92861fde03150702e8eaf5665c9197867c4d8d7fb600cca2becf98567eeef8838f33d719b881

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF

MD5 c42c94e7e22da680544d2ee9553f5327
SHA1 318f931facb45612173e8f845305001d1134d88c
SHA256 0ae208d8333b8d56b0871129f974ea63ad90303e5087fd1092d7cc7a66e85ed6
SHA512 23bf222aaecef148138b5b2cd55e46084913986a7ebab17ab82011890ee179d00403bc5573ba7a783f280ef829e6cd5598a3153aac24d8fe5b2992064c30ed15

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF

MD5 decc47bad99272317818a41e7a522d85
SHA1 8d92c3a841aca4b24ae76a488c4e9985570c81d7
SHA256 153e9423e652627ab50fe46f33f0ee612adefaf54ad06bf70947650cdd32871e
SHA512 e8982763416ce78756050b0383398505979193e92a5cd7541758756a7e1c188405073329fa8f737861b4de5236c8a88f797cd0bf0083245349eee2905d906a7b

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 726e7d645e2657dd9fe0ccaac4177a0c
SHA1 2405e0d02856b6d133d3c2389d16790d372c73c6
SHA256 d9df21997b3223df407e322cce1044bd705d776da0f38eae6de18c9ff0748a57
SHA512 e5fdbb7d201862bb9f03c6d3bb3bc0bbab06a05de86e4ba1870ffb04485145452ea6c59c2c89254d994ee45b138fb090c20e005fa3607b7916178607ec8c33a9

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

MD5 868330559dfe3d6309d1fb8afdcb83f1
SHA1 9ed11beaf863f2c8bc361c8894b7d8234a3ffdd2
SHA256 d0b5080cc585c4fa12e5e90585e6f5014932eddd6ca89e5e63f378fe10576948
SHA512 4f4b7a4cca1f8e3c76cd0827ba36fd986de10e80b1faa8e686ec8ef9a9fec78bc9bf066b82d68d11509f0274d84a662568a07e12071450cdd437bf4b41cf5d65

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

MD5 d7ec8fa051fd1a84482d8c75fd4874b9
SHA1 5feeb949ea637dc6119075a99395dd1264195140
SHA256 119289acb5bb1aaac9b7de849cb67b8019d36a4b863e34043eae264eb578c558
SHA512 a914cdc117f60d3f663a17338f1701caf76481e46d1ded5752d096aea9534bb2a22086976adadd54773dbd6deaacaaca52ade243a15472c317ad25352d7f4a1a

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

MD5 6393e803f97c7fca713d899cb9886d18
SHA1 9172e7ae4f35a478cd416ece868cf308d303c3ab
SHA256 e7fe1ff96b2dcb1512bc530e2ac86ded63c495618d18aaf3c3db52e6ea3e2b0b
SHA512 de53203ad785d523124aeea4f5ede064dfa635d13b99db991728976bef4af2fa9afdc17f27a31c2b854a38cd2f37edd2343a2bc14581141217d09495dcac9970

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

MD5 1b9cc7e46765f3a07113568a76fa2f1f
SHA1 6c7b7494d4cd17c8f2fa99313a0ddadd45bdd471
SHA256 ae5b8d19cc48f20ba8c466e0122ed37279e9ba335d751e9f7bf6e3f5aab608b8
SHA512 fcb61565b91f3d58a207a7893be8ce808bf6d6f582ee353e74de2d284ce81248904b7f7eabc179666764704c386219786599fae61651c071f063a6bd9b5c9746

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

MD5 85bd227cce35af823b04887a113a0f3c
SHA1 be356b131c3061d5840e249c4d99dc6aca9d61e4
SHA256 951faed1264f3f2ecfb91334347895c55e06a5752aa562dfea600faa4ca0a3f8
SHA512 c127445719721b9ae8abf940139bc03b9a360c2047ca67b4c0559b3fba4398a0c86b82524eab2721e0545781d6d2820a7d53ff5ae5ecbfc15d1cfb3158dc9b80

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 e472b575386bd2479328e54421a165a8
SHA1 6edfc84b4e024846777a26b65f230ffd7395bdb5
SHA256 0fd053caa7121a3b6bb1631f268ebf3627fd1cec54c038ac681d8ad3b995d01f
SHA512 843ddafd3716f0c0de9a93111c2c561dd6e510db755e251f968341ea25ae9b7030b3576546034f75b6fa08a6d66d1bf4e28f16b8a1ce5b719673db4426dd61b5

C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF

MD5 f08b597fc0dad2e60eb47c729ec5a0e8
SHA1 6102ed704c46ebab3fa452e0978e001f6799e7f0
SHA256 86d911c492b42593042265fd0e6f48a2cee1f9090238e1d849420feae106ccdd
SHA512 b64d872c27d5fd0918f8b6df4c9834718f669ddf7823e191115e64f1784961c0ef384b9de3310bac1e5c10fc52ccee0a94392c5c595f271e169649654e2118ca

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF

MD5 e3d6d9c99344bef76ff5e6fa940c1379
SHA1 84da7a8bafe3d5898bef2d806b318af5adcd85f1
SHA256 dd0a8ab83ad0ac36cb27968e73c3b8c87f5d3080854b214a74b53c152f534036
SHA512 63184737bdff4cc24545d32c83df3656d772538a91644870386aba113dbb09763d4357a45fc5e9197bcb0f3b5aa519d5f8fed6ff48d4d8f953e56b96fd43209b

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF

MD5 b0d582502cd3ceeca01a0741bc96982c
SHA1 015498c371e78b8fc5ed5d0831bf2f8fcf803d05
SHA256 255c3a22d46b57e3f291eac23e404ce7b331400041930a0b43eb777bf8ed06fb
SHA512 d0b92159fe96a71ee641bb11365923eb89c391045c2b275e5fec0512ffca3c430cef1c25270c7440cfbb36d2e525675fd80b69ae2a9273f27ea384d19c58cf07

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF

MD5 42968ab756f9db46dac524acd13c5283
SHA1 6cb4841f1adb1015105a551e1de9a673f2169650
SHA256 7fbcfcd86bdfa943dbd68f67c3fcba6e7ab86fda2d14d28862c176bf18579fca
SHA512 e42291e186e3b3f2e0dd3325d9ffee51a5b1b80fb0125a9fed79926f95f400ae38e7dc60c03718f3b6c8ed970fb9d2d9902bc8648c9d8f0fdf0f9fba8f735dbe

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF

MD5 dd7428c326b6303dcda2df68badec0ef
SHA1 83d0d1df0c2116857baa8ab9c2d5f856e29d6b04
SHA256 59f4c13183ac051510c1eea1127c45540085a860875b07d4987d64ddbf46acbe
SHA512 402a8282fd6f050b125d6ae5efb9fd2bc9976356101714e908743d20f0cb317e43180936e44b709cf83cd12bc628674b74d46a1579332e54d0176484274bcb67

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF

MD5 cafc2a2dde2f05e2a60677690d2ca245
SHA1 8bd9c447b79435b8497212ef76f5b43dffb030a8
SHA256 db91bef58cfa8c3ad4587f4d737202a2ea4374deb35305e8e56a4e0b57232a7e
SHA512 7f293929a1147163d71c612084c7fb99740a1fdae3a3f9d7782f795c10c1b7b2e49617e9d6746938167a2dd49bc5c53788bd8751c61ad145d2d42700ae1f1575

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml

MD5 7e5a19c335555b4fcaf22078f0a5e362
SHA1 55079ae8c6067cd839503f9c3ae7ef9deb72892d
SHA256 202115097d1bee389d4d4d81db00117252be97d5691af316941f3843ef7a05f5
SHA512 371b8cf9a6485a2c59fb928a8b460caec1f7a572126641f568f77133b78e0e7b91fd52c10e6089c286d4162050ce50f9aeb1886784d75d338ab02a6b7d357a68

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

MD5 0fb569bd35d44c9ffa7d4728af4e734f
SHA1 b41945703b8efdabbb18c60ccd93d2115ceb78fa
SHA256 788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20
SHA512 b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

MD5 5360b12f6a07af7be93437d215f72fca
SHA1 fe12fecaca49a131167d88817c4941514ea408e1
SHA256 a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a
SHA512 a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml

MD5 c3c9945cae188df73afd04c6251ba98d
SHA1 4327d33b49b3c7046cdff83bdd31c724bdbf4118
SHA256 a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096
SHA512 a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

MD5 e2b1e53f26985bc0bc2a99c7d107a1d1
SHA1 b0b9bccd847f973baaed9790a33f3f77d2d1db1c
SHA256 3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8
SHA512 0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF

MD5 68a8b1b2741f9c2ba2c58d3afbeff021
SHA1 7ef6db0684eda77c6003d00c98da41a3e76556cc
SHA256 3b19ee6de90710035284dadad89bb5ad0057db27c79ad2eca5f5d5e540a892c1
SHA512 fb35085a488c6f3cda39a51a67d32a8f88f8ca8b68fe07d68f2a86cfa28879b4998bdec237ee28e61a1271a5cd9f5705e1cf8bc6176df8a2cb3f410da2f90d5c

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF

MD5 6f6b5e30af6a9e64b7b6a19c39de7e0c
SHA1 f4e37133cd52efd2967e90d645332c44a56b6832
SHA256 babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d
SHA512 4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF

MD5 c7ea739796f77dea0edf2dcebe980a6b
SHA1 5bab75849b9d716b8fec896e7b0f2d37659b3bad
SHA256 4cc7e6272db6b1ad7581f76c63c694e926e20698e9b02223d5041a55960463f2
SHA512 afa36a9eba55e94eaaa5c64129338d6af50a0a485c2b37075594e0415b8d2f2d181574a8b99969a92f90790085f761fb66b1a03020afc715fa17121b803ac534

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF

MD5 60c6b126049a35e50fffeadf17279275
SHA1 1d58c87e67c4b9d2c7ddd6b1f9c033eff16ca9b8
SHA256 77133f431d5e12dd850002c0d3d4e0fecbe3a7a699d604dc8c5eae9976e1d260
SHA512 a3e171c1c71e0c8fb05df6d783f5ac9c7ce0f9c3bbe653952ea048adce025192d5eba4ed8cc7800bd52afd265256ecea887ea63725c49cf563455ff321d45e76

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

MD5 81e4bf29a6552cb0df60980b937ed4a3
SHA1 ca18e846361c6f84ae934ac108d5df987e977925
SHA256 8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81
SHA512 ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

MD5 6790430bcb39e961b83668cbaa1573dc
SHA1 9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91
SHA256 5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7
SHA512 6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF

MD5 4df019b7bb2ba1e54ed725a85be04261
SHA1 f40905a7a7dd1623fa8f075715c862f6b944e961
SHA256 33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d
SHA512 654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF

MD5 5dc32f41bef844b95b3a8d79e9633c42
SHA1 50cf558caa78030567cf4e265f7c9cba3a2d904b
SHA256 86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9
SHA512 99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF

MD5 a50b718c3518b630251fb54b92bde360
SHA1 a9582222b6f4df2b4e3e4ee5fe91d25ff086b943
SHA256 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015
SHA512 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF

MD5 e0a6fc12e9cddb11d637714157db14e8
SHA1 5c2c7b2a90861b03082d3af01f802d42b937476b
SHA256 2f1411c6a9eed5ac2ccf7eb35456b8601e3c96907765746895325407cc307cc4
SHA512 3f30489d8544921a38f743f905aded78827948c695acce03cf892121893ad7193f7810ef5e5941e2183483e27cd384fa37dba257931f392fe0781eebce384ebe

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF

MD5 8edc22fedce822ad66c7733ea98784b2
SHA1 9c0986ff2345b18e88d604e24a105ba386d87b21
SHA256 fa807c957eafe34b850cb453a096df2e5899f0902a837fccd59f9aafa869fb44
SHA512 31bdbaf34b4e8f2edff432a5f1ee5fb571105081cea907b6cd41c529f4a9ec4956d009378f3b4fd912abab84605d78da298d4718b75780814e1fa1e86386d20e

C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT

MD5 0ec3bbc188caf04134280e5a95f00446
SHA1 bd398b51e76ebec0b43d756e04548a1907e8d2ba
SHA256 97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d
SHA512 e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF

MD5 c2dc578691371996eab94eb37f6896e4
SHA1 9c09715d6b50b203e161cfb59bbbfaa7837532c4
SHA256 9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e
SHA512 a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

MD5 3e586cd8128ba5d03ccbc121909e7421
SHA1 140dc52658e2eeee3fdc4d471cce84fec7253fe3
SHA256 1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992
SHA512 f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF

MD5 9cb5fb90f42219febcadbc6eb57257f6
SHA1 c948b86625804155f9ac9478a07cae11d8021563
SHA256 1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185
SHA512 9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif

MD5 79b9e09ca5f8f8ebd840da4c96afeccc
SHA1 efd9e4cb4eb7a896db0cd0de5138eb5be50864db
SHA256 318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93
SHA512 2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

MD5 301657e2669b4c76979a15f801cc2adf
SHA1 f7430efc590e79b847ab97b6e429cd07ef886726
SHA256 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512 e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

MD5 b9205d5c0a413e022f6c36d4bdfa0750
SHA1 f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA512 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC

MD5 59bcafcabdd1f16e7b9889ee10dec858
SHA1 116cf3bc4321fa20352d009e1d0cea588a9b61e0
SHA256 006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13
SHA512 2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad

C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE

MD5 69a90c625e4f2da17fe8c9b0b3c90e74
SHA1 16d29fd72f21d382a670cd093702e5efa81f26e8
SHA256 0d811192c78e7665d8492c6fe65016138ba890c646106aff1c69f58608a6ffcf
SHA512 0909a2bc6e887b10ecdd9e237e902e73ed1568b301da70e2a8c3fde93f4b3cfe061ca26e47de60bb43fa592dc1e668752fdff0fcd5b41b557d3db392ddf208cf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR00.GIF

MD5 f5cfd73023c1eedb6b9569736073f1dd
SHA1 669b1c85ecbafe23c999100f55a23e06bf59ead7
SHA256 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2
SHA512 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8

C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE

MD5 d88d936506c509653a8d2752b2cb3520
SHA1 d20b8391e51d20b7928fd6518d1c9e313d400a50
SHA256 f28740ec24c73faf463df52ad707cbe85312871c1eed353fb4df820db53ba642
SHA512 883f1990c924eaa831b3ebc7df38c5b6dcbdff77a6ffb7ba35492c9c5757a9fddb6fcc2b0d1eb508b0d56ac1d4f2c1fc043595fe6564e1d0c677b99370f1a51f

C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML

MD5 bec4473fc43b77e28e60f89da4e29c00
SHA1 d5dbc7c6642a8a23da14f952a0f64fe874e8191b
SHA256 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96
SHA512 ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

MD5 b1e0da67a985533914394e6b8ac58205
SHA1 5a65e6076f592f9ea03af582d19d2407351ba6b6
SHA256 67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f
SHA512 188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE

MD5 6180bfc8a67fd42e977375c0cb644a6e
SHA1 1ca669f62d9f6637783be37bb6b3dfb41d2810aa
SHA256 d29d3d783b82422a1fd426cf891ed386bec1ce6fc8e094c33530d8299bac9029
SHA512 6c3af53faf366d41bc3a7917eb13b6e5767e1bc7581dd3779930bf919b5f5d25db53b9a8c1129a20fd768c50da36ebccdad4cefb717ed05569daa267c63d63f6

C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE

MD5 a7aa0336e62c816116e998046085935d
SHA1 d71d0ad204b1a8165d260ff9ed978bcb8eba75f2
SHA256 ee0d2c64243e6ab4c23271dd79c5ebd62de4ba00a3590e1cdb9f5647c9903e9b
SHA512 63c4a2ad43cd16df38eab65a66732d16ea885fa486c91751c3b3f5e216fdf06fe4d6306d79e82eedbaebb88b5bbed376c61025a3d67efa0340436831ef842f87

C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO

MD5 d4a7e4b0851785143ecd98f019ace3c9
SHA1 99d3d7b7167a9ce2fe67a0d296bfdf60ba7a8a8e
SHA256 ea3a2d1ae34d98f545d82a53ff2d1c6e5334ab4a0a4cd902e3fcd0fb697bf32d
SHA512 cfaa3e8c5f61f0b662c6e04296ae67b83d81fe96eed7872bc503c131cdf47576777d1857d0575ca309652f63f5de2a8ad6fe072bd3c3127eda3d353e61260c2a

C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO

MD5 8722af8683c6dedfa35cf708f04e507a
SHA1 e411318d7904624a56946cec0059e380b0a4bd0f
SHA256 a338f849bbccace695e284ab83c0cecc84876fdb292078f1186b31e9b6a07127
SHA512 1341ce0453aeae411696a7343f2f6a6fa991fbd483433841cfd4b202ad476d77ba62b66ff547baf4e29a5bd38e7c1f2f78ead201ed1bb8ec50b98eb763bb11da

C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE

MD5 da248a3112c6a70696c222f510c83415
SHA1 f96bd0ae0289d71e9a389163af65409f6a8b7243
SHA256 9f776f110ef4230c44ec2e059317e7b5b3ff5d53a394cce51de49909568a7949
SHA512 6e36eca9c5a01d7c9e062f064d008bfb96884201119821e8d474106f2ebc4a704c4d718b04afc1c0f0d7fa37e464dd10404f7656443dcdb36b0746438db094c1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp

MD5 79f7ca0fba179cb0bc93eb2f178e4ace
SHA1 a529d3822d5bbe18f6c3acfe44b19f0449e76f9f
SHA256 86a618c687c518ca93f7151a26391ef0e19101986d30f7eeefa420b0574fc5ec
SHA512 3924f19e1a9e1b9b9eac515c1d5dffff2aafde9745ad8d20b0d71dfede631875c611b58b2624fef0273830341b497fe7b554710d18bdfedd57c36ac0a764947f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp

MD5 cc084392f2514a4337b42f4865e2cc83
SHA1 79ff391fe2ea7244cdb5a1e1e5bc68ee0cc1c17a
SHA256 3bff857daf1c246b3ba79bff08805f403b65b0e2a5cffb40b078a383eb861514
SHA512 9c19d048cc3c0b34e8191368b9d243a4a9a25bdf4c55b3d51da4e97a679ca8507dd7368fe3ba22cb32451d433533d215549a276271462f8d1d1c2a9ff37ab68e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp

MD5 5b4d40b272eb1356f8a88982e76d4451
SHA1 4344a4f7503185c3830fdc877e6d44ac0f1198bb
SHA256 90ebb694c6e15523caa8196f148f47d1c9c477a48c49d638354530e0c2b811ba
SHA512 cee35a29ad193bb1f672cd69fb0c6ea7d35ab7427c5a33757842881d8db17b0eed1e1c59dc52e577ca29f5b74f83f9b023a61b844eab469eeedd04195293654d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css

MD5 e2bdd4d017ce36dec632e386e894a4e5
SHA1 973c9f51425416d311a4fb1b502de562b57f152b
SHA256 c23a5cc2d7277749c47ddcad301aa92fcbbaeab54e552813333c1306c5cf2425
SHA512 85878f146a7bbcbea9b35cb48c79bfafa27d7872c4c312e824944d9bc70f1548624a2f58839958c8033981b6aeb01b65ab2f454a75963f91c282871d9df90075

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css

MD5 6c3081b7bee29dbf58f91f2e18d844e2
SHA1 9437dfc92ec5cc8e0b938a23d11f43cc3d1739dd
SHA256 cb973b51d6e0730a068671ec24e50257ecac543574a2678214b7009fd6620d9b
SHA512 2d12c25529f1b40724e5d4e452bc5c5fbe196646e29411c5cd8dcbc2897c65cae881d9be2ca5a9a18c36e2e62127a625271c3c0f5970d52fa29c4c4a9b52cd75

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO

MD5 385592b8ece89d5bb6c8ff79b132c562
SHA1 bc14ffc7e1686ee066f445f1ab95714ad631b9e3
SHA256 b57536fb8401facf2e6aed14ed0f15e42a4f38b1e05eebc1a8be1613909c5165
SHA512 62ad043d2e28c8e5eddfb9d46edbacd40ac092b3fcc0e5bca70ac0d07d9d4b80cbf194f99803bbac70f3b963f9a3e7ae2ba29ecf3d71535ea3ab257115862bc1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

MD5 f536fbf78e26387affb82ee89943b870
SHA1 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7
SHA256 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15
SHA512 d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif

MD5 697538917066fbdc54bb7922e0f2eef8
SHA1 21cf57e715733ecaadd17747a6956fea5dfcc3e9
SHA256 1270be94b76ac32534581f51fecec7ce90ed9e0f3693f310058fba0c6ca8aaa7
SHA512 26806e433c67cbcf7bff91a47e214a312929f279739bdf2ca0b5d26f04e40f76f6350161c7aaa44de48fe70aa6bb67293d9736aaac526f1f794e94f135538be1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif

MD5 bd38f281632881248ac7f09eef8a6319
SHA1 5a40ad5f3ec39d2ad991e0b94683a0ce987d5066
SHA256 b92428daaf38be6775a2b1ce78f5c8ce213b90c6e6fbd95bae56458ab90f7437
SHA512 1e102e101b9c679ff5bbb874806650bc12a69dbab6fd446617e392c99620c81e35c2233a745934692b2e4f20b46a7cf5e90cf38a97b87ea588d525ce356b6099

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 ab58d658c2dfe0393df78f57740dcdb8
SHA1 096427e4fce6a16c49a01f645139172fbf077ba5
SHA256 882993b55cc0c527f0a6059b69b3faf4ef3ccb9cecd3d8847ca0e49a1444debe
SHA512 bfbad9a939371aa29f4ed8c5bcad0d0299766bbe6dc1d9d6233ae0c060a394c0b8bf665b11a28c3713d434340dda690cabb578ecf3e2a4a462d797f0b3f30df2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 0ad4cf7b35f62b8ff9c73f481594fbdd
SHA1 08b895c85051d99477cdf56d80c4006c262048ef
SHA256 c55b90509b8cb9bac53fbdddfc93d4e572685c509f1218423c43a5d6013bbd48
SHA512 697f1c0117c89ea0486b5b8e9dded787eafcfd710251cef4cf5cc275b1572a5cf9d499e44fa672aca8a77521a33b2e5040cf69c7cc3947fec2cd75d2296edecf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 ec8d9cf15661e1e246997637ac868ca2
SHA1 e172de70f1a3707fc8501f5a2207613f376169dc
SHA256 82f9a5d07d2ed70801a407aefc9336fb4582b17a23686cbd30ce31881a289b85
SHA512 d87760b7b4b1b286af229762c9c2b81847c803410a2a36834861ee85533ff2c2614753db56db863c73dd6ea6807c1074a317e62f066870dfb6fd4257bbdefa2d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 9d1101f2c45ce53f2ead40247bc2629f
SHA1 c7c2770645e7611ae33bd7a0b3ed948d39f17c06
SHA256 47f0149b43961165c5fa224dbd2d1e956cf0a26b86d15ee3e12652c2a6e013ca
SHA512 91ae75b332bb98b6116352147701514db0426f710600bcbd1bdfe31f20ab83c2c21c794244055372e5d11ee177f8dedfd31a1d9a744b84be0f57b580a8464ec1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 3b8883ab58438b245c89bc76ee848752
SHA1 7b01b457344fcf92362d14247f2c389ed0c89b6c
SHA256 b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697
SHA512 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF

MD5 9c1b2a47c87f33de47ccfcdc098e1806
SHA1 4ea8f90ce4f6569e41788252674776594ca668f8
SHA256 8d77e83b50a81c442acd64cf5a57ee30906256da88e661e87cba51320f2cdda9
SHA512 b317fc3bea365325bc928e347d081bf019c0dd35e764172ed105212e86ab4ab303b92bd1bb0752cc27c0a7d46548e199df353fb84873e812a744878d9d34bd30

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_hyperlink.gif

MD5 f25638c3ccba37aad21daf44d061ded1
SHA1 2db65949b3b8b9f2ec83a7aebda1d4379c17391e
SHA256 f2d7df9f7c7a829d151f2d26f67f11bb6b824fb5ed649c159dd6124c4b4dce60
SHA512 362d8d85fb18947f6924d956f93d8cc8eec7febac2cc8aa5bebaa983ce257c1f0eb416663d650c0958d33d7ddadbf79e636a26cd6f592ab38057d7dcc2227c3c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 ccd9d8aa4c9fbad1069e4dd2c4982652
SHA1 58cc653eba0694d39e7615ee7e049c8441fe6600
SHA256 35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae
SHA512 7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico

MD5 46b109680d8e37a25b4ca79ff35e270f
SHA1 e1d4ca57aa3114a7931c7a5bbc8be1ecd8bd7882
SHA256 54a918ed71329a2e6af831153825cb69b8cd45938a352d3b0882c92969a353dd
SHA512 7533cfb7af8b272d23734efddd2eba7524a746ac0664621ba3c05f139417f6e68bdf6e38c57ea16e8552d0b491a37f320f8f95d7b9e39e3c171a28f81643197c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico

MD5 175b6d3035eaaf10bcc78b54ab021ecf
SHA1 480f5c00b285f824d6eec209d6937e05c34d1805
SHA256 868d0516a42b8340eba07ffaa00f5928e1d6a7daf2a3c4d96c1b86b80e2e3e81
SHA512 eb0b26da872e4e957415ca60d0114903a3b62dfc6f4b02db745004a32ce55d791baf8d550284be03157a59a433fdc9e39a3129155cc0a73cef87febc51fb2f6b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico

MD5 d33c6324366941b3c100293e79426478
SHA1 afd047c1461a2ce36b775cc94392672eb43f1463
SHA256 d2a2840f1282913c2678160f13f3204616a9c302ae3b8f47bf17783ef3323aa7
SHA512 7cffef992a6008d2d5b1cd768ae722d533a7e2a637b421ab67f16175328ffc9f3a4cd72ed5db695796d335371aad94c4bf9003fe685c3833b7687b59bbb6b940

C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE

MD5 0ba85d0f052491797f9588f9772ba3bb
SHA1 aa48b7b0924b84bfec0bf8879ee6ed0d5a486b75
SHA256 a27c25bd4d7f6d036b11657af5806b4cf5ebc2853c40571522b53ce4a77ec97e
SHA512 b62eb880aee98baaa1a924c866d2b47dee91fa3ed48af86b12ffbd55d7f544d2692865c009236493c4d6f11e3d8d9bf134371782b08bf37d84b5dfc22f69b9ad

C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe

MD5 55965131d1dda456b523a9cb26a0a72b
SHA1 2c672a5f6ff9d13877b4ab031a5bb4e559ac21d6
SHA256 43823022f0d692e1f26f45adb3b06f79c7aec40820392fa355401e260be8ccd2
SHA512 6e088b985c0fe859ea6e2cabe441e3982624a1b8492fcfbfb9080d22c8f8ce64bf61d9d144f29ac1019d17fc5293975e7b3e22483eb5eaa34a18922f98985bd6

C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE

MD5 3c5167fadcb2fdc0d4c2e5b73cd54ae7
SHA1 2ca7e1e309a437b7abc47e16b7e6fad9fdc4e3b3
SHA256 8fa35222281f5cc1e2ec4d2549df05b61a3d7eff2b227e140b340d91cb6de8d0
SHA512 6b65efc87952b78441fa10dd0facb502518b12d44421a3f6058408cf48e9465230648d1369540a742a5e939820cce2a0aef028856d2418f9096ba7ae270df7c8

C:\Program Files (x86)\Microsoft Office\Office14\misc.exe

MD5 8e06f1a13e124ff3f1d5d86f5e00cab1
SHA1 d52d8cc0819e78b0f5b20e514f25922779944430
SHA256 5454e9ffd8299e68f29e332a8869140601bfdee5ef8e7419da1989d646e0c9ac
SHA512 9490aba0608154ed3bf670767a5c14f5b481a616ceab45a4ff5affccc2af88294254b2af2086480eedef7a47dfe5bf061d475d7acf78bc6fe1deca51da150a28

C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE

MD5 6b53560b0d6081aafa69ee8687f3f169
SHA1 e7e7a0fe35e4524c1e97f7c4648e87e7bb0381b4
SHA256 820e94d494329c2b5c4c8abebbf0c413af0c18f2b02693cbc2dba587fffb2cc3
SHA512 11369b380a51575148826d945f14a087e2062a52978b2739140bc2d584aea7a98e683303d59eefc8e8181bb5122023b1d21cf2f45e73e2cd3e3257ae848a381c

C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

MD5 b0d98b5a9b27de880f7aa602adc3a01d
SHA1 5d902166878e9c4a6ac327014ba52ae365d91d51
SHA256 7ba5b1dcdaae982c2394d94f158c31ad38976f283482e87ac845437c3c5906b3
SHA512 c15402226073747698a0b6bfdcf73b1bf5fca73a4ca5c374a5a5e40e187a5ee6946a92db87cc65861f16ead0e9a37c86b3455597e4ec754ce51b9a05881ebdab

C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE

MD5 202b13ac4bd309b0b5016cbf4117ed30
SHA1 2ab93e42f9664c008238c5aa8d9fde633c28d443
SHA256 e655309ddda467d1e49bd0bd37e225b1da19b5ebbbf9b68049513907530cfd4b
SHA512 b381f2232640f20607ae404d5ff7a6dc88b5f88475735917f998584ac1476cbdbb2e509e2e99811d9130ac85d0166306ca93bd3e91f6d9f14e4c6caf803faf48

C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE

MD5 da71adabdb7764dc087f1059e5725051
SHA1 2527de36ed3ec2e3738b2739d2561ea83c6d8f40
SHA256 905ac18511faaf3927c5b4adff8428eadb90310976351c7295f537e90fd2db65
SHA512 6062692f78c68af0714acd834fd61b804a915742afa9baa4cfd426f301057a501bed146e269f8cdb830a28b126b04654dcf3bc22a3e7cd72d8cd7537d714a97c

C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE

MD5 8353766a61a653a054ac1cfd2a6fcc89
SHA1 f9a6f85f74f986a6ad61a854c0747532b696487a
SHA256 d1c4010ac4d09dc3895bd20608dd311b79b6afd5a5b41efeae0c68f0a13eab6a
SHA512 0e174f9d5addf0108635da8e3e17d931c4e094acbc59d20037522bb187e91ace5f50c2c0aa5177a40791c7cd6fa39eca79b0353a7cc1b212c328bcd6fb3fdcd7

C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE

MD5 ee2881f27810a544c36ba98f208b955c
SHA1 3d07297466693331ff2c01d31f4208a7e61b1bed
SHA256 f4ac2436a046fcecb4723531f4e03caf6bbdb9e43daf4798823edacbb121289c
SHA512 3362ecefe69c6ba8b4a6491dd133c339be5a47c68bff204fc086e4db27f3b7a761be52c1f2fa756bae7e4563b6537cd9f4c670bd2bdf98fe943ea9f33ec2a270

C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE

MD5 d6d62bacb81f0b4ae28ff6a0acfcd5a0
SHA1 53c805c94909f87ce642b1d555e1875b4ac24e13
SHA256 8bc6d1f55ceeda30df2bbf75546cda7a106320f75907c62d18f41d9f99a626f4
SHA512 feb9bb2d563842374765a87f309700c8c389d826500ada42d56bbb4226d82a5e6323e2025c8430f0ee7c1a9092d68457ff4eab16cff742e1a5d747a3896e66e2

C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE

MD5 ec0a70017159082d3e8b6b92119877da
SHA1 1d9623125d1b32a6e3b700970ece2d478286175e
SHA256 2d2eb8d22e393a51eeb10e50bdde5d7691cb6c01c9c0b14c665fae15890db0ba
SHA512 7b39d239af3bcf35861b98d4cfdfdbf5fb5cdd93ddf1bc2e6c0dda0bf07b5cf9d977f5eac8a99207bfb0c6f11d60d1fe25b52d793f3001ec954bb76165812e20

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

MD5 2d0666d10f88a7b1501e169e1374bea7
SHA1 5d2317f24a4ac9770049ab8dce0be81ea4fbc332
SHA256 c755d7f9bda9c1753c6bc56063179dbe9fbe8e4e3b4b644bbf47d3ca844dd039
SHA512 aa701f423db0038a5076e2df273d74d30eee199a023993d8226da6ea4ea92b1e7ffb8701256b52d3852ec3d11862c34ce538cf149f7d27e597ceb433a242f83b

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE

MD5 7c57692797255a9e7aa6341a659f9c94
SHA1 816ea89228c803bc4a5b774be85bb95a0b7afdfe
SHA256 339ba6baa7d3d04f082354fc03453f0550b83c3bef639582e2b1bf4bb70410c1
SHA512 997b4cc80ddbe67b9b98a83560c5b966da6a20d63671665296e1b6c993fe5645e140397d8ae12f98cb248779f05ab78743c32252ed4af2265ba88b6e1d877288

C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd

MD5 9546c10433c45bfb9947449dd8d304de
SHA1 f8ebbbe3ad6a8cfd13607fd3a7fad7a3a7a50158
SHA256 6778c7c7b6b6c1c273e668169a7652a681da86ad62d03f7c5aa120405069feb2
SHA512 90c6dda39740f839fb470f838c35d5f264a0a8664c57cbc66c431082710ee633ca4672b3b64902e7bbb7a61e9b9f4eea251a7d8b6d5126de6d73d3480fdede5d

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML

MD5 b024a04198ed894b334178e411856122
SHA1 ca7552399eca0ceec6a3dbf393396fade2f5f550
SHA256 cadbea407cb411d2ed1c47c77536b622eb7d53d4fd3ee3b9897d554298683fe3
SHA512 466ef38a6bd49fc816e208b408e5bcc7d366dc7eb9072600ab21510b6e1417894bffeee5ec96f5a0a535d8e541fd505ae3450f2233e5a128bb073394c530e879

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML

MD5 eb74234cb882f0fedae27f0b9e9957d8
SHA1 973377cb3ecbbe475ec49d45f15ced0a02143a1c
SHA256 0645a4a67dcec462dc9f335bb0564e6e39bf12ea7e40cf8de81418210102c2d1
SHA512 480e05680cdcb4d72456228a7a61f2577eb2e412760fce40a5b4066d140d41545110b830851b764ac483a6630dd5ff1e27ba1f95643fa3fcb801eed514ba4b29

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML

MD5 dc5794fd7e35debdd2e25f3e22761cce
SHA1 348034e08eaa9434bcf5713e9880f60bfd33ba78
SHA256 15dfcf446deb114d465215cf49907aa5efc5fb8531f97607d50148cb4b680288
SHA512 6a9b27a6702e40ef03367ce611716816cc4debac9086983148ff75c4e8656f10ff5edf73e95e18efe9e0ef7b721350e86a20919061d0ce1266258384ef98b1d2

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML

MD5 0b0d4b77b1494ca873f4311cc88a9fde
SHA1 e88f8c3100290bbcdc224f4db05a77811726fe90
SHA256 60107be66c9efe4d6aa0a3864f71d60b3800c8d6400daa36c05609d099b5f891
SHA512 0a2410540f096ebd0464f16681b7375152fe8844ad2fed5fe86b352a61d6c65695051c82a36b77156a79ac633943463739752163d48b26abedf2db2c49ba794d

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML

MD5 938fcac2676e99d92efee069eacacc37
SHA1 575b35480aab9ada77d22f922bc57cb49a7580a6
SHA256 9b8747ddedfdcb06f34ca5161281e28aafe3bec2e4b21aa731e17bb46dabc6c1
SHA512 515074b8b8c14986ab86913a659ffa007cab07db5c6798ef6a4e12279ad3bf68262ac42ce991ed20a06825a8e5b8d0efc48aca38dad5503178d1dce0ef68c33c

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML

MD5 b4052c951a5d5df0482bec08dcd1a1d9
SHA1 99f3e0929eabf972e94c276c6423499860202f65
SHA256 f860ea6cfbfe8ddb3862a09c1b443f3273dac1a4757ce9e7a3b34d46f971ff10
SHA512 c26450d504e58cdbba0ded009158837855dadd8040b0c05845ee25b540567758c650df3d6b28c3571adff47e39d8ef99b30144250477524a19ab172d0870ef82

C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE

MD5 426717c4e81f8969a208630b79bd0975
SHA1 4608f5a486eef87efad8bdb54958812633fae730
SHA256 a6a0d09449a2ec106d43b341b31300533369f45514afffcc9d5de3d051e0c2ea
SHA512 f4b88ef477c014a87e302463a90b8ab1da109dd43213d5ab775a81fd8c157221f074e1dd1ec49fb368ea066ff2eb1f043da3b99f12cc3f3a1d99eea4fe4267d4

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

MD5 b5d536968b2bc39ac8bfe4c5f6c685a4
SHA1 701b7c75395915f24553d9efb2dffb8dc7d65a83
SHA256 70130dcb82d364a9e55a668072f40f9d1e28b601a1a4d7c203621c000e6a7ad3
SHA512 6fe10114a270da5222bdd87726575e9d8f52034763e3fc7d62a3ebb4ba080e4a24b5a109c02f3f35ac9ed997d0759235373c4462b405eae5c7764ecdbd23c1e6

C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE

MD5 13716cee650d29447165e3664415aab9
SHA1 b2bc45a6ca428a2b4d28c3d4a664f5b0661a93b1
SHA256 5286e18bf1e490f2176ffedd51307ad0651480dd1fcc45827a3ff82ddfd7694b
SHA512 a9127c4ab778821cafd834795f0de49f79f4be8cd658d45cd5940d9e8de442387c2220e4c259e3f7eac126e61128d7ad7ccd8f9fbc9b9d4f819c9ff555d06506

C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE

MD5 04901fc6485f101a7255ec9fca84fe5d
SHA1 f015ae63061fdeb3fe81b9f75780eac3ad8c360a
SHA256 744f7fbf44fdd8233bcfbf7ed363f3f9dbca1907336de5b4fce300697911e8a9
SHA512 12fe6adab17837fbc2c46945754ad3d6b21712293ad0d31ee8b6d0407d5a77b7e176ae47d1a4e2efeea75e164a26794690a774a361c9023d4980da3e3f6756e7

C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM

MD5 7d0a27db87cbd4243eacad312e5d7f41
SHA1 9b077bbd55fc3718e25dd9b80b89423cd9495633
SHA256 8ae7498b01f40e9d2a04df8a8a91cc0b180eb9eb64b78129f59a6d6ab547816b
SHA512 88ed00f2eba7cc1e53fafddcb74c2c1029f2866c4379816b0c53a6230dd5a06eb33092647b36c90f29ebbb7c705fcb065514977acb06fea4cadd43ae144f73ed

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip

MD5 1b09d4b3b183d0e78c9627ba6b0f925e
SHA1 fd441ff31ab04f40acc054b90c34bdee299017bc
SHA256 2555bb5583cd7eecea012833776c74683ce3479d1c1553733366905bc820ea83
SHA512 5426ddbc2ee693f1397c0a44ca5c6f1f8b763189326edfbdae4e82157ffa525937f78f0461f9d9b284a4a2491c7b1fe20d887adeb3ab7a07186b46ab6f5f8038

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000

MD5 cea67ffae620e6410ed0590dc6ec9b92
SHA1 de0e7c9e496fdd650fd8ab826e84b256eeb85812
SHA256 2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537
SHA512 ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini

MD5 0a9c72f9db202d3c13e46b9a902f4a6c
SHA1 c0ef3c5679f5c071f592f49042733f9542a59e4f
SHA256 57eb66eb632b72c290761008baf8118400f3a914e5ea4ff8621c3d61d529c89c
SHA512 2788ba119c86c5f806ac04b1435d0ca668ae665d843d99128cce7b2d79726434d15c2dc0d3d991cd9fd2a492f14695f01a7c5e825211e7a6a593cfb6a85360c9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk

MD5 3acc3cc8c26b9cd4f8db480174d5210f
SHA1 0084bb4735d725d16042918ea916d3e39d379177
SHA256 18df269c236e68e99a2e97691011172e3c2c600448a13dca21118370bc226335
SHA512 614d3e11bf7670772edc4135db9ea0056d23b2b7374bfafd47bb3de080cd2e35b83b336ce3eadda374b869af5f28b0b29998f011455b467cfd4cbd47bc1ab7b3

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk

MD5 17240404cc21fa5bd98a4a03b059f656
SHA1 17bf789e27311a0ab774e7a293b834c82c425d49
SHA256 54ad5402b99458324b0e2a71fb21fe7c0e16eccf508b444034a6585aae645053
SHA512 d05635f214f250f97319544464039754e289ee5424729d053b5efa90159ddeb6b1ae3902aac8ddc711b5ca51e78aab299f06fd8c19f0d14c9ab621941983a7ce

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk

MD5 98ca7859082dd1dc8570f548fd1a4894
SHA1 4687cac842d71ea8ddca89cc681dbc83df8aa787
SHA256 56ef96896db0a2f66b66a8513c0c1f699c5c67f1b23d5e7daab3e679e37d48e3
SHA512 c215566e992e46e77bac8dc462301b82206f499d46153203129bd4b05cd1d22621afc2ae828a998369fd0e3578f575fcc53b429023f74c3d7eaf01a8a65b040d

C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

MD5 80bda6f948a1289beefa36d2ba38194d
SHA1 948905d56e776f1efa1e026b309c6669b089a2fa
SHA256 9cb5d05f0db60b9e0d1b76af229fd2a705903d6a1278d4b815faa536a60c118d
SHA512 ebbc2ac06f50c65430f2d3df2dd94434a6bb0e431a48e5929d57b944882f66e488f6abb668535f0bdd5007b92d18d2c4b726ccbc547c60c6adb3c8f5b7f4e586

C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

MD5 55b53f1413edc16c71b2ed8377f7cebf
SHA1 c4c7cc19e754412b38845e6fa4c48d20b1c51da4
SHA256 3eefc4790b52024832ea4c03c6e7a781f3ef9416866a959b2777fce101ad9d61
SHA512 23301467411dbbfc5b302282dcb483e3d2758f7b4f999f32717e2d758479fab08e553149558c4a0c2f69b8db739a3eca67e78ef8ddf3d6304e5b577044d55b8f

C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn

MD5 565aba2aa486212bffe024fefb3a8ba0
SHA1 13f8e2befaf22d391595db2f5bb2efd761cb41ac
SHA256 891c1644d5e29e33e5bb88666853f9531b93a3d6fbbd4a8b01e4e8701f836bea
SHA512 a7a9610937383b8b9feeacacbda08f5d05692cd1550b238caac7a94d17399d689bc95e5afbd7a378e4cb2524d59c3bc3591e975a6aad65bcb6f6cd2e65cbe8ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

MD5 4ae71336e44bf9bf79d2752e234818a5
SHA1 e129f27c5103bc5cc44bcdf0a15e160d445066ff
SHA256 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
SHA512 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

MD5 28e37d39272f9d6d788d86cbf1810af5
SHA1 aef68a573fb6ec07b0188e2bda3be86c0e79c299
SHA256 06ea118edadd836a02b202c05bc7e47356b57e28c01edf1dad6cc4cf90c662e2
SHA512 1546ae0b5381c79337a67259b889cbceb216358ecd37e7e70d34ebcd52e3aabf1f13952240670884c8fcc705fffb339d0b6ad63c32e412e23fa70e47fe489473

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000005.ldb

MD5 e62da29ac3a82185101eb38cb426322a
SHA1 bb7cbd9ba983f9dceb9fdeaa062f2a142bc84cb2
SHA256 dc2021c180e2d8367d094b4c07d11bd556d64b33d1fe8bf58e208e8da8f5dd55
SHA512 158c590f882fae0fbb8c8bf37e30401272167b76cf26736d0633d4af28c70e91ddefd155090ba13e19c027f8c0546b8176049132370a0068f9c41a413aba5558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004

MD5 871bdd96b159c14d15c8d97d9111e9c8
SHA1 8cd537a621659c289f0707bad94719b5782ddb1f
SHA256 cc2786e1f9910a9d811400edcddaf7075195f7a16b216dcbefba3bc7c4f2ae51
SHA512 e116d2d486bc802e99d5ffe83a666d5e324887a65965c7e0d90b238a4ee1db97e28f59aed23e6f968868902d762df06146833be62064c4a74d7c9384dfb0c7f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png

MD5 251a7e1401487e69a415fde9d5128b27
SHA1 9bb2d9b5d93e8f9dfe5337014008bce57b3cdb18
SHA256 d1db33e3ae5c6779e11ecc0ddf3962bf0559582980b5e5a92fd5caf91cb1bff2
SHA512 b572720338c60d4c27870e563145269d62470bd32cfb6ba4dbecc881632273189946d813fb6c6f4ea0539f9f0a6975c89b1bcf7fe7c297a005a4b15d8a4eccd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

MD5 5eba5d7f4a561ec133faf5a6fa54a84c
SHA1 8ec9a9b74632a3b8ce7189f9c58ab3acdf5aaa12
SHA256 0abe90866c4fbc89ae5b4512dde9df1c441a2f5923ee3e7932cf34532a6bf773
SHA512 5730894b7e0e4899ae77f45c6a63e02f4a7757e9f9dfcdd24f1029a72caed7f6a40d5bc52cc711a5b4b4e2ad0567ac25373cc019736fec38ec19235e0fb7396f

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini

MD5 53553242d57214aaa5726a09b05fe7bc
SHA1 931613845dd0e72f1b1a5ba0c89f1c34e5cc089d
SHA256 1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802
SHA512 dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{33F93EA4-D0C4-11EE-93CC-729E5AF85804}.dat

MD5 b4202f7fe985b9648b4676e6f70832bd
SHA1 d37c2b3927946ed617455b3c5913fcab0bc1af52
SHA256 6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10
SHA512 447ea3de41bc400836a5a3df01efe61c2b3d5d646e9310f399c4842c5268d96042d8432d85fde19dcc8f43a2243626e9de850c9ce37d46fe0d0dd0fe5b2b6a88

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 897208d5df122e307ab837d982b2c085
SHA1 cf4ca14a7adcbc197cd84c1997efdd076911d608
SHA256 eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4
SHA512 b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini

MD5 68cf4c147c95c7e6a1e5a6ee6dc7a185
SHA1 4204d04da17eea4650c1e921106988ea61c97d40
SHA256 c38f1294a259a7e943728e76d1a9d2e0992d22f4cebf6de1fb42204e7126d19a
SHA512 94dc7f770068c869ac5471148e7ce30670a0bde0014c98a295b4c9b68bb5aba33d39fde081be849c625f501bbd66014214e2c5561b8c0c0deba02e9c788ef098

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 6df9012b2b7cb3c55963499a26309bba
SHA1 6d7aaa7d2bcca4a8758b398ab7617839203c828a
SHA256 80bd5cb5a9ca35dcdea1d59b5f1778f4114f6215af38004a02a99a1d37383648
SHA512 32aa05aca47a17b6afdbadabe83e929e5a55777c5f5ddb0c854ae78ef403a2baeda46e7f1f1fd7de5237749f43d5f8ce0c95e260ef25e27e20cbdffde41bcaf6

C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

MD5 3561c0dffdb90248fa1fc2d4fb86f08a
SHA1 f68f30ee52133e400606a6be91d2d982388b43a2
SHA256 4fea5e6a3ec5f5474a26d858bc77b6d7bd3ab864ea02d988683fdc648602b248
SHA512 6b83e8fc9a2ad34694319eff2972435d2facffb23f6e5d6b2eb7381bd9012a489912c56ab6dfce07ca387b777496f612e63842aa294a208f5360077f37e87b1d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpset

MD5 654285e76e3062621bb2a7abadeb9214
SHA1 90514492cfadee2303e64fe5bb1c852fc7caf2bc
SHA256 6c2b87f2b54344778d2eb7f85ae86f2079206f40d185896f7dd3df446533e8a1
SHA512 2ddd07e926504fa628db2e422ed2975fe4d0d99f8effbe43025e19634ad34b7f54b5de7be5dd32972377fe67c5a6d8436c525a1fc9db2d8ccfe676c1d9084c99

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

MD5 c3eef41f29629d2c7796d9c3ee638df3
SHA1 65c07cdd1c2108cb27649aad8690f2643d018e41
SHA256 04893027370077030b48fd90535706dedb3b2d31e4f6ce5bfbcd1c8578017383
SHA512 96898187fe2e319b120c3026a300b06109bc1c9720660a30d8a3705d7cf58f37162d61e904f64b798c4368e4716c3adbbbdb8d047dae4822c131f4526d5b331b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76

MD5 5d52c133dbb0c7dda6de26ed1ca2c54d
SHA1 d61596a342190277c0440fb1eaa096e22ec92a23
SHA256 913c6e2c32d99e4baff62cf421a494730cb043924f2c6bf46406573b59c641bd
SHA512 60bbc39283fa13b09473078627965c153aa35cc330bf37ad9b0827725b1f0fa81e72378d0b88194641cf2c4777a9c4148e6925df180d1315f7b674b860a3d944

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d2a70550489de356a2cd6bfc40711204
SHA1 02ec1f60b2e76741dd9848ac432057ff9d58d750
SHA256 e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293
SHA512 2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.Admin\times.json

MD5 0d7db7ff842f89a36b58fa2541de2a6c
SHA1 50f3b486f99fb22648d26870e7a5cba01caed3da
SHA256 140eda45fe001c0fe47edd7fc509ff1882d46fbcb7c7437d893c1fb83012e433
SHA512 6e6570a7cc802760730db659a4ede4221ac2cd944f4b0d97b0a5c8a9f2a072899e3c3fc5dac336b53f8accde81cbeeca6c5998a1471a2f91eb60e3e13620368d

C:\Users\Admin\Downloads\desktop.ini

MD5 65fe580cf845ed035c4e57ad02a987cf
SHA1 6a7fc08e53675bd325b0e6426eec4ce52db7f2a6
SHA256 4afd6e7f6ef862c727cf5780abfde2094eb56e93383b6e9d4cb7fae81dd17cd1
SHA512 bbc34c4f8892aaae0831e02cdc146ffca22efff5e70601bafa084bb0824e88c87fd20988e602fdcf649ba0322ea1d74cdd5bc7805525987c4115096173e33b76

C:\Users\Admin\Favorites\Links for United States\desktop.ini

MD5 59763dea4943fa0a7ec51296d5f2c7b3
SHA1 c3b3795c396c3f64ac68d9304f97b34adfdbf206
SHA256 6eb69e26de2a26eda48af77d4cec893aa0cf4748a64cbefcfe11a22c1e680ad9
SHA512 92c41f07d1aad07acbe943f36731f4739b5bd84822f660459e464262d45f4970203210180655683feb51868735d9deaaf37fb8308d415376bc631ce887b94fdd

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk

MD5 25a495be8250cc90b02a483e82df99c6
SHA1 0f8ca0d9fa83bb38a8a400a893185e589a968742
SHA256 ba1d859d62b101dc263d6834aaa81378941736dfab33b15243a4bf3b45691735
SHA512 6926347d0da33ecdf2af9d5ef5966f2108da941447c4e33ca90eeebf82a4171a1439bb3b285c31387e08b5fbd964851fd98d4c352975802de74ce02b03b7bd0d

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 6ef918fec6062ec3fa9aec3515ff22e9
SHA1 7b97afba8180e32e17cf04e2ebc14306fbd37a63
SHA256 9df18e83bfce0d614cee8a1ce8ab9500f4fc8c1b39f41acb9b7caaa317fb55f2
SHA512 03c347f8c31b3aed7c3b73450b774fac8a917d2ce7ee9bb58e9da6c3121dd6fd88334ce9ddb56404c1d9c9a964319808577f62855d559a66606537651780b7b0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

MD5 9081505b52708b1cf5f639883942d813
SHA1 1efd3054cc8a59abfc3e52f5aa5702c8fb18b0d5
SHA256 5cad8b3db8fbb29e0cabbd785e1e3449ebcd5b04544cde14c93812a93860cc47
SHA512 23b0249a981614c2ac604fa68be9876919513ebddff84aa08e98f05495531f0c4ff7f1dcf19e2b7d9b6040c65e96dc3c210a695f66b20c25b020461cb9c116d0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk

MD5 393017b9101a884b66d64849d99a7d05
SHA1 6fbef1dbdae7b9c1eb817a8c762704f4301192da
SHA256 fb701ba16878b120e90469d8238b8765f8a157f6aabf76d94fd6aa09b591cf93
SHA512 175fcd4da63f57f127b2382965a38a9359fee7f7a694803bd4f76e8715ac9c607e6ea863b2d938514e727f539613b7e93ed3110c47b30ff4530c3e142237c555

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk

MD5 1477fccb6f5105178b8a4959217a35a0
SHA1 c66fa5d6d133a7cb7247edd1b32fc6b82dec3dd9
SHA256 118980fc1bef9a9da8a06e2a864d3f5f5573b37786bac8709746a8ca26a12523
SHA512 1715a141037d97e12c98f91a62bd44e76364af02e8ad5024699e9dc3951d005eb3471de1bde3569a61af8e5127883cc1133b6274928bde3c5ad5840e36ee764a

C:\info.hta

MD5 fcaf37cef32a86f33afab4a363f65c8d
SHA1 be159b6c8f1f8730e8506e5c46dfc1ddb78d3f01
SHA256 f71c6716517cfcc1792e0273a9c6fa9fc0869df58252636e24c22ae310454485
SHA512 3329e5a1b07746a95379bd9c63bb3dda2ebbf33968dff394f24d727a1c63d6e0684343c857f354ce0d5aa1c40e41d44a48ff5354833c6ac6fdf3b236332fda93

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 15:28

Reported

2024-05-06 15:31

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (508) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\concrt140_app.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jpeg.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareMainPage.xaml C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Concrete.jpg C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-150.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxc C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up.gif C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF.id[978DDC5C-3412].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4536 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 4536 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 4536 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe
PID 5004 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5024 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3712 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3712 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3712 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3712 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3712 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3712 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3712 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3712 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3712 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3712 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5024 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5024 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5004 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 5004 wrote to memory of 5436 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 5436 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe C:\Windows\system32\cmd.exe
PID 5436 wrote to memory of 5600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5436 wrote to memory of 5600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5436 wrote to memory of 5820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5436 wrote to memory of 5820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5436 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5436 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5436 wrote to memory of 5396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5436 wrote to memory of 5396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5436 wrote to memory of 5824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5436 wrote to memory of 5824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-06_6ab66a317bb18bdaf52c2205846e382e_neshta_phobos.exe

MD5 cf75ecb15b317f6777c036f252a1681d
SHA1 5085b9b84a863695c3e1a07494ef8e7bf7e58af3
SHA256 aec0eea085755d852262e51c7319c31b4e9ea236a5ef354a80cfaf283dac3ef3
SHA512 8c267609453292d086ea024474d7270e765ff1a15e8f068b358ee193a75898a5ea37ed00156da4160bd0d9143ad8dde2af418bd06b64e0fe0b10e8e8dd354e91

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Program Files\7-Zip\7z.dll.id[978DDC5C-3412].[[email protected]].Elbie

MD5 8aa8f2820be58c17d9e31824e102accc
SHA1 cbed933c2356eb323b6699611c055bd108090aa1
SHA256 2afcebe95f97bf2c0c0f1ea1b82c8cee997bae1ea901ada1ec4b3d5bb358d011
SHA512 0818110e07df5cc29a51dc14b0dbb2d6084834cd14610fe9230a29499b1486c621f00deb530dfc97fb2a3daae4b4ab1f74770845efe67d606331959f6f4c3f4b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

memory/4536-1941-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md

MD5 ddc4cb14453391bcb5f4d645b2916a6c
SHA1 c4738d174c90c285e17bf51a9218256f45f96ea7
SHA256 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb
SHA512 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 c5b7a97bda04c48435a145f2d1f9bb42
SHA1 bd94219a79987af3e4d4ce45b07edc2230aaf655
SHA256 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0
SHA512 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

MD5 809457c05fe696f5d34ac5ac8768cdd4
SHA1 a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA256 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA512 cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

memory/4536-8581-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK

MD5 b9205d5c0a413e022f6c36d4bdfa0750
SHA1 f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA512 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK

MD5 301657e2669b4c76979a15f801cc2adf
SHA1 f7430efc590e79b847ab97b6e429cd07ef886726
SHA256 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512 e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html

MD5 3be680b6a8edfdeed37bf5068a37dccd
SHA1 75bc261fc558634731e683e431e4a31c5b463107
SHA256 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4
SHA512 a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21

memory/4536-15439-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

MD5 3f08f2e23dc44990f0ef9b9869351758
SHA1 8026b7e51c8b3fceeaed6d1c2a6671b63249e183
SHA256 75cce63070db3d924f709518399ada2531d12adec577bff86f23be7ea392bb3d
SHA512 086645cb6611bb2c32b73297b35ba642d6720c18e4da66cad9e1e5902aabf631320407e19be9920b1dd264299ba57c1bd2aa6310c2f9e08c997b2698c4aae68a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5 373b9867b887f31f6633fb9521186f09
SHA1 7fba8b64856bad19abd4440ea363a10655aa7c64
SHA256 d2b08396b3cf189d3ceacd267856affc4f88667526464941093d7f9ff4baa0b9
SHA512 4a342a715254c6b40f99d80c3babd4186142fa31483ef0f7f0716a94993bdff0e177613e700752ef122a0dd06998def221034477288c75d5604faf2a3a264cd8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5 3a83a5a32b93f0697e4e0bcb7937cf1d
SHA1 84c7d21073750f8b99b55cdbc76c4c8ebb190aad
SHA256 da174ba080de04aa46d1879aa3d9518acb1d0b1caf47ee8de24f475f0a393db7
SHA512 9ff26b807d84052e09becb7b558cc57bcbe255d5e067cf1b63a4ff28792527193598092e3781c81f8d6bfae8d955a7033df8a4848b58ee075cc85a046c102e76

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

MD5 1f2faf4cfe37cd2c874c9646121c214a
SHA1 acd0b74b2a39f2b58c2a45c1c4d29e0573f7d638
SHA256 666a4b362d5a895ce7e20c15a8743ef6d838bcea568619f8d4a607338617c1c2
SHA512 2ca20ca809338d248b76ee0fa30789ab173d8176f7c0d957f3ffedd8780643e7ee89653aebc7d2c1059ef725494f402b51e36d87f625bef3665488ba1c04cf13

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5 653db5ac62885afbbb6beb8d9b37d1fa
SHA1 fbda33796bf1361370ab8522dc183dc2488ceb43
SHA256 62571d01ae54336ce6ef87176a276c80605efe45ec6abac9bbe6adcb08605544
SHA512 cd28ce095929df77e650c9f71ecbde1af78262c92ad09b5cb43e06b99b0d80301336a194c30bd2be93d6cec625f0cb131f3ef3e41ba688258917671b486f47ce

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 94693443bc5c3d9110257977a7d6109f
SHA1 de1f1f5893f5df4d6ab667407f957c2479fa4ca5
SHA256 71f1bfcb873daadb976316f3f4bace93b9a296dd7fb9949d6b572d1fd55e5302
SHA512 07c2bbac51cea408440f058f8cdebd45d683afda89f6fff873bffb1900fa620d15516bdc6149fff7f87a1866aa3b0a6fe4c0f5b2bb68b589a72eb32f078c2e8b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5 1f40eec06bdcc9e949b1259c5e61991a
SHA1 2cd91e12afb44b2ca62e9e82e95aed01fbca00c1
SHA256 cc43063ba6f50fb20a2632be4fd156d388c4ca6d527594c70477f5c4b6e13795
SHA512 cffc55896afe44dd3ee213425ac1bca9e9104ecc9e283844709764a828acafd314d251e14a78cf8062d58447a20b59ec340159264e290b779bfbac7557b4d636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

MD5 cf9ffb7ea7001f26fcb3d5f6da2aed64
SHA1 479e5310378d1e773e4b38cedaa5266eb82cf79b
SHA256 a4a5394541eb8a08d54a354f9cb445e577e54d22ee3679391f9c0ca07672fcc2
SHA512 1af42e32c203aec582a0f561297c1338cdf92be5b46a02984515a6c4ca5cf45429c79972f8e1ab5f1a2cc0162ea5e61995f01c3179f303a5c95419e360139736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5 33ff04415f2d8f2a29ff3908429a3c23
SHA1 294ea591d235a728e5023397e1aa32e7f9cce2d8
SHA256 e3fbb185f7debf1ab7dbb0bea1c19b69473806855bb8efb267606baa3b01964f
SHA512 99b14b21d06ba857b43d9b6db6a11c6feb95e6f279e8f7aa182d92a2688bb2f946c75cdd7b4849d937944b1f164e22f1ce4cf1c6352367b47b22cfc800c33d52

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5 69e4ba1f83980700b6676a20dbf7b3d0
SHA1 030edea5f616be1bddd9af64a23aed89f5e14d5f
SHA256 b5ed2baef8e4752fa2f84d711597c0b9db1d501daa501067c5345d8cc2c73a6a
SHA512 abcad716ffc648bfb6380125e9e1f2f728e39b380ed6757961fb8f4c3b87506e70db0f7a0dbc69636b6c7c75cedc978cb4e917b63db1e22f97b29de9e3a72267

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

MD5 ddd0389389450f55ce1a1154fc6caca2
SHA1 7dde57eb3afe8d0f1d413c278e342604e1df2427
SHA256 aea9fd9958934efe57f14b2e375af4bea0acb728a61a8ee3664efa938cb840bc
SHA512 e6e3efec88f74a862371e3a20404ea043f12b1a86f84db25dfc3eabc185b32713b8c168b7ba285fe2d7ac8bb1900ba421a4b1e49b78b6eb36a09478afd7bba38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

MD5 99b3746216eee4e4fbac72f6ac7f44a9
SHA1 dc6b71ff33e212fbd445b1e9b86e638c7521f2f3
SHA256 515af2ceff47f4bf09a46f15947658e4fea6c8ea078f7cf597fa6d7525142c80
SHA512 ac10c544934bb6f0e8a018fb0dca37b02afdbf2844797c4786481672bbd52467e2e001c8638a2eafd9eb9486c968ad85d97a976ecf6fec88357503d004c5e876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

MD5 653aeebc98df7ee6e7867b25e835e3c1
SHA1 bca711524516bfe85d7aee7a83516a41dbaf165a
SHA256 aee0bc18d855eada25b25016845447b51b9a885755ff85c7db9954419ab9f848
SHA512 a9cd010e20ebbe3120515ffbb161a8326aace09b9a07c729e1a7723be99423102d47e6c9e94db7f3161ee13583e7c205cd8108e0e4c2c9a42a362746dd454fb4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5 95610f9dcded01432d179f76a715400f
SHA1 435b7845b5dc5c1d3348640277a231be146ff646
SHA256 4f97cdcbaf61c668233cb0ffe7a4868e287bfa2ba969760ef70c20a703354dd3
SHA512 de4b305b541a1511780e6bc3a759fc1c64addb96290decc9fba6d4ea42a320aa422c8ed55a7b7fc91d308491f711243b42cdecad47c39c47cbd418106a8ee0f8

memory/4536-20427-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png

MD5 eedd2d13e3671d589714446755b78b38
SHA1 2fdd23507187a259f5a7edb01611a37b6b09f4da
SHA256 467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d
SHA512 ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg

MD5 b651e9101be833e87337050028831efd
SHA1 ee594ba38a6324369ffc7b4dc89407d3436e34d9
SHA256 4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619
SHA512 3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

MD5 1bf37c0336c12ccaa1c62386acacc858
SHA1 f1e187c79588e4e9fce931997443d7e5cafd1db6
SHA256 a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673
SHA512 f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg

MD5 81cfb9735fea15ca8791a3c34a78d992
SHA1 9b4962166a47f5edc62e5fe3c4f8772446db9296
SHA256 3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8
SHA512 f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg

MD5 55215e8f92d35f26cca06fa9d5d221e9
SHA1 994838c8df5921e3828749a7703ebfa8383e43b6
SHA256 e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae
SHA512 7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg

MD5 cd5d2472a2bf9ac7eb4e15146b30bd2f
SHA1 bca600423f99b87df44fde9d96ff874017037afe
SHA256 038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c
SHA512 dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg

MD5 30c9bd1aee3794fd46bc99fc2a359212
SHA1 9817640da0b98babc461d277a39b323dc9a76cd3
SHA256 4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d
SHA512 bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg

MD5 0498cfb8aae1383c049e8ccdd85f3abf
SHA1 c5fbfcc70b441e91a5ecd23295c745aaf076aa4d
SHA256 ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c
SHA512 113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg

MD5 3f16cc51cf788a50e6cc1ae60897bbf7
SHA1 e5a8c8f5227ca6da79589192892e81b6a3f43686
SHA256 30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d
SHA512 17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg

MD5 2807924fc18c958c38a7004a5dbd4091
SHA1 85534040543c3306284e6a475999c46249a35e4b
SHA256 0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500
SHA512 264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif

MD5 e3c4dd21a9171fd39d208efa09bf7883
SHA1 9438e360f578e12c0e0e8ed28e2c125c1cefee16
SHA256 d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb
SHA512 2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js

MD5 0d3a12fd3f68decc694da04b57e61d8c
SHA1 f73d4d591f6ef0b2b04fc90d2e840329f7590743
SHA256 ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76
SHA512 2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js

MD5 68b6f0644d50595a97c9fd60b8d8e697
SHA1 a4d0edf9264ce1922dc419c7f3b3cedb2814bea7
SHA256 bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f
SHA512 d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js

MD5 dd24e91615f1963a5c64bc9878a0a8d5
SHA1 407ece3322d57d16a448b5522d4f29229f80b8b1
SHA256 4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33
SHA512 a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 3f7323acc829bc8b3799148d439b3d47
SHA1 3d3c540c4080462a8013d6db9383ad69606779e8
SHA256 d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0
SHA512 09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

MD5 a778c47dd8521d6a12093b3e97ed8474
SHA1 2099d940cc672373884e1c622bbb606e9e9438b9
SHA256 d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6
SHA512 7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

MD5 65c9f3fb24b80d8c470d518f901b9c60
SHA1 b9521c39944357d4b55b91f9f3739575d1f3bef1
SHA256 8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6
SHA512 6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

MD5 fb4aa89fb89bf94d0590a3174d1193ff
SHA1 c3812f2105099071c24141a994a9d5087199dbf7
SHA256 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273
SHA512 a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

MD5 7ab2ac51d33778dac850c5dd8b4ba45d
SHA1 b3f47f20c438aa488fe835e0145c014853ee48aa
SHA256 ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc
SHA512 c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js

MD5 07bcf4e882ae521ec6ddfd0bb2a608db
SHA1 88e2ab25dec6ba9fedced9bbd21da03639da9409
SHA256 bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6
SHA512 ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

MD5 0ec670fd70f5e89c3d2727df9f2a5398
SHA1 d19c88c8e11361d4f29719518b8543e0ecf5ff09
SHA256 8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3
SHA512 a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

MD5 c7fc95def1d53bd3e747248ecbd3cd5e
SHA1 1b251f02465f9c7dce91aac5aa0679a3c34318e8
SHA256 4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5
SHA512 f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

MD5 2a78f84427d1d591409740722e60d793
SHA1 304f17d9c56e79b95f6c337dab88709d4f9b61f0
SHA256 4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6
SHA512 d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js

MD5 1ea3b76135bb4a589027d6243075a936
SHA1 2951fdafcb862ef53fcf213572368bd5e08094ad
SHA256 c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b
SHA512 3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

MD5 6cbbe3240a203b0ff387d9bbdadd49ef
SHA1 2c65f6ea9acd8d164ece87edf2f142942d8cdb42
SHA256 7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1
SHA512 cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png

MD5 b513ae819f7d8d10fa4f6cbfdf055b22
SHA1 b4228971cceadd4a698f3c206d8f4bc24a37f991
SHA256 25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7
SHA512 c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

MD5 b17a6a8826832fc2e1098d0286242861
SHA1 8ce2bb5944d61be2b628fc80ebabc769768e0b48
SHA256 82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f
SHA512 688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

MD5 651bcf535ed50ffa7724c8751bec1a66
SHA1 5758c4862740517ba28026c298d1b3a61f43716d
SHA256 359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e
SHA512 492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

MD5 bec4473fc43b77e28e60f89da4e29c00
SHA1 d5dbc7c6642a8a23da14f952a0f64fe874e8191b
SHA256 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96
SHA512 ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js

MD5 d3e4c2fefeea6e6c467df305f7a8f3af
SHA1 a4468bf4d5abcb4d720b0fefb396dce5864e4717
SHA256 e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22
SHA512 b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js

MD5 a3f07671642038caece41ff2a52d8673
SHA1 53442624b01b79a3729a23d4f12efc8dae4b1002
SHA256 088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89
SHA512 5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

MD5 df3b4d35decc08d05ef8ee0644ab7274
SHA1 6b0381b9ee40dc8470a63218e5cc5feb579f7334
SHA256 e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164
SHA512 257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 39e7048d412b94bb2dad145a2daa5875
SHA1 08778bbd84d9411f2e531867dffe45fee5d60d24
SHA256 4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7
SHA512 65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

MD5 74ca2c01b07af0dda4bb39ac330fc49c
SHA1 7cc7781cca7798ce0940fe9be999e85f8b5064e1
SHA256 ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c
SHA512 cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

MD5 92f1f77de0ce17e9486d53787f69618e
SHA1 41198fdd6a18321c15c3d4647962e687fc036af6
SHA256 4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6
SHA512 b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

MD5 72542b122d453927f3d6c59552165606
SHA1 6e2b7f049b60f10edcdec06f357114448c0896f8
SHA256 3b17f8b83bec3e72acd0d014f58e7de206106a7644bf3293f93c7456ced47419
SHA512 25eade5c88cc35325978ba2e103050608fed4330a1677280eb2e0445946a3367d26796ca1233aa6d7ec4c87f04faf7706d82c72b3f3485d80c18e088813f7a1f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png

MD5 3d55e1e012d3824e53e84d404a6e2f2e
SHA1 9983296698d4e2736faf1c529e8d27f8071d7939
SHA256 6559f403524ea6ef9bf2e1d0bb66d1af8152920fb002ec2c4ced993083124a88
SHA512 ec75d4dea30bf7567b2f6e30ffed408815c57680a38659f6055d770c85393d8a5678d38a066ceb7fd0ff9c5ef49cf9fd73d7e8eae5a9a83360a41ca74343f576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 421cd12b43e660f10da31bee36e85f4b
SHA1 b568bb931d5bf4b5805d20fc339b06f9b3763c9d
SHA256 ce7c16adff608d624a412164fdc692305fb461f4b14f9167e6efa78dbbad12ba
SHA512 f56bf5a7a713cbf018203c24a7f9dd426a2cf018cb3ddf9e27f3a7765be3571339421fa5a2cc68f677eb4929a2a2835238a723db4de07bb0634e3f151878ac86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

MD5 7d8302df4582de342a31d0335e979ae7
SHA1 7a3e918e23dc8002dfbe1695f8e8fd52db995d1f
SHA256 899ad5e0b3501d7e00d2f3bd3c7729b4223839e8629c61328db0f818ba0870c9
SHA512 cbc23b3285f6d8d72221d0fc05ff59336402005e7d3f50d66249ef6076648ec2e22d33ed64f5436767c123f59d37dae45270a259153ed98b885f9c43ec9bc2aa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

MD5 0900039f6502c5c4418f5b712f0dc94e
SHA1 cb39e28be0988298003a966ac208c54f83a6ae27
SHA256 7037318dbcb8809fd3d03ab0293d58666df18363f0144ef65b738ca3fbe028f0
SHA512 be9fc36c81963737569c65e4f295f347585bcec88b4fa6ef9da1478f4e0f947b64b8ccaaffb816a74216f713060ae0a56f58c3bea1d12b16bb8488a7663db391

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js

MD5 35d5c7b80ed270a94872c0e56a6c59c6
SHA1 bbc4ed04ea6c922213d7cc19c62c3c4cd23b7113
SHA256 5c03e31975b96b3d151d9e034b884cab9c6fb29576d2b5653c375fc5661b6dd1
SHA512 57ec341f6ff49f24516e117d5c0b119ba4c62dc0537cfcaa15bbba248729c06d29ca224462bb331c44ff1b3abd724df86d0b2ec473ae9f5d54e31ae2002e8bdd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js

MD5 29dbb24810bdd7f802c1165f8bc3a714
SHA1 9ed5ed2ea58cb6d9196e8d88fccdd8f0d522ea47
SHA256 c9fdf06266cf9e6d61f7989471abe569239a93cc2c0f65a7c596a81af8d6a67f
SHA512 3802320bcf7b20a6656460456d5b03ac4f85e4572d7530518dcf99f28162964adc211c5adcfb7ace603b6734271581cea26c9e85821b88b1915e13780a19ec24

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

MD5 b54b9c5d611b062aea9d8ec0d192335d
SHA1 a6a96602b80181ef494a0da49dacae1c44f7c739
SHA256 d70a13e9b9e9f4026679200872160d667979bd0ae57e6527d44090e49bbc2c83
SHA512 e56e4a0dba26c3bd824bcd397d495249466a3732bbe1466f9ed1c23ec3a25d79e44e360fb5ee5a229fb24d6961ac32a2a57d0a29fe669e767bd33b956f57ebf5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

MD5 7a232b079f30771ada44ab6a1843ec14
SHA1 72349db2853443af021d538be9417fe32369d2ab
SHA256 e33edcde1654c47b3f834797623932ff5dd99a4331b255b60452d69d61ccfb4c
SHA512 431073f497196ad03ba92a8087aa6c50717ae137b05aba341cd8f7ec1705b46f2878b30455c10d7339f89ef16022ca5d054b0f96e5956ef0590121ad8e1a6638

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

MD5 3b8883ab58438b245c89bc76ee848752
SHA1 7b01b457344fcf92362d14247f2c389ed0c89b6c
SHA256 b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697
SHA512 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

MD5 edbd91ead174c60fdacb765349ea4fcf
SHA1 e55660206658be80e2033a93abd8854653246eea
SHA256 dfd68e26d32c27e8c7d096cd558b12da3228019525baaa2d4b32030339fb0b6a
SHA512 9c664370c6c102a0e6992f2fe711e7fe7f6ac732a8562bcc1839a0d99d828e4ab0b3dc70f33f3cba444d04161d0df13b70e72b9079c5aabc7a85543168d58854

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 ffaab524b0c94fd06a44c1b5b683e0dc
SHA1 17dcce5e4d3b9f718c902863652cb67e060e2f3e
SHA256 d0a34414103960973357a239952bb0fab5f988ccda1b67ff8e6864afcd806272
SHA512 a7ecbd3e9656cb0fc1304b4b86980e97680c73b673c4284bbca08c4a3f3ade0699a7de61f0905aee9d521da4beaed61d3ec943090ecc44833118f1f5a29318ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

MD5 5af99e838bada8e34b660d7fcecae2bf
SHA1 ead4e402f4696ede69adb3e4cd694e7d52925844
SHA256 e3f604ce27fb93d417b9e8a4a5f10f6fd17b59a76aad9754ea0cc5c56b31687a
SHA512 e69f6f12a51382491b4bec6f19260df249dc6dd9a33fc590a90a055baa5f6dcc80894e2c65ecc7dd0d10040c90740dcfcd2f98dbd1f2fbd94c34941897f6ecd9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 45ad813c887294a1c5c88358f6e6fd12
SHA1 45266d0bda31888b67b10c601d303caca8786d30
SHA256 91ed5badd0d99f45c65c0ccdec04fc59fffb1f6d055a4d2722dccde82a6bb73b
SHA512 b06ab5889fdf50735ff0c3cfcac3e526b9f32d694ac631e7c2a06eceff357f17e92540df5f84426f8e8f75726c1e7df3592f1620728b70a4b5290c9e49e377f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg

MD5 9b4c8a5e36d3be7e2c4b1d75ded8c8a1
SHA1 1f884298931bc1126e693e30955855f19447d508
SHA256 ad47fd9e87159d651a53b3dfba3ef200684a9ed88c2528b62e18f3881fe203b0
SHA512 e1acc0b10c92c2895fc916fc8feead869e04315e5e6e279f8e61b344545103b4c9ff808c9ca2121d1b013879071364f677da128caeba89bf918ec2791e5ed094

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

MD5 5c4cbc56377969e41dcf39d60690feeb
SHA1 a20120d0d043af4d3b6a72db517ab8a623b3febc
SHA256 c0601bc1bac97e69da3ef3e2898aafe64aec5ae4f3ccbdb7649471f76da4ca0e
SHA512 4accc91aeb47949f1137ac69a0740a25c957853f59ff8d18077e64b1a3262488b71fc4bd45714075a0652328e1a49a602c7950b86edabbbd7e5abbd9000b705f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

MD5 5991993dd41d6d2b062d58bb70971e0c
SHA1 1a75ce12ef1c4cb6a85225d0bf4f68d4a3edfce5
SHA256 bd66e8f62d34f70917102405af895c0b07b79c13fd2d1ea65ebfba3bd4853aeb
SHA512 75511589b1937aca668348061728734718d02065ae76446b61e3292834709e3b66f2a453717fd593a8fa1db92ad7b97af03f7d2e7f5538716582ae7d8c11e09b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 4eefd60f439096ed98b6d8a585da12ef
SHA1 75cb70498807b0c823cac760e00652842c1a63c3
SHA256 e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c
SHA512 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

MD5 6018a4862e3cc6b434d517a47858a2bf
SHA1 23769e9ae485bb2c35630db9a6ecc8a40c2207cf
SHA256 fde09d85ac7ec84dc0b5f2bf1c1f935b80a3e45dd9257af499d412302602f310
SHA512 4fae17ef027649315cbc73ea47a2fbdd8c8c05b9d818af5b41439e9e5fd81d62ce13f6ad125a2817d0bb4b24a831358803c53003628520cb9c2a8376ac8e1aa3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

MD5 f2f1d5a683617b2bdb6cb0b1eae67135
SHA1 3e0dda160b0f8b963dde8036b45aabab5d86504f
SHA256 96497e49c11ebeb0f73bc01b033b7f45cd9f8eee478176e11b1c7342efa63569
SHA512 cc9688ee19a6391296abbae9fb1422a6d72d87b7abe8552e860eeb092f8cf7e6864a7f06dae6a60784b77353c38103abd3632492f8b33b7b3d900531cdb673b2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 a7a19c86ac01e03111c30032ba417b55
SHA1 fd7f42ef37d82cf1704b65762a8bc6b4a868234d
SHA256 494032a3293df271c7cc5d26a5753acffc5f6df811d024e9b573f2fa380f3591
SHA512 728d4755dd7d21c5ca285906d5f043728fd089de42d2fd04beb514563224104f7672e5f5144e4ed68770b933dd1069d76b26d140eb692d83d907176330f3f6dd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js

MD5 cf69901e6d4609009dff8be5b3045c96
SHA1 712afbf4bdf24b6fa059f0fcd837449d75432800
SHA256 16d0edc8b7ad7705b23a14058f366ff1c0dfa16a0ad14f741924c308754cf8d1
SHA512 84b63e071f56e8e406fe361473dfd6eb17daec1809eed425b1b977f0135d6a78a3375c9bd1a65daf1ac7977f712b63ed735eac8ebc91e55c1a3f366e288a9ed6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg

MD5 8c8fd1cfdc60f513bf20132a1d5aeea2
SHA1 40167e542ddfd848fd138e2914dbb7f116a8f99f
SHA256 f438a4e713df6a982afbe2eec993cd582edc37a876fee88e1ddabb478f2b5ee0
SHA512 e5a985404619bebfb615d4b5378942b56089b40170e4072c61eb9ddf722639941e820f039437b59cd3859944b3e06ed72ee49e879522e81fd9d49b56c8e40d35

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png

MD5 5e0d423694dc87169e1124f26d755117
SHA1 340b47ffc7ffe45c30ce927f1c839d01600f6161
SHA256 68df674391ddb32170020e5b55b8df9ac1bb5274419dbf8748ce53efb18584cf
SHA512 17ace592b7b00dd530d923711160c39417b6c6412c3528cecb002fc065a16dc439555f61e4f6de7ac86291cd9cac5f5ea8411bec8ffe043faba887026fd2ec77

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 8ab4b211dc3d2947d2466033f6d524f7
SHA1 7c457aa6cb3b704da3c977bbcf3953c3c1a7a7bb
SHA256 5bc633d52bc4345c9cc4ea7cf49422a85a9fe401faf3239ef72b53aa0dd667ee
SHA512 0b7e9cda1a82a15fc9492a35808bd1ea43966cf5e55d84b9831f79d64f36a66583a14f0ba95eb12098bf9df6a95eef0bec6606aba1cf56bdee0e046aa60f8d5f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg

MD5 2518c2304a390e60d20b53b101fc0056
SHA1 aae24d58011859ff6986508882dd7eecaaa7f604
SHA256 03e98670a1d9049b8e1f02c4fdd449d098465f7578ee0eebfaf3f138a78301ae
SHA512 b7457acf824d68e7728088668cd8d44e06566dc71d156db7e9480b957305f2268778907a8e93e4e2d1937b3c3cbfeeb327399cd7f33a60274d91efab2ec3f534

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

MD5 6b0a4731a12f99ceab2a3a60aa2062d7
SHA1 22105cea1a8f82d2825ce76553abffe85687e804
SHA256 da0864d98fa6599601257e4d098d40dd2a3611382f66baabf5b4bbde70c5167a
SHA512 b8425eb8d548226e06e6272eb77ab6ea54549f6897881122ea437521a13acd219ee63ad0af0bdc1a107adbdfbbf92b4fbd524b5b2813a5176366eb6f7ecaac1e

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 9c59ddbd6efb94149ccba07c086de145
SHA1 e2c98419b84e37c1c4a394b8ec6451072a1b8dc4
SHA256 dec84d95197eb2c166e8a47b085b02ec2d21dd7b2f0d657d832b4f38dd257e5c
SHA512 2355f97c7435734a675f1a25068f0a77fab08e29868c82b107813626ee8f705dedf63500bc6ee5e898451de147d9a0d999217385a42050f9a7ef071974b1809e

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 d898745feadc433e88f150481184f0b9
SHA1 114b2cca045890b72dfb7dc7abbe7878be5626b4
SHA256 9a265e8bae92ef6eee0c931d32bd13c843d3c49926a0e7fc8d7735972f28e381
SHA512 7faf47d247c58bbf5167ed8bc1dfaab0d01b585a911b69621efd1719fc81bb202cd512855389aeb965927aa0e15e25ba7ddc9aa05422c17f3dbffc80a15dda74

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

MD5 c107f93db71d6562cea157d4f5c761ec
SHA1 747ab8822bbea5e1580d38a3f270048223123758
SHA256 eb1a06f1463f499bb148fbfa0a46b5cefe7e2b2648ce8af163e095cbe451afa7
SHA512 cffb86819c05d2fa6d00f3f1c21c77800ec0a13fa24025bbe4b49fa16d386bc050c7e96e87e6f2f903f7ddbba516f05b4af55336823ea6ca0153795617a4cadf

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

MD5 8991abd1fce1ec520bafd50a5e04e08f
SHA1 4e85cda9c5a1b64fe7e9b93a217a739d95f40186
SHA256 3a12117fbcde5289c5aa488bb4d304c748607e6725f80abb2031436b33360f1c
SHA512 68c1f0b484448cb8132fc0ab3098311e4fa71f5f2df50c872886329931812b2657c4a4ab2118c9c077f560b1afa8eefd8dc61dec57d655e95f52aff276675a40

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

MD5 b8f31bac1be89bec86839ea45c0b8055
SHA1 27cdfd69fdf474ec4d961c599bcb66ffcf9f3a2c
SHA256 e41ae236411596b566331da7f5f798299db5629cfb05d1b43074f5975efb4c54
SHA512 b7844403a8b1ec7d976372b2c2a84315ee92c00b0d97ee95a264f8ae7c29f9db5e5ee415aab0a5b83f2188997cad3e702395eb1720f80df09c1570bcf35dc1f4

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

MD5 648a2de249b93c97992bfa1b091378b7
SHA1 8ebffecaabc9bd80da4ae8e543dfe2f195eec3e3
SHA256 79cbe36f204b682248295dfc99ba1838b9b473d61c81b0b12811dea9c15e04f2
SHA512 cf4686f2a1efcfcbc87ea64a5a3621de725fea877855fd641bb34f0c898c17d07c6d8396b2e5e2075eaaf36c43060f0d71ec9711047dae56d317ba8e01a07ff3

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe

MD5 24aefd930cd0067bc1bec3a181d14570
SHA1 218c007ee9e37224488dfb849c80f791902d78aa
SHA256 1fc7d0e532af4bd685206932715ccc46019e8333b57adf2e7417fdfa2d756ee9
SHA512 8c9ffc265527391be4972c9d7620f00da4523f4834f9f4fe0ea79537c3f166c5f18d6cd9d5cd5444df2a420fbc1541fc78e29ae10d080413460c08c987dc80eb

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe

MD5 728747e82b337373a05772a52cfb2d9c
SHA1 3dbad154ba7298bcc16ec9c226f52718b778d8b5
SHA256 be1d040714fd32b9a3574d41fdfe407d1f87fdbbc568003ca06258d13d5c7b46
SHA512 0f62926da147a65218a464d096b18c9514370f40b69fd658ad6e56cb5bc8c0f58513c1a55045cd7b805989f66b4572d30c883f42b250848c4054e8a4fd3152cb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

MD5 1b9cc7e46765f3a07113568a76fa2f1f
SHA1 6c7b7494d4cd17c8f2fa99313a0ddadd45bdd471
SHA256 ae5b8d19cc48f20ba8c466e0122ed37279e9ba335d751e9f7bf6e3f5aab608b8
SHA512 fcb61565b91f3d58a207a7893be8ce808bf6d6f582ee353e74de2d284ce81248904b7f7eabc179666764704c386219786599fae61651c071f063a6bd9b5c9746

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 5bfc589d17d6fd6077affdcff278ccb4
SHA1 6ab62ee661fbb8510a5c9dbf1650babace18528b
SHA256 58d5c00fb6c0b65b5b313b96a2fcd5cbf352ae6aa3c1d9d86fda4f73716f7d39
SHA512 85ad6035333de189b8014da3a611854e415e90ebac57d8038103eb429325f2e57d239a774c9bc2d7aa17981b49ac57d36db8a4df575015a9d2057602fd3aa525

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

MD5 85bd227cce35af823b04887a113a0f3c
SHA1 be356b131c3061d5840e249c4d99dc6aca9d61e4
SHA256 951faed1264f3f2ecfb91334347895c55e06a5752aa562dfea600faa4ca0a3f8
SHA512 c127445719721b9ae8abf940139bc03b9a360c2047ca67b4c0559b3fba4398a0c86b82524eab2721e0545781d6d2820a7d53ff5ae5ecbfc15d1cfb3158dc9b80

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

MD5 4aeca83c06a5a1af796ae1f180b0e857
SHA1 7a5f28df56a557383bdec9b044cda077dff8d45e
SHA256 72205b8647834cc8bd60e893627d51ebae6f2afa2d6cff4273ff5f0eebb30418
SHA512 84bd02d8fb608503ca650b9635ddac900cf984157a1fecfbb3c130824546b16e0d64246afe07e84754d2fe029b9df20ebb99d686148433c85f46f2552c8e708d

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

MD5 d7ec8fa051fd1a84482d8c75fd4874b9
SHA1 5feeb949ea637dc6119075a99395dd1264195140
SHA256 119289acb5bb1aaac9b7de849cb67b8019d36a4b863e34043eae264eb578c558
SHA512 a914cdc117f60d3f663a17338f1701caf76481e46d1ded5752d096aea9534bb2a22086976adadd54773dbd6deaacaaca52ade243a15472c317ad25352d7f4a1a

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

MD5 11b808a636ca2514df18d3b8a4e0e6f9
SHA1 77e101fa15da2fc0032a9fb7c4f3e8aa8d426295
SHA256 eadb833ae0dc8e459473e17769228508d0cd2099c9468ddbd7ea18fb2bbf8360
SHA512 664748827ba087b851861f65e7013910fd56347e3b5018891d633d43e4ccbce954267304ad6c952350ffbfcb3f6bce1aff2f38d7dd95d500efc34fc41d566fb1

C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

MD5 6393e803f97c7fca713d899cb9886d18
SHA1 9172e7ae4f35a478cd416ece868cf308d303c3ab
SHA256 e7fe1ff96b2dcb1512bc530e2ac86ded63c495618d18aaf3c3db52e6ea3e2b0b
SHA512 de53203ad785d523124aeea4f5ede064dfa635d13b99db991728976bef4af2fa9afdc17f27a31c2b854a38cd2f37edd2343a2bc14581141217d09495dcac9970

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe

MD5 026c541324e53acd6dd7fa5990f515e7
SHA1 031761f07d0b635f90dd976f5f8e09a4a5e19aa0
SHA256 2468840dcaf48964b4fb38e0b7eaf75f6e9fcb4b39a3c9a518539111eb3cbd22
SHA512 8188bc3a11afc42007501137cf7c220ac488175b75c9718ad65497a0ed4186bef2836a49eaa1fd2c9f63647d58e2dfb73d90a5249ac558b30b1f633adda32eed

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe

MD5 f56016801a5b2519db6b6494fe7ce550
SHA1 9d0ce2450c5159c6a8b1c31378ef1796761c4793
SHA256 e59d39f2567740c96310849df1e9656b804b60e64c5783e0aedce95508fb5d79
SHA512 f22ba79c36d513ced089b5e3a89fdc1e0caa3ab19265fcbf665e99c0575318a4d91682774c7252c8dc3adbb7ae02892ec7bbd9fa975e9d76b411dab4d430bf84

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 110d156de57db59e90a921400208e9e5
SHA1 559f02b3dd1bd410798941999e0cebb9d4b6cb05
SHA256 8f49b140f5c72b0a6a464685cc480accb3a1f1d8e0a4ba5e1924ffe49190d3fa
SHA512 303b8b9f621bb019d056254cdf06c283734f2eae1b55dce5ae41439eac4d7a709a8a7e6fa43ac4b2f8c196f8d0bd540ad80305c0f80dd38f7402388debcea95e

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

MD5 f94e24721d5d2a44dbf8cc1ff8490534
SHA1 efb388e4545423893559f5cda1535a6aa03a9119
SHA256 30d5b4d218a4bda9f512399398e709f8ed152e3936fae3d8f4fab8fbe63d8ffe
SHA512 fed74f83580f2bf8f6fc9155668e673ec5b2fbf18ae484254d040081c60c723fc564e357c8357e1dab3ff68a8b1eaa7e342a2b4bddf7b8d19b34f464c148a56b

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.manifest

MD5 69016e6a597d194701476b8e04d4e028
SHA1 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129
SHA256 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a
SHA512 a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

MD5 41d2ba94f101b0a1d3b5a75834c6b092
SHA1 624241465b47701e8dc9f648dd733f9bc9f1f28a
SHA256 ccddef32c2e8d8d2c724b5fcdf4b93947edf6cf63ffb640b39fb01f03f812741
SHA512 4a1774be6727238973a23e26767e812756cb4c835eac63a98fd4d78a5c4c8db2945301b8c1cfa9f4686cf4094a76f07021c106e645ee71db27726ddfb5862012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe

MD5 af22c5b93018a19409baa48232524a10
SHA1 1906f515eb1f2102db67372e242e4ef2a8593fee
SHA256 0ebc79db8fc1a0a00470e687bc306e6bae988f3a2acf93931cfaa7504575d64e
SHA512 19c5e1e1f8c4f798bd4383ececf00caaf6d9a7e1c437b773af0fdcea2a1cfa0713c0df42a21089b1156b1692fb5bd59b958c1275d0eb9d19c0d81a9d72cdb1fc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe

MD5 85fa05ae73887ca2e9f1d23dc26b53c8
SHA1 c8970885c250c07a274077c9939cba0f9f574820
SHA256 dfbf08de1ade62a9ebf0ebf1caf52e7282a076771ea452103d45329143b66bc5
SHA512 0eadcbb9ceaf9bfc71835c32ad5a1936beeaac671f9d5a219254d9a8aaa1ad1607edc1657bc245985bdab5b6dd9cb6bffa49b314da77077b0d4af00da36dc7f3

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe

MD5 d268c53f7f66ec167aa48db4ec7a3a62
SHA1 2b02321923d1ff8fa803f0c5a42e825d603224ed
SHA256 188c3c02b48db615e6822d026ea9c88ac25ddb7584f9d87df4077d4576c3ef82
SHA512 535d2803106f2e58fb53364c17022bf5ba1400101d1f205acee644001164d1fcadcf96b902de296a346eb9f42fddc8712be51e2e13f24be3567eb64dc73a75d7

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe

MD5 f318e860e4a3abb94a81cdf878ee363f
SHA1 b738d5bf86eff28aaf2ebd6168f797eea767a25e
SHA256 13d9b8fb79a6a1ae3ea6fbf76000d9203268cc476919c729c5d65a794f6fcda1
SHA512 793e7d119ccd3b3b3976acc185cbb85b9e300145bdcf37e238d1132eae2767fe33cc2f6c8ce3b88c5b59f5742a2dc0b73aea893cd5d92c77b6633002639c9be0

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe

MD5 c9d5dddfc861cc4d45299759c3bc4d28
SHA1 265104cc490c6928ec1926fa34f9214d9395d46f
SHA256 321d1163fad8646d2dc9c9a2e168e66ca5727edf489a339dc156304e2455df7d
SHA512 c8df5d807da6c4d44ecaa9bc8df3e50fb296eab8a8fbf2445af7dbdf1644fe6ece02c7b753fd8caf8d7d93f09b89a8b16d46409773f040eaa177be7c1d9c765e

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.sig

MD5 d8d0face111912e6dcc93f665bfa10ad
SHA1 e171cc8b4abd73e2e6f9e0145e8e3d46e333133b
SHA256 5efe288bf88e3a66ead387ee327d7f2ae6637fa507e14271cd1c30024279945e
SHA512 2bedc86a79225d3c23067a042a219976a670ee164222cbde077edc2bf5618181eb5e26edf86946e2797016c5a87f3534e47dc4ac76d40487354a701ef77aa51a

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe

MD5 52b1ab13fbb2b922449ba867b436b146
SHA1 1ff97a8bc7f61a08ea93d6705a0416d694ed34df
SHA256 ea03243e368206716ef499fe9141864b04358bdd273a2ffff6a2f12bde338a8d
SHA512 0f7a5b293dd32bb83d6c089e0594aab9da38b82b8bb063670e0f8cd1786a93251b937a329505fab49b9e2c1559821e962f44850a2b23ec210b94af4f2a63db0a

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging

MD5 27418f9aeb0fae483bcf13272efe6310
SHA1 9a28ce8233f1be05276f787e06f872f7dd49f8ed
SHA256 e3c2af35d1dfc500e16f826a071cc311bf55003a3de77de7ea3376c6b6fa2857
SHA512 35386ad7cb2b39b8d9dc94599e08bd68cc60e3a192090b511f1a2c99b3824b7f74949ed57494ea0e4ba32d25b2c6bdc30117687a5352ec96ca41b1a927ffa7f4

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe

MD5 8d848ed9111e9a88338944cae1c00d72
SHA1 5c93eff2ec8de934252cd35c37d6719fc0124a43
SHA256 9f36cc67e5342e29dadb51a47e3425c1ead7319d863284b87d66762e8ef73ccd
SHA512 96249217f0906fd557c896dda5cd86837daed6a9fa21c49cecb1af003b4fb3c31c4e878f8a24f8704a7bf45338d7c6f07cc6327cd0395f5c52bee9a089597753

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe

MD5 00f040175f172f86bc3b7d8d6e6f5185
SHA1 7f0eb44eb78f01382df2e662fe6c9126e6f0986c
SHA256 50f89234bb59249be5f89308c91e586d6702bfbb3791ec482f9f24d155641aa5
SHA512 9246bb8603a205fd6bd9c60db23ec957c83990f28979663a6314fd8670a0368b7c4316611cee4856e10827fa28d06ba3bd5ca5acf4ecd20b45a2f7b2b7097e9e

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe

MD5 02e346c8aad36a974f70cf8d4ff00ed6
SHA1 108f16fbbb13e3e3b47613ba8999d9f22a32e27d
SHA256 4dcd5e2c9dd955448bd4fa7493e0bb759fb1c816b54d59f33857de99462692d0
SHA512 6818d2182731e504959fc893a7d89f138da2433e545f67b3dcb87d33eb88ab38406bb9b5e7b675dd08acaafc9d846f074417b3483e4954ee6ee9be226868ee54

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe

MD5 71c71645f10df80ba4f905e0652a63b9
SHA1 c7bec92a409150cc6ff6715d6116a41364da2d77
SHA256 f71a626255495657658428382b62009cc85881595e02c2698aa0b69ee6079f9a
SHA512 e7f89190a9e297880801e0e4a1e8c3cfec23808c7c8864a49f50deaeceac1aeae1af3fd121b57f6cf6fdc6dd95436fd52fc74caea4498b05b373991dab8da193

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateBroker.exe

MD5 fafd66c030c9029b9d71180442f2258a
SHA1 4344ad335a61b7cabf03cc6985287ab633123bbd
SHA256 f362b88e78241b9a79824e4138530ed0a565be50b9ca4521b254b241a0b6a465
SHA512 e978595283a6621f572d34c7f6335c3093fc139a9ab0d8bfbc888282010a6d1133449773154a87908e2fc69ab6a6f8e4d69b47a431ceb78ad460ff6cc9533390

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe

MD5 17f8d7fbe297c5551397eb42c0233765
SHA1 6475fd23f6126e8ce9da8b915b5e54e6b490af92
SHA256 eb158a5050135eba21cfb374f28afd0a64f2a41d416bf4e394d40d7ba1fad01e
SHA512 ce9e82aa42d0015b70a79d5cf3e7e1b0eefb2356c5b38b875be141a43bde7cfa1f9e7c157c403a7f63ec98e4aee43af7ad0e4b613ab8e8a4502990e3662f6430

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe

MD5 c5c4ce70ed0f3e25c7b4c7979fd480c5
SHA1 2a3154b51ff2d4d380b6c7556537da0399ac8063
SHA256 e964b449f06ce942fb84186b7ab20f0dd77471f75821fd7949009fd91c3d5168
SHA512 7761eeff6708c49619eb9a5e14c7516ca16107939f7a3f2873091dc5629799ea4603324cae5869a6de5912858676340e429b8bbdf1382baac9761d748723ee97

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

MD5 ae91d609f41c01512a760d2a48c537e3
SHA1 3b43d719bdf38e8ba493897937d99d7b0582128c
SHA256 ec9fade9478b126a77105e32fadf47b8d1cc6943e97393fb7900f1f142ff2d74
SHA512 9247884f97caa9cc84bf46f18a97d56d85f26f14ecdf695ca57225ec9d925c84b8c48ac087f96cbd0664c36a6d54378b6d6e601f09b14326b34633f9634fa1d9

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 4c0a44979bb984470f56bb3cde4dc1ea
SHA1 b4e80e639b7871deac7f81b6ccec35e73158c379
SHA256 8969cbd521a9cabfb5afee05b4993efbf6ed3912f574073a7064c46defd767d9
SHA512 118f606812069d45fe05d6cf8fc90274fcc1fbe221ec6b259984c1c6c2e93960d972bece55ed09f02189ec9c308f8c97f12b940e4d4ae1ea4614237a7ac978f2

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1

MD5 9cb17fa9b59645c7f574893b4565d2ab
SHA1 274e027aa39e24845fd11fcbf265523de44e69e9
SHA256 e2e70c766bc6c37a41a221b53a0e62ef616c8fbcf7a244c4863f6a74c06b8e64
SHA512 d28e543a9355274fecea9be5b1120fefea5e4652835e477cc9886527c0a67556582368618ef1ad98fc95a406541cb7541dc30451033a77b8c0f2011874b1a774

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.schema.mfl

MD5 1fb20e4a02ba1ad84aca9d99fb1921cc
SHA1 169ea6ad71a5c4f4d8312668259ffb793e6cac0d
SHA256 1c55f2acd075736d1fccd0e7bca9292072d933e2811b8e042c172e9e7f112f39
SHA512 3516ca18f6f5b64fdb2de80c950d114b2c5d979c24764cad4328411eca14c47c4758816bce45c3a691adaef50fdeeef64ca51a7ce603aa5ac11bd308a9166621

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.schema.mfl

MD5 125863dbbbb069fd535aaf5f8b17bfbe
SHA1 ba601b96a414c6e3dddc42e6a0608ecf099e6310
SHA256 424c38504d88d0f7b3691471d18b1a21141b9e31b1cee5dad278963613252480
SHA512 18e068cfb976f972322e12fe755aa37a3f44fe79e2da094042f22f1a3b0a6328033e05a625f4faa2a373c654751ed1094f9c04d9411e86888448e367ded915d6

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1

MD5 5f3c20c13de3ac54a574e3dfec50a560
SHA1 ff983979d46433ed43e738f5c34c5340083cca11
SHA256 a6f6e59f677587238a2b472d2f214b1c95d61d86a7973cdd89a61e2c05ca7594
SHA512 4caa9867ce2b6bb9abe419a9306d1e417a2da05d5af5624bd92f433872338f39d5b88cbb4d94efc34ff29ced991cb38ac531ff6b6bcd9f899bc7061c906f228a

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 2d15de6561bc83298ce3a4020e694130
SHA1 aa578eff5340b17518d464423b24acec84af2ac9
SHA256 40a2cf480fec7857ef67b27817cafe65ddf9b86b5b9279b0f941ab77395d3b90
SHA512 14045fc0c027f39417948945a291df6d1f4c692b721069ec469647d4326fe6d1f095e1eb5f2f67bbfa9ed6b33402155f578ad949e0c4f1399d6fa3fb2aaaa184

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\9BD09B5C-84D7-4E40-BF8C-CACD6EE1539F\en-us.16\s641033.hash

MD5 f536fbf78e26387affb82ee89943b870
SHA1 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7
SHA256 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15
SHA512 d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe

MD5 03088a65751ce0b1467416ece646073d
SHA1 82b2869964837297ce765642823d960663843c17
SHA256 17c1f9a5bd6cb3fc062008524fe11031f291793bc25fcde74dfbe13309c8496a
SHA512 07e8c0fc84316e327e9439e203423ad16606c515901baaeb31d580c903e169f242bbbe5a59b5670691f70b99edaaac6b6a34c5c88c35461a5f9b240492233e1b

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe

MD5 a3e7fd9a9af9647807df5e025c50657c
SHA1 089c2a5f8aa25504279adad5b4d6f282a9bec437
SHA256 05d47c5ecd269f601034820ca5be4e6ed4771f7a999d99f7a1e3483fe125c936
SHA512 81e6706a3d6be91c336138da6624ad9b3295637cc8fff2ae7fe4cc6ec83a29f392a69e6a4f976eda57fa85b28c3250938e0c5a7fc78a778c28074f0377a4aed5

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

MD5 e827d1ea1a54dbf3e2eac8790370ecdd
SHA1 d52fcf20d0e09e897c62afd39a081ff353845f65
SHA256 2d18eb4a22062fc9f1fdf8c84fb226cf0438e2fa4aa440866e3940d2ed453cb2
SHA512 9e81eda047dff993360791f8fbc1e52f4a5302bfc69a5be2e4d8e8ab74dd85cb7b10b7e2a01f4275dd49a2cb3610f16dff0689243e53ba48666936fc061675bd

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

MD5 709c6a80af0276b170c521117ede47c6
SHA1 8e6d9001ca20e76482e1ab88d54d47c65c8c7836
SHA256 d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b
SHA512 bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

MD5 af91ba296d8c5813f58b0e14b284cfbd
SHA1 204516efa5bc8e23ae6be228d31644ae9df19f46
SHA256 5716e54bf9ba9e524a77025923c60f6655b40f347c87dab59410f0b4371f0c24
SHA512 4f29dba8748da9e8ba8d222023fa54dcb655a8739b1bf5265141818a5ad44051ec742286a9b8e8ff61c577670c65ebe994e5a0f8b4977cc12891d8ab7e1fe69c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 d499b78dde2e0a7ac7cbef5736fbcd10
SHA1 2e850eae88416c1957141da5763a2ea7887bbb7a
SHA256 a34b1f7beddf19466fd8af622f20d74d37f55871e302957c5e1a8423e774ecb2
SHA512 777dc6a0849b0984b1a8e3f606dba0f4d2eb7e64c30123a531ecf6afc30c532c6b8bc7e40634af80b6779793d60848997ff2048ffcfdca39aa4f04441e9f98b1

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml

MD5 234c58fcbf2775edbfda910d2e0cb945
SHA1 16314a6f5604aab01e76d5e7f7794b40c23a4785
SHA256 68193f3f98611b2aa42be4d2995b0b9a2465277c7520231324a08460639a41a5
SHA512 fddd87a902c108de1d986dc6e4fa7347e3908076d1ec3f64b19602d3a2318ad5ee0a1d46599ba860dec61843c2954d3cc9e91aac9718a82d1043e32b3dfb6bdd

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml

MD5 af98b62b3f9d6e70c082f05969c0d2b3
SHA1 2a78fe6ace36668a1505ce949dd5415cf172590b
SHA256 77544451f210250b90637e7ecfebfc0ce00398ef964a2d46f1b92adf4d6f97a2
SHA512 6a8d54bbaa9d6f04de832a60fed8f471eaf38bce9f95942d2fa84dba035739b65cc4fbe58904a7d2220af89d735b96be1bb6aa43aedecb83afba6c4d3be20850

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

MD5 8b550761ab80413c9c09f7fb472dbfaf
SHA1 67122822562203c17dd3f762194e470f90ddfa97
SHA256 f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b
SHA512 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 a781800433def8446b0b631e3b7db830
SHA1 1ce441e9a4a9da03c5eed0a979b68f7c6961cac6
SHA256 e49020dbff46224343726fa09eed56fd05a11beeb0ccccc53c40a8a5d3d57959
SHA512 168ca24668d05613aa129a81a9b38b902bbf76aed988facf67df25c15392d002832ab19fb19a3e6e0804490886dfd57f0c5c7acc233d75b056aba737ac4e6026

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 d85c0f88d320255dd342edfdbc42cf70
SHA1 1cfa2795a91f4f0e783e5c95406ff265929a0719
SHA256 e2879ada105a738a7c4cfea07875c2365073cafb12b083fb36859518c06a66cb
SHA512 85f51574e6ac067193eb346f7868fe7bdcd8ecff6faed193d153afdbe7fbe67ba264703a2cae781e177d81093205b83ee6351ba324178cdd895559874e666b3e

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

MD5 8776c367699ad807af292f1f5d085d4c
SHA1 9209e352bf9d3999f94881a75d6f7d39bc6d7f77
SHA256 18b602cdbb7656129a359046fc68faf1b990da88c6c3b3e6b20c1df399cc0645
SHA512 83a17d98d175a122fe98cf89c476826769d8fae0d74dc93c8fe48d12089e26bfd501a586db3783a03e1bfe07864ebec2a6b5a48415554c61cd565131ed40a9e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old

MD5 2dcea950234175e3edf672936843ab5f
SHA1 4ca6dfb9ed642bbfc0002cd47abaa2dc895ce0d4
SHA256 74ca16b1138459ef2afb19324097332626ee7c897687c5adc5488f93bf0c11ff
SHA512 483866f3ee1d730f1052b0ce34832e0e42145296df490a68901b95e616f2dfdc39fb13e2ed80bd259c43475830f6a74257a5fc8d163e7f1dd17d39556501dfa4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\dasherSettingSchema.json

MD5 310614b10980392ebdb5a5a8b90b527c
SHA1 8c8fb36e7c2a1574cde7fdea30e8e5f14fad7691
SHA256 445c811c35e2fbd4aa59389ec805492c7b2db50d65f5d161417ce8302b103fbe
SHA512 416650adf9a61cbbb6eff7af635264e5bdde903477465cce05b63773927b8afb35e75fb68497882bce7778f524b9c7f3f2befcfe3840e99bff90ccd305bac66e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\_locales\hr\messages.json

MD5 798b4a7c5a9f20d24f36ba8daf7b8f70
SHA1 0f007b82783ddea5da7374c96925b77a7fe9f57f
SHA256 e5cbc8e3a6e843009fc9a9de7a83df9d05532e08d48da06c66f907f58d0c745e
SHA512 e3faa4376d03dad6cd714dee6349733abe29d0c2118456f80bcc4c758015b12a06b4ec6532a6e98d512f5c6dec7a7ade5c1d2a418db0f739ed17f18c0cd6b54b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT

MD5 4ae71336e44bf9bf79d2752e234818a5
SHA1 e129f27c5103bc5cc44bcdf0a15e160d445066ff
SHA256 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
SHA512 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001

MD5 f5cfd73023c1eedb6b9569736073f1dd
SHA1 669b1c85ecbafe23c999100f55a23e06bf59ead7
SHA256 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2
SHA512 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b203621a65475445e6fcdca717c667b5
SHA1 c17fd92682ca5b304ac71074b558dda9e8eb4d66
SHA256 17b0761f87b081d5cf10757ccc89f12be355c70e2e29df288b65b30710dcbcd1
SHA512 ed68f5f49945dcd0d81dfebe2f2fd1fcfe016807d5c64ee0377d046efeb0a7fd9b4b9589b3df8a14194d51dcffbd89c8aaa072cea2ad4e7976bdf53528ea90cc

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin

MD5 1595ed4372d33dbecabbfd411c6c8f46
SHA1 8b8ba962b765110f762f873edbc3193adef48b33
SHA256 8f6abb9e202dd8027ac9abbd475a24e62659a0b2683613f219c21d1238816ed7
SHA512 e0017291c0d0685ede7a6492c2683a90b37482d21037840ab3e2cef4ed381bbffa8c31ef3c8d06db0a800eff69ba4505012886f88a911997657b3f26284142f1

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin

MD5 97d6d52a254a9cbd2bad939ce1926af8
SHA1 15a64b0f07658da802cb0bdd43c9c6f2df2f0af9
SHA256 bbfa41253ad301a1cd9c7f6321bff365068178f26cd84e8afb127fb4001bc4be
SHA512 98e76665962acd459228cb9635d95bb37c6e538eca7ae50107c665c93be334b907178f87749b3a4f33db34152b9d9035163fe2429306eb3ac45ee539e242c3da

C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

MD5 897208d5df122e307ab837d982b2c085
SHA1 cf4ca14a7adcbc197cd84c1997efdd076911d608
SHA256 eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4
SHA512 b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6DEZ09S4\Windows[5].json

MD5 01b53ab60d1307f1db2f793377d3af08
SHA1 aead0b1b398828d1bb81e91a52f28e504d717e1c
SHA256 b5afda9531d50eca02d7e10dd6a5e5a9346ef452f1aea17049b4acf84be62641
SHA512 ee7663533aae47cae26d9605f045b9165ed9ba387789a09db6e4bd0d76ca08aaee685d5299a8ec40ee086123f4e3ab766a793d9199c639d18d56d87c37cc8f6d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K7TNQP8W\Windows[1].json

MD5 53549731972ee564bcb8ca0cc2ba60b0
SHA1 28dc01ae758d21cfa547f4a9974797660291a1f0
SHA256 fa9ef72c7116ed4e52fc3f5f9a2798ee5ea2b44fb33f8ddbaffc9a45161be40b
SHA512 75cd8db86e7c0679a2d9e4eead364d4c34a88c3c206128204d0733b41d4edc198cbeb027511326078c526ca15a7740859c7938d4b00b5d01c5c99bb0aeae5518

C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk

MD5 61d2c715839bcfa06ce4d23dd84e7457
SHA1 cdb61e6100ac4882ba4863875f63e38b8b804ddc
SHA256 1f9ec15f6ff239e14a3a243a98f19ae7db16d425a63b2da0908cc0ffcb1258e7
SHA512 cb6577068e0b746a0ff0148238fd5be9e02e4ff6218fc21d78194a06ebd3f54aa12a1a9b80a4cc9a9f66f72f49eb875eb367b344f674807af11373770f75d952

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\safebrowsing\ads-track-digest256.sbstore

MD5 017813103ef615c6e4e41c106f0d8540
SHA1 a7bb21ac882f35d671d5f0597f8962f9e04e371c
SHA256 f18f13c653940384b01c154887477150b1c0669d5620d263f72bfcfa57daee09
SHA512 0a615cbbde1ce71e1e3623454e2dc355f5ff2e2480520ec0598de70a9cdbb287959bf7958435ed05457957e3ae09d2db2884ffd743806191b773d91a5c882fda

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png

MD5 535ee7f4b7959a29e1d1be5a67e00334
SHA1 c8b3bcb1c1fbf79c59a847510d884da10dc62f19
SHA256 46dcb7a9e7bde1f57e5ed2eef9257d2d0ad622c1b3da32700f6d9e2ec4a0e287
SHA512 b0f9d39cb8200c35c564053454dc9fc67e68140861255f77dbe63679375ff3f892426109e95633fcf6e285b9547d890d1281d8ae4ef97cfb78433608961934b4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b8713325-0776-4be3-bce5-7c930564ba89.2e33cb38-ee12-435d-99f2-a9efbb9faecf.down_meta

MD5 20059d007362aedb8bac5d3ba0a01eda
SHA1 20985142da0752637f58876cea05645d04df4dc7
SHA256 2b1677a1e2e7af682bb225824537c7495a77670ae56e69e8bd967ce11edb2f23
SHA512 dd65d9b35d117ab0af9273f4f0d0409d61315aa6e3849556f30b8dc8df2447ff7548ecd3da4bf3bdd389f99da922a00e906293905b9741a3f6eded45c569b75d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 fc91658bb81ea407fd37a59d65f0d86e
SHA1 6cb269ab1a592dfd2039dc8c50c00b86af94d3e6
SHA256 4bafbcbc4cbbda94d0a315a09176de0ce6872cf1d85113539a7b04ff2360efa1
SHA512 c5b8832097ab5e74a0c31cc243c98c6a2b9734da4eb6e25cfc28070529ff4b6d77de1e97388f188f00148cd8db32f3ea62dc86aa841d47e25da8d8dd2267061e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 a50b718c3518b630251fb54b92bde360
SHA1 a9582222b6f4df2b4e3e4ee5fe91d25ff086b943
SHA256 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015
SHA512 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 80be6efdf5a776659777bf07d4aff891
SHA1 1f98e7ba8de8c6b39f4b202739ca71fa2629fd6d
SHA256 9ebc694d4895efc802ea27714a71986f293edf4b63e9918c27d65871b06f43a9
SHA512 03a5434f25209a74a0abc6045c66a45e098d487227cab71004363c8c823840b49596857e8f757f42b8953f9bc2066209b1e8f52104d1837705828cb2676119cc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e96c2d7-5797-4048-b25c-9a74b4ff22ba}\0.2.filtertrie.intermediate.txt

MD5 ca9c491ac66b2c62500882e93f3719a8
SHA1 a10909c2cdcaf5adb7e6b092a4faba558b62bd96
SHA256 8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4
SHA512 65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

MD5 4f00b32a70c5d829f8199614fe56af64
SHA1 ff2afa238f88ce8cdb4430fe578c58823cd6d752
SHA256 e3833793f7412667cdbe15693f5dc4994934d1a6695392f8bebb74f985658256
SHA512 6ca12db615454c1b842040e5047ab24906d372b15b547653553d39ebd18cf4f90a360c5032e415d00ba313cb27def27aa8eb7e94ae3d86fefcd856b693f0c6aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27

MD5 8c1d71b2bf2d4d1eea6a825412dd4544
SHA1 7160c20079f39f98532f42db23209435edeaacd7
SHA256 0441772f66559a1c71f4559dc4405438fc9b8383ce1229139257a7fe6d7b8de9
SHA512 5d70cd72a6f162cb39167337001b791347abc07b9edc095516489de9e9427cb824bc79596362b41f78e73144d3e224dad14f3dbf48cdd0fa08f4b5073ab702ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 aba916524277db53210ede106ba4f0f4
SHA1 a1e373efa2f5820871e207361b899f5cb1a4c76c
SHA256 a365b37a503f29488c93f2656419e7d591002904360f6bdeb2ef2067fff23741
SHA512 06741f2b929c8b8df2769b42c2f12385739db4e0457215990e46bc86d4630738245b06fcdb001dd32fda4192e3fb2247bb7f70dc184abc05865d6c45969dcfb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_5C1009244D39FCE23AF8F277537F2613

MD5 a75d7d422fd00bf31208b013e74d8394
SHA1 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA256 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512 af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A

MD5 a00c4336b61933a3b7eed1304d15427c
SHA1 8f2546735c9653c10cae89332b593630d800df46
SHA256 8dea6b6aa16702f424f2679d756a6beb769c64ba4b1c74da279e32cfceaeb396
SHA512 20a953a8f435df7eadf5804379be46093f289368024885d80c8531bd80460d6a9245060a6986529b656a5deb8080f332746a12e2d912d3b3599336fa046098f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\dd7c3b1adb1c168b.automaticDestinations-ms

MD5 d2a70550489de356a2cd6bfc40711204
SHA1 02ec1f60b2e76741dd9848ac432057ff9d58d750
SHA256 e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293
SHA512 2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\permanent\chrome\.metadata-v2

MD5 c183857770364b05c2011bdebb914ed3
SHA1 040e5ac904de86328cca053a15596e118fc5da24
SHA256 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca
SHA512 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 7a4228aa2003a72a296e741bfa8246f7
SHA1 e94ca8cb43d671cdc3ed759980bfbaf73cf4c6f8
SHA256 462fa5c6568794276673c9159500918afddf8f170e580fd1f3d483c48934b050
SHA512 ed66dc35762f661f760eaf0feb82e22c823f11e552c9f938748a8b158ecf0828f40d48afc4d5cc07122f41a13e7b322950b9f156808b125bc7a1ae19e066d304

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk

MD5 45de417378735f7d0d1d3c3148dc6d00
SHA1 3295b1605ccb0910148b618c52b4d0c17fbf0a9f
SHA256 43782c4d9b63da7cfe64f6a9a06a6cf8007d2a793b8a5f94c9b962bb5cb25b0d
SHA512 23ee803d8a1619d5d5a3dcbdea08175b3a6dca7a29a9d37f37342bad73ad4ee383b68ebd237099cab565699150f90cfd9014aa35e2fa09a6cabc0fa6fcae9c04

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

MD5 35705a33e80294bdc078f5582784f4fa
SHA1 3b8d2bc3650098d604e3363fdc41e9bfc2f4609e
SHA256 d0e438519a8e2075e13430b66debeb7204e5e8ab41fb24eaab20db0bdb66d835
SHA512 e560c350940f15a8d5c5187ed833190cdef9e4862e8f06dde9b0204ad1a0decb9adaadd27c4b7015ea5e7fabe7d7a63538ba72def9997e56300cc8ddc4249061

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini

MD5 6e36ba0fe61f7c6334305d61299c04cf
SHA1 646aaf623a9b65f3054571ba8680342cf02b6225
SHA256 367467f43d580c3c07040a78c7890ae4262dad4778878f9a49d5f652c81689a5
SHA512 ee5d694d66bb3ee0d55129c96c83116e7af28b6838854d110cafe9dcb530fc05ef8b97469d7fe0c864481298fba5008c97eb2b503e90b58b1e33f8856cb132d2

C:\Users\Public\Libraries\RecordedTV.library-ms

MD5 a9d5728f9b0e997753288b3a140c5335
SHA1 a44e9168f2e351f3ad4ee2f7c0e0037d64f65066
SHA256 84ba348aafb41879cfa434256c8657baff00a9bf41d5ebe041b0ef87e7419f28
SHA512 13380300950d351ffb3256e3b65f6dcfda8c52dcedf6627e10ef231925e45b178d173e7a24406bdef42949f9919326e7abf8a9101e2fee0127c578a46a1df294

C:\info.hta

MD5 8625b20d949bd146523a3dd37d0c5d92
SHA1 16bf901905f225d628cac24ed411cb8ec14da027
SHA256 7b386a46807a7365fcaa15e0a77bf652ac9fc3faa6323b75f8a342713dd2f8b7
SHA512 972cbf990eda8ddfa3f0d1c9795abb056f87b1e728802c7dcd3aff8616741a774da90158087958fda676d388148ef02f968a7a314f6dd082432fa61957d9efa1