Analysis Overview
SHA256
99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9
Threat Level: Known bad
The file Desktop.zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Agenda family
Quantum Ransomware
Yanluowang family
Detects Yanluowang ransomware
Agenda Ransomware
Phobos
UAC bypass
Renames multiple (314) files with added filename extension
Renames multiple (95) files with added filename extension
Renames multiple (444) files with added filename extension
Modifies boot configuration data using bcdedit
Renames multiple (550) files with added filename extension
Renames multiple (127) files with added filename extension
Renames multiple (509) files with added filename extension
Deletes shadow copies
Renames multiple (96) files with added filename extension
Renames multiple (99) files with added filename extension
Disables Task Manager via registry modification
Modifies Windows Firewall
Deletes backup catalog
Loads dropped DLL
Drops startup file
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Drops desktop.ini file(s)
Enumerates connected drives
Adds Run key to start application
Modifies WinLogon
Checks whether UAC is enabled
Sets desktop wallpaper using registry
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
System policy modification
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Modifies Internet Explorer settings
Views/modifies file attributes
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-18 15:47
Signatures
Agenda family
Detects Yanluowang ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Yanluowang family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10v2004-20240508-en
Max time kernel
1761s
Max time network
1172s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
"C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
316s
Max time network
1605s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
"C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1108
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
memory/3800-0-0x0000000073A5E000-0x0000000073A5F000-memory.dmp
memory/3800-1-0x00000000005D0000-0x0000000000750000-memory.dmp
memory/3800-2-0x0000000005460000-0x000000000595E000-memory.dmp
memory/3800-4-0x0000000073A50000-0x000000007413E000-memory.dmp
memory/3800-66-0x0000000005280000-0x0000000005312000-memory.dmp
memory/3800-67-0x00000000011A0000-0x00000000011AA000-memory.dmp
memory/3800-68-0x0000000073A5E000-0x0000000073A5F000-memory.dmp
memory/3800-69-0x0000000073A50000-0x000000007413E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240221-en
Max time kernel
1556s
Max time network
1557s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Deletes shadow copies
Renames multiple (127) files with added filename extension
Disables Task Manager via registry modification
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File created | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File created | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File created | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File created | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Temp\AESRT\AESRTback.png | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File opened for modification | C:\Program Files\Temp\AESRT\refresh.bat | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
Network
Files
memory/2240-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2240-1-0x0000000000910000-0x0000000000A78000-memory.dmp
memory/2240-8-0x0000000074540000-0x0000000074C2E000-memory.dmp
C:\Program Files\Temp\AESRT\refresh.bat
| MD5 | 0c7022bc17761ecace63d45343c9d2fd |
| SHA1 | 7fdf53bc92830e4e5935f61d745a055edd3fc9e3 |
| SHA256 | 98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a |
| SHA512 | ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a |
C:\Program Files\Temp\AESRT\AESRTback.png
| MD5 | 92a48ac7dd5a294775a7eaef78471c0a |
| SHA1 | 60bb24b00c1854db86ce46ed4d2d76bf43a0403e |
| SHA256 | 0ac5f7f06c21225d2ea5239998e34085fdc47f77b9c8e228245beb6291335b82 |
| SHA512 | 4fb0020b7fe79d4104fbf5de8cfce4294e58bb52fedb613dd023f91ee78db1065de2d9ef181f372c483abbb0827133f41fedd980559b2ebecf227ff2cdd79ffe |
memory/2240-270-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2240-271-0x0000000074540000-0x0000000074C2E000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240508-en
Max time kernel
1383s
Max time network
1172s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
"C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe"
Network
| Country | Destination | Domain | Proto |
| US | 198.252.108.34:3012 | tcp | |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:18
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1580s
Command Line
Signatures
Agenda Ransomware
Processes
C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
"C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3508-0-0x00000000003C0000-0x0000000000558000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:18
Platform
win10v2004-20240226-en
Max time kernel
1793s
Max time network
1803s
Command Line
Signatures
Agenda Ransomware
Processes
C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
"C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
Files
memory/2748-0-0x00000000006F0000-0x0000000000888000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240426-en
Max time kernel
1553s
Max time network
1671s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
"C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3772 -ip 3772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1156
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.31:443 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3772-0-0x00000000750DE000-0x00000000750DF000-memory.dmp
memory/3772-1-0x00000000003E0000-0x0000000000560000-memory.dmp
memory/3772-2-0x0000000005580000-0x0000000005B26000-memory.dmp
memory/3772-5-0x00000000750D0000-0x0000000075881000-memory.dmp
memory/3772-63-0x0000000005450000-0x00000000054E2000-memory.dmp
memory/3772-64-0x0000000002A90000-0x0000000002A9A000-memory.dmp
memory/3772-65-0x00000000750D0000-0x0000000075881000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240426-en
Max time kernel
1521s
Max time network
1494s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
"C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240426-en
Max time kernel
1487s
Max time network
1500s
Command Line
Signatures
Agenda Ransomware
Processes
C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
"C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
memory/4100-0-0x0000000000850000-0x00000000009E8000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:18
Platform
win10v2004-20240426-en
Max time kernel
1696s
Max time network
1168s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10v2004-20240426-en
Max time kernel
1390s
Max time network
1184s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
"C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1140
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
memory/1616-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp
memory/1616-1-0x0000000000F70000-0x00000000010F0000-memory.dmp
memory/1616-2-0x0000000005E90000-0x0000000006434000-memory.dmp
memory/1616-4-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/1616-59-0x0000000005CB0000-0x0000000005D42000-memory.dmp
memory/1616-60-0x00000000058C0000-0x00000000058CA000-memory.dmp
memory/1616-61-0x0000000074A10000-0x00000000751C0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1608s
Command Line
Signatures
Quantum Ransomware
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3476 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3476 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3476 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4112 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 4112 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 4112 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E578B67.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
Files
memory/3476-0-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-1-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-5-0x0000000000E30000-0x0000000000F01000-memory.dmp
C:\README_TO_DECRYPT.html
| MD5 | dc9ee4b120a90025ce0fde1a24782d63 |
| SHA1 | a8a27c75e387664beb9b17480c6062f8fe5272b8 |
| SHA256 | a3a584e6f7faa1a374aa96ff3d0862c1ac09038fb0b4eceb2d439690b10034f8 |
| SHA512 | 41ea08feb97f71deb6be0991646d0afd0d9d145893846e527f62d4043cc49f6aaf26410e7e94f6c36679d0597f380bfdb9c84ad04f7702905b90264addfc3c44 |
memory/3476-62-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-14-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-10-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-9-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-60-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-12-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-4-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-1020-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-1024-0x0000000000E30000-0x0000000000F01000-memory.dmp
memory/3476-1028-0x0000000000E30000-0x0000000000F01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E578B67.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10v2004-20240508-en
Max time kernel
1763s
Max time network
1713s
Command Line
Signatures
Quantum Ransomware
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E5777FF.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8a546f8,0x7ffca8a54708,0x7ffca8a54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/4544-0-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-1-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-7-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-30-0x00000000027F0000-0x00000000028C1000-memory.dmp
C:\Users\Admin\3D Objects\README_TO_DECRYPT.html
| MD5 | 867698a2f6e51b54a2c826e3c9600f07 |
| SHA1 | 94cb5ed8f01225b02db259fb1d1908e687f53577 |
| SHA256 | fb66e9dfa750c9043b58bbd4a38a83a48e58d1ae13ba989e164795f999e3a7dc |
| SHA512 | 045cecd3e62078d2668ccac248f1842f9f2ba575efc859df1b982c6d1706551f1e8e5e425629aec9f1a8ae92ad5e9e402e2d832087aa3a66727c20cd344a3867 |
memory/4544-8-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-32-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-66-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-1141-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-1144-0x00000000027F0000-0x00000000028C1000-memory.dmp
memory/4544-1150-0x00000000027F0000-0x00000000028C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E5777FF.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c7e37d16241d68c979f5e27c88a19801 |
| SHA1 | 934aa98dc16d8ca007f7119bf6087201b6c98c41 |
| SHA256 | f10883b5faabc9e709ec3d6df5b4d4a3ae87931e36d30cf8de14552d2ad2341c |
| SHA512 | e64bf0bdef3db28946b81951a8e72cd4240019d419a2dea40dd23a1aa5976ddd8dbae8bcdae18bbf06feb84c32c8fc9ed2a10c306a40433bf1ec8012684947d3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0f438a3c22a3a53fbeda21a482b95b7a |
| SHA1 | 954deffa5eb6785ef191a67c832e3b7ff39e9375 |
| SHA256 | 8f1d9bb7e050c512ad9ed77ce31dac8c7555e4bc5cb59764098507670aba987b |
| SHA512 | 1aea30026d310c68d0892970d81add32b593c539ed2fc58244cb1a329837cd5aafca6b62f3f3f5a116b99ca894f8c7abf26bf6e3d138371a4cc122e540380c1c |
\??\pipe\LOCAL\crashpad_5080_LFGMYAIPRDWJRZXY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44883cfa-eb98-4929-90a6-83450cf6a2b1.tmp
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a6dffc5e76b21697a246243f175feaef |
| SHA1 | 0501c5a0e04a45f6d65af6a4563b2b857ba6ba90 |
| SHA256 | 16d58f4ad4fcf2ecc154e0f6f8984b8beaac3cc3180183e18552d0e3719327b7 |
| SHA512 | 4700890801d22c46e34587631c8b62bb6e8b359da730cba9e532fcb0ee780f53d8d5b7a97a75d30343ea4b4efe8064533527d9f9c8d271f36182e04f6893bda7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22646e41-42ab-4f92-85a7-d059297410cf.tmp
| MD5 | 53b6e64d4f73f7fd481b0f1e3423e815 |
| SHA1 | a3eaafb3823618948c9b84ce8331f8b5833a4b80 |
| SHA256 | cfd20e0d411a7c06b49de8231e9034a2fb1c0ff109a0e11bdaded9ea4c34b39c |
| SHA512 | 038e2d3871cb83208b83afb498c40c1b711d2221d58f2b73dc846b9a33ff72c572aa99bfe9d43e255a3a5ce5b07d7a18164e5c8eca533a659fd61cced2053a54 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-663B6585-1244.pma.quantum
| MD5 | db6a396499efe8bf347c95b50b035a42 |
| SHA1 | 069f3d44aca9ff625bc1d87b5b4d6efeadb2fca2 |
| SHA256 | 063b4def4dcb37d2dde2c6a806dcc3b2baf75214a7e92687ef14847171a1aa09 |
| SHA512 | e90b079363db524e0a9a3accf1913c7a162c9e13631b0a3c3d3a810a9b97a2dae0fcfacb73e3ac7752c2552a69926259921fef4f4a0a1d23ec2a880f14a54d0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c959e4649f2f3e5272ee451b05ad9b9c |
| SHA1 | c1ce14ada4d1b18d0ed9907b9da7f66a9f2bc546 |
| SHA256 | 9913bc9fb15a0358da1e82a113d2981446e8be6ceeda2f56a98385af30b1d359 |
| SHA512 | 25e38c4d2d6b6ac97c5912eaf6c8b21397dd46d3633e1a10f6ccf6ce0d3ffb14a47a4b414602ab997591b10ea526bd4aff09b5ccdf0e74995bc08c2c0670e176 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 137b3b5ad46bbd468887b0d61277a7af |
| SHA1 | 6ac0b55e904f40cc3c5bea2909aaa6bc4968bc6f |
| SHA256 | df068702d2b3b62e6cc8c2683e7a57dd4188e7117d1d49f652517f48f76a8bed |
| SHA512 | b4d3d76fcc624b7099e5c840178376b98b59aa33d28f501aed35479de69ee062cafea482806b7e5553a53931c36f959d7a12468e6133310c88d37473a1b192e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe57cc49.TMP
| MD5 | 51a3cfbd69983bfbde792363fc776873 |
| SHA1 | fbc5f6ef81b563ba87b546689194362b4901b47c |
| SHA256 | 802b2bf8cb0a20fd9f6b3489c44e9fa77c42ed34a8a94b080ab6d9e13660b361 |
| SHA512 | 6bc4b68ff98ec9b71641e652188b9c7059660e6d7b825cf9be3a39090d017869d05da9cbf90693eef620c04cc238d09555df35e61156aae8d0f460df8d6e35e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\48ef9f70-9c3d-40e5-8e1e-0003fc653abb.tmp
| MD5 | 8a33fd0f73fd8c65dadbb7792cb5b6dc |
| SHA1 | 33aa53a3ff6629bd87f8a8a8cbd776ccc3570345 |
| SHA256 | eb66ca9fc5dc43c6fdfb36cce92c3a76eca28ce2837c4e071caad510345b47c2 |
| SHA512 | 04b9a3489acc25a8e4fc8058a0ba765a7125052bbd3f4f907210e18acda06ca20c5995572fc19ffd42e542591ff45c3291d2fbe9ac40aec40455da51fd9098e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 513248e5bcf55b3412a1d6174fa1ae8d |
| SHA1 | 4cf869375d31deecdc5dba2e07915eb983670dd5 |
| SHA256 | 03f6b165090a709c6ac12f45711280e2e30d45b68af0b088db6f5ddc8ac68cac |
| SHA512 | 2bdafeafd449ef624836209dc6eed09ae57c1dec26e9c234043d9cb33d6881ad6bdfbb6d8b153f21f94311e95969b39678d0b15d415a82e8f008bf7dcba1a087 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 15b963566f4e2d373c27ae5956e58f65 |
| SHA1 | aab063ed7a2084e71a4043b019acba3563c50b99 |
| SHA256 | 0876e97f8f50c89630698ab66014ce58524566b93467eac7a4f71f0215a64093 |
| SHA512 | 065a282a4944cf2fb7607857b5033a65a5b09482071629de67eef899daf14f50065da0d81b893cf6b4f3214446c1029fca22ac74aa6013c02e49ff7156da8084 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
361s
Max time network
1596s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Deletes shadow copies
Renames multiple (95) files with added filename extension
Disables Task Manager via registry modification
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops desktop.ini file(s)
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Temp\AESRT\AESRTback.png | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File opened for modification | C:\Program Files\Temp\AESRT\refresh.bat | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4904-0-0x00000000733AE000-0x00000000733AF000-memory.dmp
memory/4904-1-0x00000000002E0000-0x0000000000448000-memory.dmp
memory/4904-4-0x00000000052D0000-0x00000000057CE000-memory.dmp
memory/4904-5-0x0000000004E70000-0x0000000004F02000-memory.dmp
memory/4904-12-0x00000000733A0000-0x0000000073A8E000-memory.dmp
memory/4904-197-0x0000000005F90000-0x0000000005F9A000-memory.dmp
C:\Program Files\Temp\AESRT\refresh.bat
| MD5 | 0c7022bc17761ecace63d45343c9d2fd |
| SHA1 | 7fdf53bc92830e4e5935f61d745a055edd3fc9e3 |
| SHA256 | 98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a |
| SHA512 | ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a |
memory/4904-201-0x00000000733AE000-0x00000000733AF000-memory.dmp
memory/4904-202-0x00000000733A0000-0x0000000073A8E000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1580s
Command Line
Signatures
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (444) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\sticker.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Particles.jpg | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\SilverBadgeEarned.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Lift.Transcoding.winmd | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELM.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\FullScreen\FullScreen-press.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\Generic_placeholder.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VVIEWER.DLL.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\complete.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot_2x.png.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\card_shadow_big.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Calendar\ribbonicon.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif.id[EB0A2CB4-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_13c.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
C:\Program Files\7-Zip\7z.dll.id[EB0A2CB4-2378].[[email protected]].Barak
| MD5 | eb4a1b126155d50ebeeee0be6e892c25 |
| SHA1 | ecb8b088ed3b3a5019772ae862bec73240deb4f3 |
| SHA256 | 890159678eb49b1b5df3262cf03dcd6788f4d12bcd05559420d639a5a315cca7 |
| SHA512 | 64e14705eeefc4ab88a2de97bc5f43a6e6ad9a335956f33f25096c585f70892eae819a57012e24dcf28eab26a9e6aa2ff187132df0516e56428a3ab21dc0f48d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
| MD5 | 1681ffc6e046c7af98c9e6c232a3fe0a |
| SHA1 | d3399b7262fb56cb9ed053d68db9291c410839c4 |
| SHA256 | 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0 |
| SHA512 | 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5 |
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
| MD5 | ddc4cb14453391bcb5f4d645b2916a6c |
| SHA1 | c4738d174c90c285e17bf51a9218256f45f96ea7 |
| SHA256 | 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb |
| SHA512 | 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f |
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
| MD5 | d13b5ffdeb538f15ee1d30f2788601d5 |
| SHA1 | 8dc4da8e4efca07472b08b618bc059dcbfd03efa |
| SHA256 | f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876 |
| SHA512 | 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46 |
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | c5b7a97bda04c48435a145f2d1f9bb42 |
| SHA1 | bd94219a79987af3e4d4ce45b07edc2230aaf655 |
| SHA256 | 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0 |
| SHA512 | 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80 |
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
| MD5 | 809457c05fe696f5d34ac5ac8768cdd4 |
| SHA1 | a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9 |
| SHA256 | 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be |
| SHA512 | cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
| MD5 | 301657e2669b4c76979a15f801cc2adf |
| SHA1 | f7430efc590e79b847ab97b6e429cd07ef886726 |
| SHA256 | 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b |
| SHA512 | e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
| MD5 | b9205d5c0a413e022f6c36d4bdfa0750 |
| SHA1 | f16acd929b52b77b7dad02dbceff25992f4ba95e |
| SHA256 | 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a |
| SHA512 | 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544 |
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
| MD5 | 3be680b6a8edfdeed37bf5068a37dccd |
| SHA1 | 75bc261fc558634731e683e431e4a31c5b463107 |
| SHA256 | 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4 |
| SHA512 | a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
| MD5 | eedd2d13e3671d589714446755b78b38 |
| SHA1 | 2fdd23507187a259f5a7edb01611a37b6b09f4da |
| SHA256 | 467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d |
| SHA512 | ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg
| MD5 | b651e9101be833e87337050028831efd |
| SHA1 | ee594ba38a6324369ffc7b4dc89407d3436e34d9 |
| SHA256 | 4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619 |
| SHA512 | 3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
| MD5 | 1bf37c0336c12ccaa1c62386acacc858 |
| SHA1 | f1e187c79588e4e9fce931997443d7e5cafd1db6 |
| SHA256 | a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673 |
| SHA512 | f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg
| MD5 | 55215e8f92d35f26cca06fa9d5d221e9 |
| SHA1 | 994838c8df5921e3828749a7703ebfa8383e43b6 |
| SHA256 | e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae |
| SHA512 | 7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg
| MD5 | 81cfb9735fea15ca8791a3c34a78d992 |
| SHA1 | 9b4962166a47f5edc62e5fe3c4f8772446db9296 |
| SHA256 | 3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8 |
| SHA512 | f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg
| MD5 | 2807924fc18c958c38a7004a5dbd4091 |
| SHA1 | 85534040543c3306284e6a475999c46249a35e4b |
| SHA256 | 0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500 |
| SHA512 | 264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg
| MD5 | 3f16cc51cf788a50e6cc1ae60897bbf7 |
| SHA1 | e5a8c8f5227ca6da79589192892e81b6a3f43686 |
| SHA256 | 30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d |
| SHA512 | 17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg
| MD5 | cd5d2472a2bf9ac7eb4e15146b30bd2f |
| SHA1 | bca600423f99b87df44fde9d96ff874017037afe |
| SHA256 | 038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c |
| SHA512 | dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg
| MD5 | 30c9bd1aee3794fd46bc99fc2a359212 |
| SHA1 | 9817640da0b98babc461d277a39b323dc9a76cd3 |
| SHA256 | 4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d |
| SHA512 | bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg
| MD5 | 0498cfb8aae1383c049e8ccdd85f3abf |
| SHA1 | c5fbfcc70b441e91a5ecd23295c745aaf076aa4d |
| SHA256 | ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c |
| SHA512 | 113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
| MD5 | e3c4dd21a9171fd39d208efa09bf7883 |
| SHA1 | 9438e360f578e12c0e0e8ed28e2c125c1cefee16 |
| SHA256 | d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb |
| SHA512 | 2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js
| MD5 | 0d3a12fd3f68decc694da04b57e61d8c |
| SHA1 | f73d4d591f6ef0b2b04fc90d2e840329f7590743 |
| SHA256 | ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76 |
| SHA512 | 2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js
| MD5 | 68b6f0644d50595a97c9fd60b8d8e697 |
| SHA1 | a4d0edf9264ce1922dc419c7f3b3cedb2814bea7 |
| SHA256 | bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f |
| SHA512 | d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png
| MD5 | 65c9f3fb24b80d8c470d518f901b9c60 |
| SHA1 | b9521c39944357d4b55b91f9f3739575d1f3bef1 |
| SHA256 | 8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6 |
| SHA512 | 6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js
| MD5 | a778c47dd8521d6a12093b3e97ed8474 |
| SHA1 | 2099d940cc672373884e1c622bbb606e9e9438b9 |
| SHA256 | d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6 |
| SHA512 | 7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js
| MD5 | dd24e91615f1963a5c64bc9878a0a8d5 |
| SHA1 | 407ece3322d57d16a448b5522d4f29229f80b8b1 |
| SHA256 | 4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33 |
| SHA512 | a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
| MD5 | 3f7323acc829bc8b3799148d439b3d47 |
| SHA1 | 3d3c540c4080462a8013d6db9383ad69606779e8 |
| SHA256 | d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0 |
| SHA512 | 09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js
| MD5 | fb4aa89fb89bf94d0590a3174d1193ff |
| SHA1 | c3812f2105099071c24141a994a9d5087199dbf7 |
| SHA256 | 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273 |
| SHA512 | a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png
| MD5 | 7ab2ac51d33778dac850c5dd8b4ba45d |
| SHA1 | b3f47f20c438aa488fe835e0145c014853ee48aa |
| SHA256 | ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc |
| SHA512 | c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js
| MD5 | 07bcf4e882ae521ec6ddfd0bb2a608db |
| SHA1 | 88e2ab25dec6ba9fedced9bbd21da03639da9409 |
| SHA256 | bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6 |
| SHA512 | ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js
| MD5 | 0ec670fd70f5e89c3d2727df9f2a5398 |
| SHA1 | d19c88c8e11361d4f29719518b8543e0ecf5ff09 |
| SHA256 | 8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3 |
| SHA512 | a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
| MD5 | 2a78f84427d1d591409740722e60d793 |
| SHA1 | 304f17d9c56e79b95f6c337dab88709d4f9b61f0 |
| SHA256 | 4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6 |
| SHA512 | d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
| MD5 | c7fc95def1d53bd3e747248ecbd3cd5e |
| SHA1 | 1b251f02465f9c7dce91aac5aa0679a3c34318e8 |
| SHA256 | 4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5 |
| SHA512 | f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js
| MD5 | 1ea3b76135bb4a589027d6243075a936 |
| SHA1 | 2951fdafcb862ef53fcf213572368bd5e08094ad |
| SHA256 | c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b |
| SHA512 | 3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]
| MD5 | 6cbbe3240a203b0ff387d9bbdadd49ef |
| SHA1 | 2c65f6ea9acd8d164ece87edf2f142942d8cdb42 |
| SHA256 | 7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1 |
| SHA512 | cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png
| MD5 | b513ae819f7d8d10fa4f6cbfdf055b22 |
| SHA1 | b4228971cceadd4a698f3c206d8f4bc24a37f991 |
| SHA256 | 25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7 |
| SHA512 | c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js
| MD5 | b17a6a8826832fc2e1098d0286242861 |
| SHA1 | 8ce2bb5944d61be2b628fc80ebabc769768e0b48 |
| SHA256 | 82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f |
| SHA512 | 688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css
| MD5 | 651bcf535ed50ffa7724c8751bec1a66 |
| SHA1 | 5758c4862740517ba28026c298d1b3a61f43716d |
| SHA256 | 359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e |
| SHA512 | 492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
| MD5 | bec4473fc43b77e28e60f89da4e29c00 |
| SHA1 | d5dbc7c6642a8a23da14f952a0f64fe874e8191b |
| SHA256 | 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96 |
| SHA512 | ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js
| MD5 | d3e4c2fefeea6e6c467df305f7a8f3af |
| SHA1 | a4468bf4d5abcb4d720b0fefb396dce5864e4717 |
| SHA256 | e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22 |
| SHA512 | b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js
| MD5 | a3f07671642038caece41ff2a52d8673 |
| SHA1 | 53442624b01b79a3729a23d4f12efc8dae4b1002 |
| SHA256 | 088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89 |
| SHA512 | 5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js
| MD5 | 74ca2c01b07af0dda4bb39ac330fc49c |
| SHA1 | 7cc7781cca7798ce0940fe9be999e85f8b5064e1 |
| SHA256 | ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c |
| SHA512 | cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js
| MD5 | df3b4d35decc08d05ef8ee0644ab7274 |
| SHA1 | 6b0381b9ee40dc8470a63218e5cc5feb579f7334 |
| SHA256 | e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164 |
| SHA512 | 257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
| MD5 | 39e7048d412b94bb2dad145a2daa5875 |
| SHA1 | 08778bbd84d9411f2e531867dffe45fee5d60d24 |
| SHA256 | 4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7 |
| SHA512 | 65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js
| MD5 | 92f1f77de0ce17e9486d53787f69618e |
| SHA1 | 41198fdd6a18321c15c3d4647962e687fc036af6 |
| SHA256 | 4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6 |
| SHA512 | b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js
| MD5 | 72542b122d453927f3d6c59552165606 |
| SHA1 | 6e2b7f049b60f10edcdec06f357114448c0896f8 |
| SHA256 | 3b17f8b83bec3e72acd0d014f58e7de206106a7644bf3293f93c7456ced47419 |
| SHA512 | 25eade5c88cc35325978ba2e103050608fed4330a1677280eb2e0445946a3367d26796ca1233aa6d7ec4c87f04faf7706d82c72b3f3485d80c18e088813f7a1f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
| MD5 | 421cd12b43e660f10da31bee36e85f4b |
| SHA1 | b568bb931d5bf4b5805d20fc339b06f9b3763c9d |
| SHA256 | ce7c16adff608d624a412164fdc692305fb461f4b14f9167e6efa78dbbad12ba |
| SHA512 | f56bf5a7a713cbf018203c24a7f9dd426a2cf018cb3ddf9e27f3a7765be3571339421fa5a2cc68f677eb4929a2a2835238a723db4de07bb0634e3f151878ac86 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js
| MD5 | 7d8302df4582de342a31d0335e979ae7 |
| SHA1 | 7a3e918e23dc8002dfbe1695f8e8fd52db995d1f |
| SHA256 | 899ad5e0b3501d7e00d2f3bd3c7729b4223839e8629c61328db0f818ba0870c9 |
| SHA512 | cbc23b3285f6d8d72221d0fc05ff59336402005e7d3f50d66249ef6076648ec2e22d33ed64f5436767c123f59d37dae45270a259153ed98b885f9c43ec9bc2aa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js
| MD5 | 0900039f6502c5c4418f5b712f0dc94e |
| SHA1 | cb39e28be0988298003a966ac208c54f83a6ae27 |
| SHA256 | 7037318dbcb8809fd3d03ab0293d58666df18363f0144ef65b738ca3fbe028f0 |
| SHA512 | be9fc36c81963737569c65e4f295f347585bcec88b4fa6ef9da1478f4e0f947b64b8ccaaffb816a74216f713060ae0a56f58c3bea1d12b16bb8488a7663db391 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js
| MD5 | 35d5c7b80ed270a94872c0e56a6c59c6 |
| SHA1 | bbc4ed04ea6c922213d7cc19c62c3c4cd23b7113 |
| SHA256 | 5c03e31975b96b3d151d9e034b884cab9c6fb29576d2b5653c375fc5661b6dd1 |
| SHA512 | 57ec341f6ff49f24516e117d5c0b119ba4c62dc0537cfcaa15bbba248729c06d29ca224462bb331c44ff1b3abd724df86d0b2ec473ae9f5d54e31ae2002e8bdd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js
| MD5 | 29dbb24810bdd7f802c1165f8bc3a714 |
| SHA1 | 9ed5ed2ea58cb6d9196e8d88fccdd8f0d522ea47 |
| SHA256 | c9fdf06266cf9e6d61f7989471abe569239a93cc2c0f65a7c596a81af8d6a67f |
| SHA512 | 3802320bcf7b20a6656460456d5b03ac4f85e4572d7530518dcf99f28162964adc211c5adcfb7ace603b6734271581cea26c9e85821b88b1915e13780a19ec24 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js
| MD5 | b54b9c5d611b062aea9d8ec0d192335d |
| SHA1 | a6a96602b80181ef494a0da49dacae1c44f7c739 |
| SHA256 | d70a13e9b9e9f4026679200872160d667979bd0ae57e6527d44090e49bbc2c83 |
| SHA512 | e56e4a0dba26c3bd824bcd397d495249466a3732bbe1466f9ed1c23ec3a25d79e44e360fb5ee5a229fb24d6961ac32a2a57d0a29fe669e767bd33b956f57ebf5 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js
| MD5 | 7a232b079f30771ada44ab6a1843ec14 |
| SHA1 | 72349db2853443af021d538be9417fe32369d2ab |
| SHA256 | e33edcde1654c47b3f834797623932ff5dd99a4331b255b60452d69d61ccfb4c |
| SHA512 | 431073f497196ad03ba92a8087aa6c50717ae137b05aba341cd8f7ec1705b46f2878b30455c10d7339f89ef16022ca5d054b0f96e5956ef0590121ad8e1a6638 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js
| MD5 | 3b8883ab58438b245c89bc76ee848752 |
| SHA1 | 7b01b457344fcf92362d14247f2c389ed0c89b6c |
| SHA256 | b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697 |
| SHA512 | 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js
| MD5 | edbd91ead174c60fdacb765349ea4fcf |
| SHA1 | e55660206658be80e2033a93abd8854653246eea |
| SHA256 | dfd68e26d32c27e8c7d096cd558b12da3228019525baaa2d4b32030339fb0b6a |
| SHA512 | 9c664370c6c102a0e6992f2fe711e7fe7f6ac732a8562bcc1839a0d99d828e4ab0b3dc70f33f3cba444d04161d0df13b70e72b9079c5aabc7a85543168d58854 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js
| MD5 | ffaab524b0c94fd06a44c1b5b683e0dc |
| SHA1 | 17dcce5e4d3b9f718c902863652cb67e060e2f3e |
| SHA256 | d0a34414103960973357a239952bb0fab5f988ccda1b67ff8e6864afcd806272 |
| SHA512 | a7ecbd3e9656cb0fc1304b4b86980e97680c73b673c4284bbca08c4a3f3ade0699a7de61f0905aee9d521da4beaed61d3ec943090ecc44833118f1f5a29318ab |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js
| MD5 | 5af99e838bada8e34b660d7fcecae2bf |
| SHA1 | ead4e402f4696ede69adb3e4cd694e7d52925844 |
| SHA256 | e3f604ce27fb93d417b9e8a4a5f10f6fd17b59a76aad9754ea0cc5c56b31687a |
| SHA512 | e69f6f12a51382491b4bec6f19260df249dc6dd9a33fc590a90a055baa5f6dcc80894e2c65ecc7dd0d10040c90740dcfcd2f98dbd1f2fbd94c34941897f6ecd9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png
| MD5 | 3d55e1e012d3824e53e84d404a6e2f2e |
| SHA1 | 9983296698d4e2736faf1c529e8d27f8071d7939 |
| SHA256 | 6559f403524ea6ef9bf2e1d0bb66d1af8152920fb002ec2c4ced993083124a88 |
| SHA512 | ec75d4dea30bf7567b2f6e30ffed408815c57680a38659f6055d770c85393d8a5678d38a066ceb7fd0ff9c5ef49cf9fd73d7e8eae5a9a83360a41ca74343f576 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png
| MD5 | 45ad813c887294a1c5c88358f6e6fd12 |
| SHA1 | 45266d0bda31888b67b10c601d303caca8786d30 |
| SHA256 | 91ed5badd0d99f45c65c0ccdec04fc59fffb1f6d055a4d2722dccde82a6bb73b |
| SHA512 | b06ab5889fdf50735ff0c3cfcac3e526b9f32d694ac631e7c2a06eceff357f17e92540df5f84426f8e8f75726c1e7df3592f1620728b70a4b5290c9e49e377f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg
| MD5 | 9b4c8a5e36d3be7e2c4b1d75ded8c8a1 |
| SHA1 | 1f884298931bc1126e693e30955855f19447d508 |
| SHA256 | ad47fd9e87159d651a53b3dfba3ef200684a9ed88c2528b62e18f3881fe203b0 |
| SHA512 | e1acc0b10c92c2895fc916fc8feead869e04315e5e6e279f8e61b344545103b4c9ff808c9ca2121d1b013879071364f677da128caeba89bf918ec2791e5ed094 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png
| MD5 | 5c4cbc56377969e41dcf39d60690feeb |
| SHA1 | a20120d0d043af4d3b6a72db517ab8a623b3febc |
| SHA256 | c0601bc1bac97e69da3ef3e2898aafe64aec5ae4f3ccbdb7649471f76da4ca0e |
| SHA512 | 4accc91aeb47949f1137ac69a0740a25c957853f59ff8d18077e64b1a3262488b71fc4bd45714075a0652328e1a49a602c7950b86edabbbd7e5abbd9000b705f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
| MD5 | a7a19c86ac01e03111c30032ba417b55 |
| SHA1 | fd7f42ef37d82cf1704b65762a8bc6b4a868234d |
| SHA256 | 494032a3293df271c7cc5d26a5753acffc5f6df811d024e9b573f2fa380f3591 |
| SHA512 | 728d4755dd7d21c5ca285906d5f043728fd089de42d2fd04beb514563224104f7672e5f5144e4ed68770b933dd1069d76b26d140eb692d83d907176330f3f6dd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png
| MD5 | f2f1d5a683617b2bdb6cb0b1eae67135 |
| SHA1 | 3e0dda160b0f8b963dde8036b45aabab5d86504f |
| SHA256 | 96497e49c11ebeb0f73bc01b033b7f45cd9f8eee478176e11b1c7342efa63569 |
| SHA512 | cc9688ee19a6391296abbae9fb1422a6d72d87b7abe8552e860eeb092f8cf7e6864a7f06dae6a60784b77353c38103abd3632492f8b33b7b3d900531cdb673b2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png
| MD5 | 4eefd60f439096ed98b6d8a585da12ef |
| SHA1 | 75cb70498807b0c823cac760e00652842c1a63c3 |
| SHA256 | e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c |
| SHA512 | 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png
| MD5 | 5991993dd41d6d2b062d58bb70971e0c |
| SHA1 | 1a75ce12ef1c4cb6a85225d0bf4f68d4a3edfce5 |
| SHA256 | bd66e8f62d34f70917102405af895c0b07b79c13fd2d1ea65ebfba3bd4853aeb |
| SHA512 | 75511589b1937aca668348061728734718d02065ae76446b61e3292834709e3b66f2a453717fd593a8fa1db92ad7b97af03f7d2e7f5538716582ae7d8c11e09b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png
| MD5 | 6018a4862e3cc6b434d517a47858a2bf |
| SHA1 | 23769e9ae485bb2c35630db9a6ecc8a40c2207cf |
| SHA256 | fde09d85ac7ec84dc0b5f2bf1c1f935b80a3e45dd9257af499d412302602f310 |
| SHA512 | 4fae17ef027649315cbc73ea47a2fbdd8c8c05b9d818af5b41439e9e5fd81d62ce13f6ad125a2817d0bb4b24a831358803c53003628520cb9c2a8376ac8e1aa3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js
| MD5 | cf69901e6d4609009dff8be5b3045c96 |
| SHA1 | 712afbf4bdf24b6fa059f0fcd837449d75432800 |
| SHA256 | 16d0edc8b7ad7705b23a14058f366ff1c0dfa16a0ad14f741924c308754cf8d1 |
| SHA512 | 84b63e071f56e8e406fe361473dfd6eb17daec1809eed425b1b977f0135d6a78a3375c9bd1a65daf1ac7977f712b63ed735eac8ebc91e55c1a3f366e288a9ed6 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png
| MD5 | 5e0d423694dc87169e1124f26d755117 |
| SHA1 | 340b47ffc7ffe45c30ce927f1c839d01600f6161 |
| SHA256 | 68df674391ddb32170020e5b55b8df9ac1bb5274419dbf8748ce53efb18584cf |
| SHA512 | 17ace592b7b00dd530d923711160c39417b6c6412c3528cecb002fc065a16dc439555f61e4f6de7ac86291cd9cac5f5ea8411bec8ffe043faba887026fd2ec77 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg
| MD5 | 8c8fd1cfdc60f513bf20132a1d5aeea2 |
| SHA1 | 40167e542ddfd848fd138e2914dbb7f116a8f99f |
| SHA256 | f438a4e713df6a982afbe2eec993cd582edc37a876fee88e1ddabb478f2b5ee0 |
| SHA512 | e5a985404619bebfb615d4b5378942b56089b40170e4072c61eb9ddf722639941e820f039437b59cd3859944b3e06ed72ee49e879522e81fd9d49b56c8e40d35 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js
| MD5 | 8ab4b211dc3d2947d2466033f6d524f7 |
| SHA1 | 7c457aa6cb3b704da3c977bbcf3953c3c1a7a7bb |
| SHA256 | 5bc633d52bc4345c9cc4ea7cf49422a85a9fe401faf3239ef72b53aa0dd667ee |
| SHA512 | 0b7e9cda1a82a15fc9492a35808bd1ea43966cf5e55d84b9831f79d64f36a66583a14f0ba95eb12098bf9df6a95eef0bec6606aba1cf56bdee0e046aa60f8d5f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg
| MD5 | 2518c2304a390e60d20b53b101fc0056 |
| SHA1 | aae24d58011859ff6986508882dd7eecaaa7f604 |
| SHA256 | 03e98670a1d9049b8e1f02c4fdd449d098465f7578ee0eebfaf3f138a78301ae |
| SHA512 | b7457acf824d68e7728088668cd8d44e06566dc71d156db7e9480b957305f2268778907a8e93e4e2d1937b3c3cbfeeb327399cd7f33a60274d91efab2ec3f534 |
C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\0__Power_Policy.provxml
| MD5 | 798b4a7c5a9f20d24f36ba8daf7b8f70 |
| SHA1 | 0f007b82783ddea5da7374c96925b77a7fe9f57f |
| SHA256 | e5cbc8e3a6e843009fc9a9de7a83df9d05532e08d48da06c66f907f58d0c745e |
| SHA512 | e3faa4376d03dad6cd714dee6349733abe29d0c2118456f80bcc4c758015b12a06b4ec6532a6e98d512f5c6dec7a7ade5c1d2a418db0f739ed17f18c0cd6b54b |
C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\MasterDatastore.xml
| MD5 | f006e7d4dccfb3da2975fa59fc8f8079 |
| SHA1 | be32b0764c841c09e3d4931476dde18cf9776b52 |
| SHA256 | fb5a84b8d151d7705990e0b26b0a2f326c587126f56a9b33068a534836bdd682 |
| SHA512 | c38584c2ee3c0c7fbf1fa177e86751f8240f6295a7f211e890361991b2c485f293c3a736981effc824643bbca802ae1f0caf45adb3bb5a9b2321d433fb08bfd2 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\107__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
| MD5 | 90947e3479154523f3bdf3ea242538c8 |
| SHA1 | fadad623162f56983edef5df34c65a9a3aadca77 |
| SHA256 | 4b48f21a4b7a02bfbec19ef880a967a02334a3cdcef8ae83de2ef327ba8bc5dd |
| SHA512 | 1927cade54451d3de672ff66f3b86c11b13a05eca671e6fe2c4e0b6704b694c2f3b55e388df74c15fa627093bf5b180544de0c48d54917196931bc830b2f0132 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\140__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml
| MD5 | 310614b10980392ebdb5a5a8b90b527c |
| SHA1 | 8c8fb36e7c2a1574cde7fdea30e8e5f14fad7691 |
| SHA256 | 445c811c35e2fbd4aa59389ec805492c7b2db50d65f5d161417ce8302b103fbe |
| SHA512 | 416650adf9a61cbbb6eff7af635264e5bdde903477465cce05b63773927b8afb35e75fb68497882bce7778f524b9c7f3f2befcfe3840e99bff90ccd305bac66e |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\174__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml
| MD5 | b8218972668b9e8f06798be702f74d30 |
| SHA1 | 674221f64534b568a2c0970d540ca39957d7ad43 |
| SHA256 | 511321996af989947ee1a15ae57772ccf742c2619afa4819f3facab83cd08d70 |
| SHA512 | edcc89723146ba494e9d37c37cfa1d476dc1575361157aab23552bc59c7680182efe78c402576c236235f43a9c1c6ae5765b9150149002289328cf9e577da66f |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml
| MD5 | c4ce40b68fb3386aff7120cf8a34955c |
| SHA1 | 677fa777877265f8897ce029a59ab1040f7b25e0 |
| SHA256 | 5ff7c2a57c1de314cb27a2a9cc7db60591439e3a262f53b10e3056f3461b9b3b |
| SHA512 | c1cd06d42ed3f9a556bff6eba4b0e151dc050fd2315bde81c139a5c4510c332686ef520f64175d3989ec7e02e9174eacdc0e0ff081aeb932baad84aa2ec049c5 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\184__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml
| MD5 | a5b789490e210929d6f33c8547e6c457 |
| SHA1 | f5748b41493a17564bf3565dc712dcfef72739c1 |
| SHA256 | 4cebbf3fef3f240729fad5b11bb24397db5689875a81dfd3507a4238f79664ed |
| SHA512 | 3c15410a1fc8e49a61c547ab7f4e7553b9844e44dac8110ec07a1bf13afc2296ef70ff91994b9c0d3d62e4f3b3cb03910c3f6ad5a626a5c9bb1e6474dcb070e1 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\210__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
| MD5 | 9cb5fb90f42219febcadbc6eb57257f6 |
| SHA1 | c948b86625804155f9ac9478a07cae11d8021563 |
| SHA256 | 1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185 |
| SHA512 | 9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\212__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
| MD5 | b84ae69de4df8dcf4e21ed3dee2264d6 |
| SHA1 | f7c77b237b71adfb4e11fd36ab0c2c90c09f9045 |
| SHA256 | 7479649f4176c2a256e12d26259cba094d654d57dc58cf51fbe25c14e67c7fd9 |
| SHA512 | 776c798064b11985fa76b112f0899a22d32e9a33929f177523905c93454047f7763fa54cc7bec486095cacb65b85fc3d4bfa8b64e00f4d731934f9ba54d31f73 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml
| MD5 | 8a6c6015821a7b3e6cea958b2a6c18fb |
| SHA1 | 0b5c28d4c54d84b26e8c55d9d8d5597f75b04568 |
| SHA256 | ad9484f24235fdac13bba66e24d5ecc16b72c6de9bd27a3922f60833fe07679d |
| SHA512 | f776f99b5d0e1c89e3f21aadd4a95c1d1f69396aaea98439261c313cce1eed81205046e6b628910aeabc8964194e3b19767cb368692bae6579790ec91141c109 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\221__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml
| MD5 | b30256abadd6af8badbcc07d790003fe |
| SHA1 | 3648553e655f8c752b6ae8f287a8bc88f1dd85ea |
| SHA256 | 90965c341840ec297f47e6b77a04dec7b3aad5fe2ee05b5237bc8db14d1daa67 |
| SHA512 | 49eeb1587bd07267ce70398b0793a03906c8fe1270518f2643182b6aac05fb6246467a33c1acc35ee488e482a1dcf29525bcfbe221511abc483b9638535f6e61 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\239__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml
| MD5 | 790b47ce33356b9493e981bf105da7ce |
| SHA1 | f3e76e5e4ab005cec31b3667e08a9acc1e0292a0 |
| SHA256 | 0782dfda506cb45fd2541d473b203e3902e9affb4eae0c4dbf4e9b10b792e71f |
| SHA512 | cf2eab2e53d0b39527cf91942ceca7f6852f337b8b003410829b249b3da60350c6b397faec3ffa6e63cdfc36841beeddfe0d2f707303e47ed40d49127283c003 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\230__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml
| MD5 | df1692c9be09836b70cc7c40622d46db |
| SHA1 | a7240257e995f056ed1a821669d52eac171e5c03 |
| SHA256 | b85bcfe95d9f1cbf4bf252e8ba7bed1c74f181f0c41bfd9c3e625bf70027c0fa |
| SHA512 | 8d30f9e2178f6c00c49e6be933a7259c7c0902705cbd455b7c2f2d8f735fd77bbe2ac1d6cb1b7cd5db908f31f4fb22d727971e779ef2ff63540abd4c9de80061 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml
| MD5 | cc9fde7e84b9a905cacd8eadca610fd6 |
| SHA1 | dc05e28b682154c668ab89c38807a8ee395069d9 |
| SHA256 | a3653744379deeabe4198ccb180e4659a1990eb9f997ab7967d5ba5eb6552129 |
| SHA512 | 9563c271e51c6420080548ca2ca64a51a28c2bc2c6a37d06fa9539808e77e62d7a1848c918aea808c0ed20863e321147ecb41d310ca41c9ddc385aa99377ae06 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\242__Connections_Cellular_BitÄ— Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml
| MD5 | ec532088fb20a5ee48d6c8ad1186f05f |
| SHA1 | c6802a9edd6aead5b65e75619bf0f10bcb99aae1 |
| SHA256 | cfd53bdada0e2b0411845b9a96b1cd3840fc146e5dacd0dd63ee944ea0be80bb |
| SHA512 | a8a0004f9ff4d2ed8dfc0869877a3cadda1ce3a63f7311de00fc5301ff53ae50b7a7ddd271aef63f4a3f3a376e5149f78bcd1c8b536793ee433953dd79102432 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\247__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml
| MD5 | 23d7bbb69fe74c98ae030ff56c1a3b95 |
| SHA1 | a0c95fb1e65348938fb79407bd2e21cabf28739d |
| SHA256 | 9d07d0612ffec02a518f9613569f2b8756d54bfd1e576140d278df39eff347a9 |
| SHA512 | d8558b0ac430e12a47eae58290777e5358064d1ece51a8170b68274ecef9cc580acce9e39eea914ccd337e277f9e4a5c6bb592cd7d1163fcc614a3a84ada6b6a |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\258__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml
| MD5 | 05572f82de4f01b1e6f280b0b62a8334 |
| SHA1 | 6f2cdcbc259ce0b5eb381ebf7738f62281f81680 |
| SHA256 | 182a1c0c5b24b5c7864676c8b9776fad26041adf276fb3cda84b1770e6282a72 |
| SHA512 | 036d7fd403476dec5c0f6e866b6c8c224120d9d94e419b64791beabccf37b7b906232f53872d4fb5e6e6eecfa9a523decd8ab2cab67c2cc45f7e5147e7be7443 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\261__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml
| MD5 | 214a5891e06c2c9ebbb41fad5dc1d56a |
| SHA1 | a37c204143a8c9cc04a80e9691cc40ae168d277c |
| SHA256 | eaaf24595832984b62df6b0affecd5ae0330d83e1f030c0ab67a761800ee4ab6 |
| SHA512 | ac33690dfd319cb2e512b1b2403f4bd875edf1489c88f8fc5b311d6ed856125cc356c43c78b9b4cd847f3ac21162fd54683bccc902441902b770423b56633b40 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\264__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml
| MD5 | 5bccd8ff10735da26d5761d10b294a6a |
| SHA1 | adeeb1f862cc5e00a8c346f1d6a35faa492fc317 |
| SHA256 | 7ffb21772afdf16b75c7e774fcef924f07dc104279aa2cc4f3b55ffda3d3a7bb |
| SHA512 | d1a8b63ac73780383b31e084f7af82951319f06f399cc4e098629402186104e6347583286d62c8bd70d828d8d9a3dfe7dcaa9de32ef7437eaf705739e7574ee7 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml
| MD5 | 832d4a5215870ff40d202bf272fe8c8c |
| SHA1 | 03b70a912fbc6e0770723a34461f28cccb95ec66 |
| SHA256 | f4f3c00a8386c586b850de86d730be4a6dab72c78e163cfda9bc84d27dfddf0a |
| SHA512 | 44323e05803402aa0f7439d4c0d2ab8f2b04de29b84b0fd49d8477d9056a8705d57b2fabd9db9b15fb999220180646bf24cb62a3825a5c4b4d37f15e823a0f3d |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml
| MD5 | c9e547be3e3a1f035bf4b987dc1ea897 |
| SHA1 | df8805d4654b8c0aa4a709df70ee2b62a9fc1ae7 |
| SHA256 | fe2f74a1e0b16a66452888eb4d734bc455cf1304481bb495d59afa8cf9cae93b |
| SHA512 | 34de156f7c6bb36046218e7794c33ad77a6f648daca3d83bfbe46c3a180b12598042f5987c2a1be797c0c2bc6fcff893ab2016ddffdabcbf027a805d4ec6520e |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml
| MD5 | 9ce3b1ec053bb5a3b04ce82abafa835f |
| SHA1 | aa0d2dfaf3c48ba81d3a2d0e75bddf402b6e913c |
| SHA256 | a7f6f61d90c3b63300c11367d27c72e678f342dd15dff902198d13f105a3cd7c |
| SHA512 | fff0ff7c687e3d54168165c0cb301b420a2ac66115c5a5fd4521fd39107c48f8d9183d9006a65b39d048f9268413a5935325f03bd8903caafb06c72a01b6d8cb |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml
| MD5 | a7df3766ea38999716bcf1033b36fad3 |
| SHA1 | 0358f58e82e74f352a60b3bf3bbdc83709fbad03 |
| SHA256 | 4adbd25ead88997e2bc08be72437a9e22b1e5c9e11dd7c08a6840aa6e0024d30 |
| SHA512 | 69f0b79df39c2c371b86fe287fa4108beb9cec248b2ed91ec5d1a3a21529d3ade794be0b937a95a18a7f8e94b03156590983dfe2984b0b8a88e0933199fd9a60 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml
| MD5 | 68d60749de7d5fe71f2a479f8bcedb7e |
| SHA1 | f36b7163e5fb85a4475661504e1737adcc6d8556 |
| SHA256 | e83a13db39a0c9cf347fa3f6d4a204b7f1df841dd9711c51d7c475d0ab87d551 |
| SHA512 | 1baaa55dadf2ea6844a9f87601f34e3c5870df08062d17cc9e8945c26dd802e8dee409beb002205bfac3a20f6aa791c48b24bd9345ee7ec9ca97d3a2d5c3fcec |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml
| MD5 | 3d35b336ebb3fbfe61ea1e1041d510b7 |
| SHA1 | 89f48aa90a320eaa54a915e99c0ea62f18a00081 |
| SHA256 | eed8dd47d83f07f5f5c744159df723672a6d5413a474a48da390102132829527 |
| SHA512 | b5bb1a5b461002dcfdcf4349cc2578b433035002cfaf664f2948b838e9ce48151e2411f0edabe195350eb8f27441bacfe85a66b07294045b60f4238e210bb373 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml
| MD5 | d00e81a86830948bf7d7ed15874c46b5 |
| SHA1 | 3b7afc68523945247ebcda3f165934ab61208de0 |
| SHA256 | ff84331fe60b287e19364350a50608486b8232f7cf390c9410d0fd8d55a0a4fa |
| SHA512 | 315fee20dc56c15e06fb6747be5968e32992d4ff9843a44b59cf519409cdb4037c8e6389db7ae1a1559750e4e2b837fed8e8a4f0649458de3a33c782cd8b6b06 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml
| MD5 | 56f8973f2639280b45ca0ac1ffc486f7 |
| SHA1 | 68f40431fb546a6872c98f1ed0c724b8d431530c |
| SHA256 | 283de789c3f9ae6115e627ecb921b7b39bdaa1b82289eca5e60da0b76d07a502 |
| SHA512 | 00d31f362c60bf17f5fd29e4465e3de8dfa1e5759a52956504c486d509de2bd33a578f9959491be681c307f0d69b62dd1a006bfff25c04c6a5283265221f3a9e |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml
| MD5 | 1a6514b5e65eeab78790c78c5cdd5953 |
| SHA1 | b3b6c689f4c34ce080f11909a8dbaebe3bb50ee9 |
| SHA256 | 107de77231d7e9e73318f3a56e06dd4ab22cc84aebcf90c70a9e5bc1bee14278 |
| SHA512 | aadcf3e4743745734ac147a3be12e967a369d15020a0a27244a4f3558672ba682acd4a12d360335b0a01a7055866557ef2d8bf9662be51a0abf1b4495172e92f |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml
| MD5 | d379e9b8ffd9301de96c455029dd5c38 |
| SHA1 | 0c408bedfdc3efed7a29f1600f38e261175ef4e1 |
| SHA256 | 37e58b86de0358dccb1639f19b89157fbff05b9828a9ccd1c28c79db69b89772 |
| SHA512 | 4aa46a8f83cc782b17f189c729f1064f98e717f93789e46a6dc05db2b96e3beca81ba89132d52b53a72702b24a93861fcd2812e4498c8c7000707a19901643b8 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml
| MD5 | e998be3d3bb15661763e4ff1e1c9a3e7 |
| SHA1 | b60a2f72939336bfa0e69f47147135877d2e014f |
| SHA256 | ede1f5301a42845ebacee0eddf1719dce68bcfd93d9f21ebe901f9e1640553c8 |
| SHA512 | 6331ce75901719dabc736c7af884d7758989a4a782c1dfaf434c59c576ef5af214288949f1be033c667fba6f611e78c7dfbbb9ebbe7c97ad638ad49455c4665c |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml
| MD5 | e6036aeee060ee03a43c0703252cb36f |
| SHA1 | bb1459c01bb153e3a2960dc56759423ce01e256f |
| SHA256 | 8d61db14747e1bfe393ddf9f98e7120b001e2dbc28b5d25b7db6a0603d22f176 |
| SHA512 | 5e29486ff87ccbc0fe1fcea45d506c3771e6283876a1905071a83b5eabb349e54e363d91df8fed81da2e2581dc99e1c17bec7b2ec9d234b30fdc73cf3f47db8f |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\384__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml
| MD5 | f679f386067f41d85d54dd9d53f46e62 |
| SHA1 | da66b795db1fa70040ddadad5c56ba7dfdb49964 |
| SHA256 | fd4945aa4371c27363915abe442524bb9d0d6461880904d71c1bc05c9cda94f0 |
| SHA512 | c6e6f9c5d8a74657980d4ffaa0c0a106be4ef5616b2479548d2795b6a91fc1dbcc75be4f19f7ab08058ffb30ed2edc82662f98764d557a519bf21859fa2fe164 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\385__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml
| MD5 | ce5d3eab1fcbd68c99e6292cab237c86 |
| SHA1 | de1adbc7e465212f2830799c10810548987ee697 |
| SHA256 | 1a39d9b1f9c0d5c642e180ecc14bcb06bdfd4720edd747f5727f6f7b6d1b8509 |
| SHA512 | 80fb614cc71dc9f73286d5395d76ce980bc6e1ff15833afa741cf375910cc0775a6d51f4fa742907a6c629e354a12436a00c9e3c2de88646a07c69f61a83120e |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\389__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml
| MD5 | f44a1000506e2f6a96e3e803ead50529 |
| SHA1 | 657a1103795bbe63b3686ba44c99e25b4af65536 |
| SHA256 | c24a434f5121d69f6aae8aef0c0faa9161df78dbd3e8546f9b4fecc2d0cf0197 |
| SHA512 | 776c7887a88119e749c4c13477e3156c7615c141d99561ea69b7e1c1cc23b1eed8491f7adff74a7092dce1902f493583a61fdfd0851cf1c42a40cc47b3eeb7c8 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\399__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml
| MD5 | 17536ccbe836e9925123bcb6f1dae7a0 |
| SHA1 | c1fcec3ac6fa95f89287c19d4594dd10f31225c5 |
| SHA256 | 62bc267fb2e522d79590ec334d73d406b0e2df5ea32aea381c36bfa759ae713c |
| SHA512 | 061aef77080e0d72165c2f83c65f672f973ca0ffa31a0f2ddd20cb440c6d24c03335162cdbf614a33456a3db9089fd414ef7b49e5d4788fc3c68523c5e41ed28 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\414__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml
| MD5 | ea7d7bd6eece99eb35daa1e5f1decd60 |
| SHA1 | 1f6763983967679efdaba16cea3ea3ee97cd68bf |
| SHA256 | 9e132485d5107211de325a45e7917cbe3e4b5b9cde3e4ee91d7d2102317759ee |
| SHA512 | aa79444dee5810832cae9935b883c71557be3d3b048ae1005c5104a43559345bbea963771375065c88210ab12e14b25b83930d9f75f9666028aa1fd0df7c2225 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\418__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml
| MD5 | 18b77975210f1e67cdeedc23056261f5 |
| SHA1 | 52beb536ccf0829980d237e30b8cf6e66f4bd5fe |
| SHA256 | ff9d6abccf001aaf2429cad1844edd853e3ff0c576638a3081b52767e199a645 |
| SHA512 | a463e7a24c5447f942837a91c81407e2b5a654ec19b030f03d6269835906fdef8f81dbdb1bd81f28af76c1b0e90cddf8b565c0e1368ffe21922a808298cef866 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\426__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml
| MD5 | 97d6d52a254a9cbd2bad939ce1926af8 |
| SHA1 | 15a64b0f07658da802cb0bdd43c9c6f2df2f0af9 |
| SHA256 | bbfa41253ad301a1cd9c7f6321bff365068178f26cd84e8afb127fb4001bc4be |
| SHA512 | 98e76665962acd459228cb9635d95bb37c6e538eca7ae50107c665c93be334b907178f87749b3a4f33db34152b9d9035163fe2429306eb3ac45ee539e242c3da |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\455__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml
| MD5 | c4f30de85d94d65331ebdaa066be7be4 |
| SHA1 | 64a73d1035438c0407d9bda1a9f10a1eccfb5d65 |
| SHA256 | 463c406427b6fc98c2bb71993fcbe47f9965389ad8b6e8a7eda224695e8e2be0 |
| SHA512 | fe15f8868d16b03bfeab1ab5a7b347823907121254f3c89744ea9ba1eb0e504cbe7614129127381ea78b4aaa3f007142f535045eca0767fd1446b18a6e37ca57 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\477__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml
| MD5 | 1db1bd9f0f3d2c261347ca9b278351e8 |
| SHA1 | 6ef97ca278e1efcbfac97ad58bf8d41cd1ee93a4 |
| SHA256 | c38ddce4c7d430b93408979c091f901ac3e5cbb112fdef114e87b683b09ef8ff |
| SHA512 | 09584069cf9a1133201f5c681360b76791778523223e3fd957fdc832b9f4dbed499984094ee64808977d5b3846f7180f41059db7865adb8187a8d16140c85e18 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\48__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
| MD5 | 8c10cf7fb63a271a356a191b948f5ec2 |
| SHA1 | 00eeb01656a2d7c6ef07265a54df940c610918e3 |
| SHA256 | 22fec3bc784546d70e79696b405d950aff355b6f429f266ceacffe0cc2e5ba02 |
| SHA512 | 8105bb959ba3b50898dcdbe38eab38f2d8e80856df163cc0e2053ead82276e7d58794febdd43863e78c200091e0c6e4b85a41c56925b0cfa4827667d56ac8ce5 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\500__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml
| MD5 | 618d5a49e6251bee9bfbe75c474c1da4 |
| SHA1 | 1b59508611eb56f8116308d9eac0f4b075c551ab |
| SHA256 | 704b9d42580fd1b95c6f1a35a50e1990afb453f784b054fee8db288d7d56e24c |
| SHA512 | ea0b70a8ac5b54bced1b89c7d1643988a46d8fa53e3dd0f1fcd5434ae8e7ac8ad5ab48123e6147ebcb823e7d681b37c34c0349f6fbdf1da1bd4935d57fb216e2 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\502__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml
| MD5 | 281814d2404251097e8f324145559472 |
| SHA1 | 00ac40f798400a5fe20b1b0a7107ff673a615b5c |
| SHA256 | 37e6a9763e777697fcfe41bc5d1236fc197d6c7d8a1ab64d711a9847233397cc |
| SHA512 | a97ca2096324360c054a34f0430fa8015ecca96b6365d2eda73e7ba5faa100616dcbe61f29d88e2d4ed97457d88172f7dcfa26dce7adde74fb4e5b3029c96a7c |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\497__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml
| MD5 | 295952536db5fbb6a2a731247021f555 |
| SHA1 | b2d6d01db3d0bcdeb5e0298791a4e7207686f014 |
| SHA256 | e6ff459ebc86a128b3e37b46d41efd52eedbe5c955acf3d20dfbf99a33fb2557 |
| SHA512 | b3a2d70506a524fd8bf1f40a5394b6818282c848dfa8d768de648db931388a347021cf9a917f1156cf98bf071fbea35669a11ca3980ee0365ebe0cc42c43cf41 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\490__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml
| MD5 | f0aac468ca67aacc4af622247350e466 |
| SHA1 | e59788395d918654bf8359fa992e9f0b23b25933 |
| SHA256 | 213e3a2ae54f25b06fa2c6712c23310e8cea297ecc0d77c984cf1372e8c115f3 |
| SHA512 | aac26ac350e25eb754a8f96247201b827785f20f4f88b99dfcbd487e90f7e98fece696a996b7fdd73e5427c9e9408dc6184d7cf0d2ccc117c13c57b6d3ac7ae5 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\506__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml
| MD5 | f4f65e7495517a39bd68b3937ae5fcf3 |
| SHA1 | 45bf79ebb236a29f78d4ada66777982055764877 |
| SHA256 | 53c26240f787fbc905d0ada0d2876b0fc0f95a4767f641a61abab4f6dfad182b |
| SHA512 | b9bba81c5a03fe4f5b9f9a481291bd7f80127b6673d63b088425dd9fb16c5cf16b3e40bab385af97e5e62e7b731b6e65e39f601863e1b2c78f416a3bb64e7482 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\512__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml
| MD5 | c339b3f518bfc65c3a4568de89fbcdb6 |
| SHA1 | 7d030fb45cce7fd8a24ce3b2f45d97183d5e4434 |
| SHA256 | b03298ef97737bbe9b33b942cb52fc5826565adc4498f1a197830a77c58e829d |
| SHA512 | d431ed495d6cc95189e08a905f8bc64a0957e14e192cf13424ceafcd1358cf64079eddb52c257617278737feb96951c4d9090be95cb43ede3733153809512c08 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\513__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml
| MD5 | 74c5747a96ed8e17f4835ec431fc391e |
| SHA1 | baa70378f8c072730b9d16869f32a65b7e5d8237 |
| SHA256 | fbd9604ea3ee112728696a6a8372e2f032786852b511029d77fb73e06614294b |
| SHA512 | d561bf9775e174a9c5c212dcdb7fa31fcd10f31cb956c4a3641c9c90bf2d16ab625d575a21bbe5faf262c81bbf8754799073d3f6ffb900c5cba6d7f63f4261fa |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\523__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml
| MD5 | d37af2d76d58a29f7cadadabd2ad6f3c |
| SHA1 | f683f06b963401ae19bc5284022ec6449d2f3f5e |
| SHA256 | 381f9f243e527541bf377599b978020b325370543c0dc89fdbf23ee764680773 |
| SHA512 | ff55684f713e7f642b8a0f49be4b91f00ba40216017535268c8284dce8899f34fae102366d8855ae33540fad3ce78e0705662766bf897a0b9e9a7b5712577801 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\541__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml
| MD5 | ccd9d8aa4c9fbad1069e4dd2c4982652 |
| SHA1 | 58cc653eba0694d39e7615ee7e049c8441fe6600 |
| SHA256 | 35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae |
| SHA512 | 7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\54__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml
| MD5 | 18ed71dfb57d0b80d5bf2d298ecb554e |
| SHA1 | 466b0161a9ce5bd54585e660fa06f14b3bdbd1f4 |
| SHA256 | 2dd23156fbb26642d6f2194611e536f77213eb212f6a23654f9d5319a82ac556 |
| SHA512 | 492e0f2a864d531fc507f9a32a1908a47e911236fba48458e80807f06db07db1a759faebf44f60913c972134bd3ad91cf0acb47dd680e3aa52461399ee2e5cfd |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml
| MD5 | b07d3123f68a0e9f972ab60b77563b33 |
| SHA1 | ffae7a0ee7688c0de6ce5b3511e919a306ca4c60 |
| SHA256 | db4bffd310f1893d5b97008313dfa47dce4929bcbc9eb13d2e13053f485010c2 |
| SHA512 | 46e484c49ac6d72bb32d445250f0a1afd6fda9feab8e20de4b8adfffebd3a1ca11031f51d456485492191bc29b74b61006a0a74ce5ddf5a818bdf2479f1e6f44 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\615__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
| MD5 | 27f4380737c6edbfc219e4bc35bc95a9 |
| SHA1 | 6771b41afd3dee2135392400536094efff75eb43 |
| SHA256 | e0ee29ce7978a33861e6e63545deda9e734ea784ee8e4ba6fd6aa56b775f6ca9 |
| SHA512 | 6ad6ab1d47859076a78955dbfcf50124eecb9bebbea1fce25017aefb92f1114770588c28a514d5cbe89ccbc059e8ed866752741af4a5f3cff23acc44521747df |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\620__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml
| MD5 | f159f67739ff0623442a955c060d49bc |
| SHA1 | 51f941230a2018a45c57cbeee04828c48ad84b01 |
| SHA256 | bdaa16d795466beaf62c4042146d0dae4fe70cb71a82520a774a14d50eb4faa4 |
| SHA512 | e93f5a777918be1c9bcbc1909cddf5e62d51464e2bcf2fe7c347393b0faabaf4fb730cf574d1fe7fb4ed924f316d56587f99adf1bd43db2b9d2c9e3c01c81276 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\63__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml
| MD5 | d17390d8f3b9d439d6d64d8281a48d03 |
| SHA1 | 2e9ab664cccc6f5fdd5507df19c4f6b72286b787 |
| SHA256 | eb548e0f3a79fbeb4cf9497863f31bb11a22d29dd17960c013df59fc01bbbd9c |
| SHA512 | eb334013e533f5c837611751da6374d2466515c3120dfc755fffc209be2733387c4725e26264150b3d6e8f7d2eadba3c6a2dbf93cd953dfa6d520cd9c6cebfc6 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\651__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml
| MD5 | 537fd216abb1e2cad053594cc91eb955 |
| SHA1 | d0bdd5324c0b31fb4a3cb48c0d8171e68d9c3cec |
| SHA256 | 70c2a2bfadbeb56185d1aceb04db11541388c25cb71b104b6fb3b6e1f89ef1ec |
| SHA512 | c95eeed9aaadd6e964117881523f69528d67d4c5951a803d516debcf3366c9e2feb28765768e9ce12dec9aeffb3d577d5f8659f71124df83c196df354eb126d9 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml
| MD5 | e5b0327c41376ef19fc5edc9152529d0 |
| SHA1 | 57b27826d6538bfe6baf9161eae727e6e614ee79 |
| SHA256 | 26df0a7f3645a1ea2058196ac97b67e582bbd5229da670d1e4817398fc3bb6ff |
| SHA512 | 91aec142ff58700f7906796afdf1a10984b5b3414f8dd415611614cfa96b0f63edea5959a84710f270a3910019647060d9e629f1b444466d7a934a850389806f |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\676__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml
| MD5 | 792a64401688470b9b5ec4a1123eb802 |
| SHA1 | 49eeabdff56444dc52bb1296caf0e4edffb32fac |
| SHA256 | e9a88cd3868deeb7370e877a7abd90c5f0d69c7a2bd65c6bbae30e74133b70d1 |
| SHA512 | a1bf2ddb2133149429b59f9691edee82ff30217912d66b5e206078a22ef1a1de6d0cc35e23097af4c43346660d2dd06c7b7066bfc7e429372fc89a37ea27a1cb |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\698__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
| MD5 | ba6b70827fa83c75783b6103bf2ca12d |
| SHA1 | 84c5365d68700cd9ecfa69e8391b10cfaf37262e |
| SHA256 | 31887f638809478672800789d032efb4d421c276e1d632d7488283cc039395e5 |
| SHA512 | 6bc32ab88ea07333257cb0859e0adea54e450c39d0a3a98153bdd5f90e5fa5cdd232f7c8311d5fe0c9665acea8409ac37eea5ea975fd393a3079a0e1f6519121 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\720__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
| MD5 | cafc2a2dde2f05e2a60677690d2ca245 |
| SHA1 | 8bd9c447b79435b8497212ef76f5b43dffb030a8 |
| SHA256 | db91bef58cfa8c3ad4587f4d737202a2ea4374deb35305e8e56a4e0b57232a7e |
| SHA512 | 7f293929a1147163d71c612084c7fb99740a1fdae3a3f9d7782f795c10c1b7b2e49617e9d6746938167a2dd49bc5c53788bd8751c61ad145d2d42700ae1f1575 |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\721__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml
| MD5 | b4d351a08ff1ef954b7d7b4357e76cf2 |
| SHA1 | 0060841fe855408ee1b75aca5d440261e975d7d7 |
| SHA256 | b960fb5cb94682dfc4a873035d65f8befdcb9bed0e7db0feb905f0dcf437b38c |
| SHA512 | 999ecb9c36516b27739215c144d69df24136f6d8a3a2c9df228a879bf8b804c7f0c75be7ab2624eb48d7b4c58b1eaa1e134483939537acf618599b47cbaf9a5d |
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\74__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml
| MD5 | 3e0a582d1ad7720a269e3480f0740d40 |
| SHA1 | c8ee49aa68adbd2580762ae2256bf5a51da8da82 |
| SHA256 | f4e5da9aa987fbfc9485237a81368552e4578555f8afb1242a168b3ce3a50e54 |
| SHA512 | a2ea0612460efae7949fa698ab168dc106d0e357e8c8611ef987a684219042e3671b6ec501700b2e64a14cf03c2a91d6c0e4ebaf9d802ee859c591aa99ccdc02 |
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml
| MD5 | 234c58fcbf2775edbfda910d2e0cb945 |
| SHA1 | 16314a6f5604aab01e76d5e7f7794b40c23a4785 |
| SHA256 | 68193f3f98611b2aa42be4d2995b0b9a2465277c7520231324a08460639a41a5 |
| SHA512 | fddd87a902c108de1d986dc6e4fa7347e3908076d1ec3f64b19602d3a2318ad5ee0a1d46599ba860dec61843c2954d3cc9e91aac9718a82d1043e32b3dfb6bdd |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
| MD5 | 0403a22306e2dcc6da0acfbdc0762e55 |
| SHA1 | 03154c7e570c75df81ad8ddb6ea8a9defd38d27e |
| SHA256 | 033eeac8e125a5efb66f100fb9ae33c9fd1780f452b92f69a8d6b49ba5e1737d |
| SHA512 | 2f1497b4e07230afb315ad83fd6e7ee61ce3cbb6d046f6ad28fc5e5e718dbc597499be23abf0f390f5c36c532611388a8ad5ef0149084b5f41f4cda0c5bd072f |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
| MD5 | 8b550761ab80413c9c09f7fb472dbfaf |
| SHA1 | 67122822562203c17dd3f762194e470f90ddfa97 |
| SHA256 | f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b |
| SHA512 | 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe |
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\109005
| MD5 | 256abfbb6883823718eaf33f62510d6a |
| SHA1 | 9a8c7efca7e5aefbcbb86a9ad6cffa0df3704bfc |
| SHA256 | b707241545a346265aab1ffb32ff64b55bf8f8dc1b56a46ef33ce3d15db11d33 |
| SHA512 | 7542d09f09c7e9a69a60f95b05a464423b15f997dcbbe6efddd814424e40606b2c331d896d48670d32cdad5a6a9f62d8d0b265523b8eb4bdca6e2dc8ca698018 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm
| MD5 | 8776c367699ad807af292f1f5d085d4c |
| SHA1 | 9209e352bf9d3999f94881a75d6f7d39bc6d7f77 |
| SHA256 | 18b602cdbb7656129a359046fc68faf1b990da88c6c3b3e6b20c1df399cc0645 |
| SHA512 | 83a17d98d175a122fe98cf89c476826769d8fae0d74dc93c8fe48d12089e26bfd501a586db3783a03e1bfe07864ebec2a6b5a48415554c61cd565131ed40a9e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT
| MD5 | 4ae71336e44bf9bf79d2752e234818a5 |
| SHA1 | e129f27c5103bc5cc44bcdf0a15e160d445066ff |
| SHA256 | 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb |
| SHA512 | 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro\messages.json
| MD5 | 6ac0a150c33a548595395c755a7ebba4 |
| SHA1 | a4adaaf6cac597e56de957f3c1137a4f8a2bf225 |
| SHA256 | 79adab38bd93e2f14609db60ad34a2165e5ae868556f862c4569ae3d8a81a35e |
| SHA512 | cffc1d3114d35f387b47a2157b6f8a819ff65f75625afa782e3f41f6956a51f734d0ef7e94390c4f030f6d0f7d8c57a3e761f2e46bf37fde870f2b157c3a4ab6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | f5cfd73023c1eedb6b9569736073f1dd |
| SHA1 | 669b1c85ecbafe23c999100f55a23e06bf59ead7 |
| SHA256 | 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2 |
| SHA512 | 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
| MD5 | 2dcea950234175e3edf672936843ab5f |
| SHA1 | 4ca6dfb9ed642bbfc0002cd47abaa2dc895ce0d4 |
| SHA256 | 74ca16b1138459ef2afb19324097332626ee7c897687c5adc5488f93bf0c11ff |
| SHA512 | 483866f3ee1d730f1052b0ce34832e0e42145296df490a68901b95e616f2dfdc39fb13e2ed80bd259c43475830f6a74257a5fc8d163e7f1dd17d39556501dfa4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old
| MD5 | 9ee38aeba19f4d46fcd9eda4661325d2 |
| SHA1 | d458ade2d50d219b089b0985ef765a80843602ad |
| SHA256 | d99258f5d81067df4e95825381104fe6c90d04d01bdd2915954dd06f75d07c10 |
| SHA512 | f352805d5ebb6b3351dee65dd1f66ae5493ea36dc342c31d8e714fd11095739f755a50d865b9bcfc40c60616c9bcee4cbbcabb6c18566fdb73e778cd41112738 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
| MD5 | f536fbf78e26387affb82ee89943b870 |
| SHA1 | 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7 |
| SHA256 | 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15 |
| SHA512 | d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin
| MD5 | 1595ed4372d33dbecabbfd411c6c8f46 |
| SHA1 | 8b8ba962b765110f762f873edbc3193adef48b33 |
| SHA256 | 8f6abb9e202dd8027ac9abbd475a24e62659a0b2683613f219c21d1238816ed7 |
| SHA512 | e0017291c0d0685ede7a6492c2683a90b37482d21037840ab3e2cef4ed381bbffa8c31ef3c8d06db0a800eff69ba4505012886f88a911997657b3f26284142f1 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin
| MD5 | 83a9475b33cad765c41dd3deb5be2254 |
| SHA1 | 57000314d786c690b6affe01bfd4c3e50d124b62 |
| SHA256 | 2c7a2cc69b6956abafd94377e8df4393aeeecc57b5093af67ad0f65705124890 |
| SHA512 | 2b21d5e408af6772fb77a68d618887a50208539f376a4750c8a90ac42e8c334ab8c98ab1e30860ed475e83623f2f7a07929a038a9c0f31567d53d9c03d449fa9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
| MD5 | 897208d5df122e307ab837d982b2c085 |
| SHA1 | cf4ca14a7adcbc197cd84c1997efdd076911d608 |
| SHA256 | eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4 |
| SHA512 | b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk
| MD5 | 61d2c715839bcfa06ce4d23dd84e7457 |
| SHA1 | cdb61e6100ac4882ba4863875f63e38b8b804ddc |
| SHA256 | 1f9ec15f6ff239e14a3a243a98f19ae7db16d425a63b2da0908cc0ffcb1258e7 |
| SHA512 | cb6577068e0b746a0ff0148238fd5be9e02e4ff6218fc21d78194a06ebd3f54aa12a1a9b80a4cc9a9f66f72f49eb875eb367b344f674807af11373770f75d952 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\safebrowsing\content-email-track-digest256.sbstore
| MD5 | d7d2fed9b7c55fe72a6cda66725cb7e8 |
| SHA1 | 2cb154a1c4a0553658801a088edf87b5816cbbd2 |
| SHA256 | a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5 |
| SHA512 | 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\safebrowsing\content-track-digest256.sbstore
| MD5 | 32b5e7886d1928c44fadc040471cc550 |
| SHA1 | 8654b4c6c64309b1ef7d78ad939c0880bf4bc997 |
| SHA256 | fb020d1cd10cbd766a817dcd2f4429e1a39955bba6755d3594a9fd84a08a9f11 |
| SHA512 | 1a171d635be9eb9699acdb16485040b9f2e9086dde341428db245bb309494eda3a2cb173e6908a22847cd015ed179e3caff87e4b2927b3074ce5f4cf56e24e72 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | a50b718c3518b630251fb54b92bde360 |
| SHA1 | a9582222b6f4df2b4e3e4ee5fe91d25ff086b943 |
| SHA256 | 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015 |
| SHA512 | 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
| MD5 | 80be6efdf5a776659777bf07d4aff891 |
| SHA1 | 1f98e7ba8de8c6b39f4b202739ca71fa2629fd6d |
| SHA256 | 9ebc694d4895efc802ea27714a71986f293edf4b63e9918c27d65871b06f43a9 |
| SHA512 | 03a5434f25209a74a0abc6045c66a45e098d487227cab71004363c8c823840b49596857e8f757f42b8953f9bc2066209b1e8f52104d1837705828cb2676119cc |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | f7aa819535e83034f3bb522cc8c6da75 |
| SHA1 | ee55ab6faa73b61b68bc3d5628d95f0d3c528e2a |
| SHA256 | 90558d1e3a0ecb9febbb4d7abe8e9281bef8ad0e2a42fee83d3d837eb74b7f3a |
| SHA512 | 38f12c5292b494c9ee2f3436c1d939ab46bac1514b54f36b0bf27f2ca03affc1c62582daff38bea77fde5608c501c18f52ce116673b17394f022e0e92b23e4c8 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | 3dee8cafb2684396b42a08cc5dd2d132 |
| SHA1 | bb065abfada882e3d9b419b3c57e0eb740bdb6ab |
| SHA256 | 9552cf2fc804becaa59379ee29e4be6800d0aac515738799dbd442919841d23d |
| SHA512 | 5da7572aba77335fbb766b99be920d9c5e616c9cf724cd0248d0361b43bfe281bf74d08766fa9f47316e51ddf6abb29484b41f09752f326eaba64710760e1f26 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{53de8e38-9922-45b2-82e0-9d63e6a1fee9}\0.2.filtertrie.intermediate.txt
| MD5 | ca9c491ac66b2c62500882e93f3719a8 |
| SHA1 | a10909c2cdcaf5adb7e6b092a4faba558b62bd96 |
| SHA256 | 8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4 |
| SHA512 | 65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir3092_3014094\CRX_INSTALL\_locales\en_GB\messages.json
| MD5 | e66d4ab75e9862302da5825bbf066c5e |
| SHA1 | fd5c26be1c56ae0af5e626741ca5896858e43073 |
| SHA256 | 4925b9b6329f24346bce043f2cdabb940199fd87188f3ae77c9559bf7cfa9f43 |
| SHA512 | ed179e34d1d6f2ddc85fa6cd8b866f192c1c4ff2e2b715d9ddd95bff6e8f45318dad7d4da607960268e1cdfd78d48f04b4ea1a9b01ae70fc1c7da856a178d8c8 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir3092_3014094\CRX_INSTALL\_locales\pt_PT\messages.json
| MD5 | 2b0e63420f5cae3932461d8c74a9e788 |
| SHA1 | d19b5095d30f9f01f09864c26386dc5b911ecd55 |
| SHA256 | 42345ab2147d5dd09780b2e286347110011a769f122210e7b9e9c2249036f15f |
| SHA512 | 11a25eb4cba596d1b203bb88e2b69231c8f8ee59786ea335a66ca77dcfbc36ebb8a9b4e957b992c3ed38f58d1ef8c7c606d8a16dc84f8220cf517999b4f7577a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
| MD5 | 4f00b32a70c5d829f8199614fe56af64 |
| SHA1 | ff2afa238f88ce8cdb4430fe578c58823cd6d752 |
| SHA256 | e3833793f7412667cdbe15693f5dc4994934d1a6695392f8bebb74f985658256 |
| SHA512 | 6ca12db615454c1b842040e5047ab24906d372b15b547653553d39ebd18cf4f90a360c5032e415d00ba313cb27def27aa8eb7e94ae3d86fefcd856b693f0c6aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 29003687900cad69c06a7907f2738e79 |
| SHA1 | 1270acf3b52426101025ff311e6dd17c05a9db2c |
| SHA256 | cae9ef701fa7d83ab66e5c8d7d284d497bd13f76bef2b2594c5568c31fea7e8d |
| SHA512 | 34c9c04473bd8a4da755a88a04a9ccab0bae8fdc51332dcba4aad045ae8305491fbdfab41821f6b838729d1e09fcf99513db3817c84c5be96a41bb23c8d0b0da |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\.metadata-v2
| MD5 | c183857770364b05c2011bdebb914ed3 |
| SHA1 | 040e5ac904de86328cca053a15596e118fc5da24 |
| SHA256 | 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca |
| SHA512 | 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70 |
C:\Users\Admin\Videos\desktop.ini
| MD5 | 5d2a33958ebe530732fd9c258850c5aa |
| SHA1 | 8a1d854c73b0a9adb04dc4db317a0b9dd1708b76 |
| SHA256 | 696bda342649ec9268da57b6a279df6f24b0e857d5e6d0605fd25af95adc3cee |
| SHA512 | 561c0480b0cc5f75acd24f9ea36f4e6ddee35261a0fd75ec2c495e940b6e7d41fa024110b58aa9bc2f6c69736cceb6cfbbb6198d9c50ad8965d6d30067bb52eb |
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk
| MD5 | 7a4228aa2003a72a296e741bfa8246f7 |
| SHA1 | e94ca8cb43d671cdc3ed759980bfbaf73cf4c6f8 |
| SHA256 | 462fa5c6568794276673c9159500918afddf8f170e580fd1f3d483c48934b050 |
| SHA512 | ed66dc35762f661f760eaf0feb82e22c823f11e552c9f938748a8b158ecf0828f40d48afc4d5cc07122f41a13e7b322950b9f156808b125bc7a1ae19e066d304 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk
| MD5 | 35705a33e80294bdc078f5582784f4fa |
| SHA1 | 3b8d2bc3650098d604e3363fdc41e9bfc2f4609e |
| SHA256 | d0e438519a8e2075e13430b66debeb7204e5e8ab41fb24eaab20db0bdb66d835 |
| SHA512 | e560c350940f15a8d5c5187ed833190cdef9e4862e8f06dde9b0204ad1a0decb9adaadd27c4b7015ea5e7fabe7d7a63538ba72def9997e56300cc8ddc4249061 |
C:\Users\Public\Documents\desktop.ini
| MD5 | b252d37ad6eb57bc4c866bc135cce6d9 |
| SHA1 | 1083dd42d0613fdf3ec930899d9e7129d448f7b5 |
| SHA256 | 6c3aa53f65399f08045d870f42d5ca08276b6938eee0e6a8cd61a473f8b78178 |
| SHA512 | 32b803cffc5b844e20e57a2372e797ba913578f5f8104b9c4083245647e4f65009695d0ec2397973132c570600ec39ff6a2275c9952533bdaba183ee620c712d |
C:\info.hta
| MD5 | 985eb5c7903c52066f5aff31e85a82ee |
| SHA1 | 6b10c869dffdb5ea3f0bc594bf7a3f162bb7a105 |
| SHA256 | 578fc02bb575dd91622ab488f74efbad6ae277af424df5767dcc1c5d69c298b2 |
| SHA512 | 95e105e3c756b40b3488614c9a43f1fdf4a274ce041c810b34eaedd6c7fb2d82a9392c280219736a5a95924be6cdca173d585f6f9c5c3a019938793b0640aec5 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240508-en
Max time kernel
1559s
Max time network
1559s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10v2004-20240508-en
Max time kernel
1386s
Max time network
1172s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Deletes shadow copies
Renames multiple (99) files with added filename extension
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops desktop.ini file(s)
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Temp\AESRT\refresh.bat | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File opened for modification | C:\Program Files\Temp\AESRT\AESRTback.png | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/4856-0-0x000000007449E000-0x000000007449F000-memory.dmp
memory/4856-1-0x0000000000130000-0x0000000000298000-memory.dmp
memory/4856-4-0x00000000051A0000-0x0000000005744000-memory.dmp
memory/4856-5-0x0000000004C90000-0x0000000004D22000-memory.dmp
memory/4856-12-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/4856-205-0x0000000005E10000-0x0000000005E1A000-memory.dmp
memory/4856-206-0x0000000074490000-0x0000000074C40000-memory.dmp
C:\Program Files\Temp\AESRT\refresh.bat
| MD5 | 0c7022bc17761ecace63d45343c9d2fd |
| SHA1 | 7fdf53bc92830e4e5935f61d745a055edd3fc9e3 |
| SHA256 | 98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a |
| SHA512 | ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a |
memory/4856-210-0x000000007449E000-0x000000007449F000-memory.dmp
memory/4856-211-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/4856-212-0x0000000074490000-0x0000000074C40000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:18
Platform
win10-20240404-en
Max time kernel
614s
Max time network
1601s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
"C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240215-en
Max time kernel
1559s
Max time network
1560s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
"C:\Users\Admin\AppData\Local\Temp\1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240508-en
Max time kernel
1800s
Max time network
1561s
Command Line
Signatures
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (314) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2Y8NTX1F\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USLGY7LX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SKAMU6WE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1D5U9W0O\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9PLWLLW7\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X7K1QVVO\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00435_.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdrop.dll.mui | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\America\Santiago.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WatchRestore.mp3 | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\nb.txt.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00683_.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledb32r.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MOR6INT.DLL | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ms.dll.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\wsdetect.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287408.WMF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\EnterMount.vsdx.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239997.WMF.id[FB7A0894-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
Network
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[FB7A0894-2378].[[email protected]].Barak
| MD5 | a43bd6e71bfd1b33adc01c1fd10b084e |
| SHA1 | 04e5bb68e897d82fc57b4836f5ea18a99a6a75a3 |
| SHA256 | 6eade2e2c5466d702acb7afa9fcca04261d5dd3038499ac29a026c4a2c9cb714 |
| SHA512 | 9afc776d4fd7a30594dad50d07987decc88294ef1b4799fdc60ac56eebba7cb5df4ad7eb50e32b9ccda85083f40ebb520ece6dab3996bf9897ff4c73b0a069e4 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza
| MD5 | db10fd32bfe67918ed177579d4be9d76 |
| SHA1 | 44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738 |
| SHA256 | c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31 |
| SHA512 | bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao
| MD5 | 2b62a30906a2b8bf3b68abd2ef9d105b |
| SHA1 | 9898d25a214dba04ebd7e3030ac9e2e90ea7a369 |
| SHA256 | 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c |
| SHA512 | 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil
| MD5 | 1ef5e829303a139ce967440e0cdca10c |
| SHA1 | f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b |
| SHA256 | 98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7 |
| SHA512 | 19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana
| MD5 | 71c7e24524aea1022361143d0a876c84 |
| SHA1 | b141efff466f27664599dd2aa91f0b7c50736f1d |
| SHA256 | 07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3 |
| SHA512 | 4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi
| MD5 | d13b5ffdeb538f15ee1d30f2788601d5 |
| SHA1 | 8dc4da8e4efca07472b08b618bc059dcbfd03efa |
| SHA256 | f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876 |
| SHA512 | 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk
| MD5 | 985f599bb4b81c01d5b5d16ad241d5ed |
| SHA1 | a90b24a33383273378fc6429b95fdf62c4c2e5d5 |
| SHA256 | 36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4 |
| SHA512 | fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide
| MD5 | 0a876dfacfdabc170818581a2e6e6d54 |
| SHA1 | 376fd52e52867f959cb2076fbbc4d214778a7fc0 |
| SHA256 | e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839 |
| SHA512 | 766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11
| MD5 | 65435a5d117aa6b052a5f737d9946a7b |
| SHA1 | b8b17ad613463c3c9a1fe928819fb30cb853e6b1 |
| SHA256 | ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b |
| SHA512 | 4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville
| MD5 | eeb20c9bc165677800b6dc7621a50cc9 |
| SHA1 | def5026103297fa44a2185104f2ee400cb93329c |
| SHA256 | 6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2 |
| SHA512 | d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury
| MD5 | 335a7c8e767a2dd0ecf3460eaabb0bbd |
| SHA1 | 111ffd83edcb095d251067456a3a60b754b4c717 |
| SHA256 | a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609 |
| SHA512 | bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT
| MD5 | b8d5d64c3ef0b30644898a80682f5121 |
| SHA1 | bbc7b3902250307a2cdbb314abe98e34795032be |
| SHA256 | 2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759 |
| SHA512 | f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
| MD5 | ab9d8ef2ffa9145d6c325cefa41d5d4e |
| SHA1 | 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab |
| SHA256 | 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785 |
| SHA512 | 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF
| MD5 | b85026155b964b6f3a883c9a8b62dfe3 |
| SHA1 | 5c38290813cd155c68773c19b0dd5371b7b1c337 |
| SHA256 | 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f |
| SHA512 | c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
| MD5 | a2bb242dc046bacdc58e7fbbe03cce85 |
| SHA1 | 052ab788f1646b958e0ea2c0ef47d00141fc1004 |
| SHA256 | 486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22 |
| SHA512 | d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml
| MD5 | 118db038cff249fc1b96f7a8f2b27620 |
| SHA1 | 6f804438c7a4af3c57191138510a644d24bde92b |
| SHA256 | 8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989 |
| SHA512 | 4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml
| MD5 | ceb1e6764a28b208d51a7801052118d7 |
| SHA1 | 2719eea8bde44ff35dd7b274df167c103483b895 |
| SHA256 | 99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0 |
| SHA512 | f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml
| MD5 | 2c16868331f82ff43059dcb0ea178af3 |
| SHA1 | 983589535e05c495ffeae4b0b31ddcfafe92a763 |
| SHA256 | be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376 |
| SHA512 | 184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml
| MD5 | f7c78514872f9cb5585f8d69532cd2d0 |
| SHA1 | ff9dfbb62a3b48c85b6434ee831fb33a8dba9526 |
| SHA256 | 5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965 |
| SHA512 | 50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar
| MD5 | 8b550761ab80413c9c09f7fb472dbfaf |
| SHA1 | 67122822562203c17dd3f762194e470f90ddfa97 |
| SHA256 | f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b |
| SHA512 | 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml
| MD5 | a75d7d422fd00bf31208b013e74d8394 |
| SHA1 | 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561 |
| SHA256 | 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5 |
| SHA512 | af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
| MD5 | d7d2fed9b7c55fe72a6cda66725cb7e8 |
| SHA1 | 2cb154a1c4a0553658801a088edf87b5816cbbd2 |
| SHA256 | a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5 |
| SHA512 | 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml
| MD5 | 437687da72730cf42ce36bd093b78b3e |
| SHA1 | 693e31dc362426bc4d7a6b2954f7c80267476d66 |
| SHA256 | d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a |
| SHA512 | 7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
| MD5 | 48e296d8287ae11c252e4277ee885161 |
| SHA1 | 8a75b573549c2791d38acb3a4d215fa2153b37eb |
| SHA256 | c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b |
| SHA512 | b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml
| MD5 | e7b188938a141c90dda76cc258c01f8b |
| SHA1 | fdf0e86d2f90e51797779674e429b6f826107a5b |
| SHA256 | 77cf0aa8aa6d73f27ad7faa42f7c9a76a689a60d74483f96050dc1cc0adb88c0 |
| SHA512 | b106fa59882b0345ce6885d902317af39a3f538731d100e4a92920ee7895ceab8a62d563c4137f8e3e1c7bd61ad6c017ddb301adbc01c7463984b3b245b3da54 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml
| MD5 | bb95a9de280c528c32806d0d5231de6d |
| SHA1 | bbffb8596f1bc68df5603a10a3672a02ebd3ea8b |
| SHA256 | a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c |
| SHA512 | ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80 |
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml
| MD5 | c9580e2bd3527b65bf5b812b477ffe30 |
| SHA1 | 66e921f302739af54e7a991ce38a1d37ead7c7c2 |
| SHA256 | e77bb87374bd3a9b3ccdf932d260091a3ffeb1d1ad9d236b54f0f6797585ebd7 |
| SHA512 | e86e61aa09e93395f03b9976d6af4f775be3e017ca371a837e538d440e04b7813d2855c3b7c2444aaa357c9d7a3b5ccca7649c6c557bc3f520b953d96aa93577 |
C:\Program Files\Java\jre7\COPYRIGHT
| MD5 | 2a79a18a4fce30f9d28abe3b0174812b |
| SHA1 | fce91cb769cb486bd59d97a59943e69418c03e06 |
| SHA256 | 46570844fde2506ac28543dcde5bd20877b0bb2522a0cb11671513722ddb842a |
| SHA512 | 4ed0cfe9d66106e365977378a53f7881d1bd795fda7e89bc8e879888b54bae79ce80746bde779c9aad058000f06d1b96d8e0c7bacb0b871d3fc075e684a0f2f9 |
C:\Program Files\Java\jre7\lib\management-agent.jar
| MD5 | 4eefd60f439096ed98b6d8a585da12ef |
| SHA1 | 75cb70498807b0c823cac760e00652842c1a63c3 |
| SHA256 | e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c |
| SHA512 | 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2 |
C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg
| MD5 | d1950d80f172e80f1c48685c51835807 |
| SHA1 | ae9fb8e72137c1729ffb559aa5f541bff78661c9 |
| SHA256 | 523c41464ee47d61350e15bc091bc970d73ae2d00bfe7a88bc7fe00ae6202c75 |
| SHA512 | a6af7912278d814025fd2825a16943917461c881a8f2ff1972497a3a9f6998e349c5e375d69bc8697ae7197054083e0988198c4fc57cab3184f98f82a07a1a1d |
C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi
| MD5 | 9e0573ecb4a0800788a3aa64ad731bbc |
| SHA1 | fa205d2a65684c6245a2272facf45fb12ace4014 |
| SHA256 | 136dd1a7d0a62859f2077a62b7673c5c712fb750604a15f5f6140ab2c5112327 |
| SHA512 | 3c01530d43156962f4a2305472eb5dc77464ae3bd88f932a2f55e72355c4c1db1df050c94951a1375ed6f69bbc4102ef6ea45574f4ca293123685564a1334596 |
C:\Program Files\Java\jre7\lib\zi\Africa\Tunis
| MD5 | 66663b7d29e1bcbcfabbf26496f44d28 |
| SHA1 | 652e5ca160b40dbdb15b9a3b89ef967d6d44d455 |
| SHA256 | 8474486baa45dc211adc58156a75954f3542dc65326d6e5b157288711ed74e75 |
| SHA512 | aae76395ca6c3fe5e58a64618fb00ba73cf1198450da008edff89366bb9fb5bb62ad91f06b65a3af57c45aec92a67b2d51075c9438b526f5edc0aa4d4f38e17f |
C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan
| MD5 | 128e5d8a837d1d9b540b96013e4c9f19 |
| SHA1 | 641eb152f889f8027c1fecec8fd81df2540400c0 |
| SHA256 | 58bd661ff1a892697366215a8938d1c616cb4523e1ede78b49d155b132430917 |
| SHA512 | 2a64edb3c126e9d432f8c8592af3121423a93af9d266649bb33b73e3d65a5504db3f00e268a51fb59ddd3e279f03d2048b3b243e9f5602b2399584928ff2a316 |
C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon
| MD5 | 90c805bcb9fa376aacfb38d598ec7bb6 |
| SHA1 | c264d31acdf5c68a97ba444c7fd7e8af853122c4 |
| SHA256 | dbcfcc77f5774ed3333f3963eb84a324fd967de4d62c96631be6af1d6b3fe136 |
| SHA512 | bdd9bfe471648e8a116ab65d97e56f38b2d7516e0ba522de25b284c7b29d089dc039bb653f1b08e6ea0792150cad576adc48890dd6956a6aa29e5175cc5e2f0a |
C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica
| MD5 | 1135e286fb5224ef530f4ce0ec4a2835 |
| SHA1 | e1ef9d5aba553828ff9b4ff2cf9c1f25b085c6a8 |
| SHA256 | 4a93894f08d98d707cd9a0274f4c9a51bcfa27e701359e12befcc78ffb488817 |
| SHA512 | f57b77dcd655d347fdcfc3a1beada329998824caa5db061553a7c784a163b4641076ba99677a4e648d0477671aa14da7f883b2df8b9ed6eed3985e7c2c8ca4e2 |
C:\Program Files\Java\jre7\lib\zi\America\Matamoros
| MD5 | 93a2fdbfe3bd18cfa0620f2632efa4d4 |
| SHA1 | c0b705de8aa572a851737c34f1721c501473d31d |
| SHA256 | 3e84c247e11701fb5451865acb6262c8495d47c5f397a772a7bc01c9ce9f5b12 |
| SHA512 | 1e5454026ba8100ebf7a32dbdda862c9c315b1f6a758242a7c451ade0ff87ef3757fd8caf58c96a0bd63e7bde72217b9664edfa2bb426f50a9ca9cbc2dde655a |
C:\Program Files\Java\jre7\lib\zi\America\Nassau
| MD5 | 4401d715587a3bcf3830b14dd764a25c |
| SHA1 | 33117586fe2f2cbfde2a7ff3b1fbf74927a65e42 |
| SHA256 | 8b3827b7bae22f976e2a59e9957ba8b3b9cee57a4cf923a4da970a8f3c1e79c5 |
| SHA512 | 7b63cc90c5cb65c3a54ab7249b67d9f12eb86237410eb51e961bd39777f517d65b62a08f018e8d8ce89745c2222b2302a9a007c88771968e81e97a60ce037def |
C:\Program Files\Java\jre7\lib\zi\America\Noronha
| MD5 | 527e3a39bc066f9dfcc85c57acc8d262 |
| SHA1 | aed5fa100750d77de0ce7e7c2e6d7a322131c910 |
| SHA256 | 43c2ae1019ad57912662c9bd170d8d6986299bad4ec76811e70c98c4a1ffe3b6 |
| SHA512 | a1a0266e0c1b0e8b33e4dd242be63b258df4f2d1ae748583649dcb22ba82c7cd27c4ed12f632f7fd745f484621a303f8ace8c8f91646c74ffc71cf0ab12275a4 |
C:\Program Files\Java\jre7\lib\zi\America\Regina
| MD5 | 05640f18f5c0807dd96697e31fc5d8ba |
| SHA1 | 659edaff37a05ac603d08c90d2b5d26d9c90c78b |
| SHA256 | 86fbc959c7ffdeba173fc2baa99a8a93d75ba5d6a83a3e3300bab1b0a46b1d42 |
| SHA512 | 000113934c92690a06eb580a6128941aef65c5d9ac043811627175332a0a6aaa4f55bcae211aafed8c5a7cba9dae94a162785c749c08392cd42978cef1771b48 |
C:\Program Files\Java\jre7\lib\zi\America\Resolute
| MD5 | cb97b848abcb6376d491ac6bd9cbeadd |
| SHA1 | 3800020090c3bc180b0cf63fab7b39905680453c |
| SHA256 | d6369598c0846422df1f6e1029041784e34d3b6fcc12a3ba0fc1613a0f80530a |
| SHA512 | 5c910d7062750c5f76f87e174eb0b1225453fbf36ba072d04ca025579af6a051c7af85c7772a4756876659ab6f8cc4429c11b3620c3f5298e0599ea4f8d5a644 |
C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund
| MD5 | 81ed540e1204e3237f63da49df05a7d5 |
| SHA1 | 88176d30b1bf7d6f87f1ba92dac451b883dc1432 |
| SHA256 | 256fb9c4796b15a7ec4b0d5319e9e493ca4cffda658310420bdfd31e1c59da79 |
| SHA512 | 92b183b168ad7cf33673e688094d8199cff7c3063aa3e2b83891838f02ac1a79291e6a36e8216040c588306191634cf51484c79f56106492408dd09079e0f807 |
C:\Program Files\Java\jre7\lib\zi\America\Whitehorse
| MD5 | 1036f4aae37bd39b2ecc451c487e33c1 |
| SHA1 | 8d60a72a4873cf55fa7bac47dff692303d17d157 |
| SHA256 | b61465acf0031e6a4cc34a66d568bd1735668abf591a6badb1f5f5bc20bf9919 |
| SHA512 | 3ac2c8d3259ecbc41b186c2861ea6be3e6f9cc6b673a2ef610d42c91b359f31e941aa7de1d6ae801191870acdd6590ec788839cf9c069a7fc658d84582103a62 |
C:\Program Files\Java\jre7\lib\zi\Asia\Amman
| MD5 | 227fd460860a3ad1fd2b245793c07f95 |
| SHA1 | 71d8da21d4bb33f4cc32b70b174815e40eda657e |
| SHA256 | 693195cf289838146418e1bd05fd1a482c36ff75a77874609d615247285d5b99 |
| SHA512 | ce035dbe02b8e15091f7fee997a823dc4a0ef12c14e4f7d8441b9d3d9878bd17036db61e24d4e67db2a6e1f8b50168f6f03311b19713c688691ce4298b1deb2c |
C:\Program Files\Java\jre7\lib\zi\Asia\Colombo
| MD5 | 5f54d1240735d46980b776af554f44d3 |
| SHA1 | acf7707c08973ddfdb27cd361442ccfba355c888 |
| SHA256 | 2c80619d7e7c58257293cda3a878c13e5856f4e06f6f90601276f7b9179c9e07 |
| SHA512 | b1f542f68a48608ae53904fbe2105bd8f3e544941abb38ec9d24cb7a26f916ef94cfb431cce0c64077dc2934913130d78492914a5e9ffc52f311e68217caef15 |
C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka
| MD5 | 709c6a80af0276b170c521117ede47c6 |
| SHA1 | 8e6d9001ca20e76482e1ab88d54d47c65c8c7836 |
| SHA256 | d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b |
| SHA512 | bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3 |
C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe
| MD5 | 0d4ec840c1db49efd9ea0f2dd0a7c66e |
| SHA1 | df44812586d12298c713564804b42142fb68a8c9 |
| SHA256 | 2091501cde52f2dd75b74ad947075b6381c5f503af97a66b592b7caebe9e36cf |
| SHA512 | 85585ff43a93051adce2aa4f7213bb5a8e4b4160bc1ba20eb061fe1b7d489cc07676b512e00c37ec63d76e08cc98598901ae6babaaf57a0c59eda9f621c1bbfd |
C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem
| MD5 | 433b6e531d44ca54bab63198a3f6b388 |
| SHA1 | f1dceea33541fd68c8e9caaacc76f062da393a90 |
| SHA256 | c00b114d3e1a4d978c0051e7e8503f7fd30dea142240d6b950164a37cce3edaf |
| SHA512 | ca77aab2370179c0f5eeb6b8ed8b56eae5c3083860f51eda2031f7d5772e2018011ad5b004b1db1e1b5bc2e4c0f300735eac814cf913f54791fa26375d3eaa11 |
C:\Program Files\Java\jre7\lib\zi\Asia\Manila
| MD5 | 38397588c4d02f8b95c263852e9aee7a |
| SHA1 | 80691ad30930c04fe1bb2f645f9c6c0548ece80d |
| SHA256 | 42d699d9e89e439804c0981f96b1a3fa7dbe42c6be1dbca6211c6faa4e0e2463 |
| SHA512 | e46b5c1865b53513bb10be9e3a2c2a54ee9e88f83e8802e85e728a2364ab649ecd4af605b41d7583688f8a78d1b49e36f1ef5b8824ab89885578eed8ebdbfd15 |
C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk
| MD5 | 88a4ef65b666e053c28c9e023d8579f5 |
| SHA1 | 4a9c1d641605648e7e0ff0f87d1ea6d21ff42a06 |
| SHA256 | 88d5d20f83be8b19edd7cf53771fa94c1a67429f7bf9cec90822dc84a3a434a3 |
| SHA512 | 9ef796e128b899f33feb0fba39017a0365e6289c3249ef6d2aae61c6c0283febf89626323bcee6e1e3fb9e80c4908c2ca09ddd53396ac41c78ba2e5c47500f0d |
C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda
| MD5 | a1534d6e98a6b21386456a8f66c55260 |
| SHA1 | c7239c0fe3b7a00d812e548f4cb9d8d863e8c251 |
| SHA256 | 4c555a3d8b83f80c2e0d0b647769e82148ebe7e27811d0a63277d6f61abafbbc |
| SHA512 | af0302203a3ccb765aa4ce1b1ab524ffa500d62e179ffb527b76d2b62f5ba31b037902d8d46278378e7255a91251f06c0779fe4940d47a582415a201b0e401db |
C:\Program Files\Java\jre7\lib\zi\Asia\Seoul
| MD5 | 64321e9c7da09049fe84bd0613726226 |
| SHA1 | c2bed2099ce617f1cc035701de5186f0d43e3064 |
| SHA256 | e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b |
| SHA512 | 4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7 |
C:\Program Files\Java\jre7\lib\zi\CST6CDT
| MD5 | 359a1339722ce22ffdafcf70fb387a3d |
| SHA1 | a958f03b193b09efcd8d35934c33b524b4e0cd7b |
| SHA256 | fbb4fa31c3fa0c14ccb3fe426e39dcad529b17e379309c0adbe27fcc93feba50 |
| SHA512 | 4a90df2fa4bfee474f9e79570ae05a26b6752f0244ab755a49ac0d38f69f28ed97b134092f353ded2c968a3d9baf2d08a73eee2943e8116b65c4c8357bf2dc0b |
C:\Program Files\Java\jre7\lib\zi\Europe\Oslo
| MD5 | 677bb0dcac881a5a4638ede690ca721c |
| SHA1 | ab8e52e9f345d8152a39110c9ebbc07bfe37b182 |
| SHA256 | 97d364e2d3d35f030a038c41bbadc42d0c15fa8d79ba569987e19fddb2e80f9a |
| SHA512 | 6485b77c5bd7581ba0f80318493879df55d29606e30bd8a609f18a94da581c46e2284287869d3d1b7dd2857a5388fd97c87070279305b66e10d67430d5c96a06 |
C:\Program Files\Java\jre7\lib\zi\Europe\Vienna
| MD5 | fb4aa89fb89bf94d0590a3174d1193ff |
| SHA1 | c3812f2105099071c24141a994a9d5087199dbf7 |
| SHA256 | 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273 |
| SHA512 | a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524 |
C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius
| MD5 | 515d8db6175667b02ed715ba8aff0b2a |
| SHA1 | 44ca509396091b269d47da24e3d7e09fd8da7268 |
| SHA256 | d50e2d8474134908822ade46e27717d1a22aaa2d4ebd66ee14c988ecafc01461 |
| SHA512 | b0003c56ca6ca6789847ca2d75eb762a7da8870cde67cde39baa6d8a50c0a4c62fa1cf67bebb892ea50515ea7913209bdd0ae946b76ddbb1aef46a8f9cba5b8b |
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
| MD5 | 22577911e88af39f79409e6de8eed4d9 |
| SHA1 | 93436ea60c5dcdd2e9893a025f560ab72422ae8c |
| SHA256 | e08dd9962eedb16e12840ea2a977cc07bc5fa8d96259682edaa080573d525e4c |
| SHA512 | 2db5f3b0000212518614c74c73dca3205cda5751aa2504ad9bf9b98be46e98143c064980dce9a8a6372305840946717c38e244d9e1f2ecbdff683fc1f0a8fbb5 |
C:\Program Files\Mozilla Firefox\xul.dll.sig
| MD5 | 69016e6a597d194701476b8e04d4e028 |
| SHA1 | 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129 |
| SHA256 | 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a |
| SHA512 | a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae |
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png
| MD5 | 6294c74db1a4aac788765b4e0a0278b5 |
| SHA1 | 81e9bbc06946e3c078d1c1aa150ca93e501ace6d |
| SHA256 | ab3df617aaa3140f04dc53f65b5446f34a6b2bdbb1f7b78db8db4d067ba14db9 |
| SHA512 | a4a83643031063cab4226cef7e215765e6f997ce7719173632a66a45bfc0a710b3e6bc19a590108bda91576030e2e37f77e339a3f4e71478d96dafb0d46d2941 |
C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json
| MD5 | 994efe849df864c50be59da9ef5cf50c |
| SHA1 | 1d3915f08d43fffec3900735e0518dd6381f0ef8 |
| SHA256 | 52dbd4365b026555e3382c056240376d3aa319c7e46c1aa7c38caa4883570517 |
| SHA512 | 80ff4b5e8dae2c6eeb0a8e392a61ae2d7cd5f23867ab6d7c386a2a1440d10b461b517f6719f5e5559efb7bc2100e24eb3bdc3e922f83195dcde9876b509fd8c7 |
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML
| MD5 | 05fc90d38e2468528ad10b5ce0bff46f |
| SHA1 | 3e50a6510e30a9183cbc4a727d4ee3a6e3786102 |
| SHA256 | 4f969244f420a506355a2c1e81bdd9841f1263818b9189ac31c5c5e14ea41acc |
| SHA512 | f6e585b7f0046e95b5c808133f17f131ac9c50ac41f0f9c09d7e17509f77891d5e3d9f71b7b0322fb4ed187d98425f2a45f6addf428a9436bec7af74fbe679fb |
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML
| MD5 | 950ebe96859f7ad2194cce45ba32bede |
| SHA1 | ec77126b84fba5f858a84cde4373e1724c86d481 |
| SHA256 | 1db92b26f408ddb6f3ac47574cd49cf4dc131efa8090477bf6d0a5feea4bdf1c |
| SHA512 | 4755508c6a9fb44d196c2fb4de3cd229b5526f48e1baf0057db858930d5e940c0e7c2c62cfc1e66e558987f2e93d11abeded72c709020df80c0b773607c33d8b |
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF
| MD5 | c42c94e7e22da680544d2ee9553f5327 |
| SHA1 | 318f931facb45612173e8f845305001d1134d88c |
| SHA256 | 0ae208d8333b8d56b0871129f974ea63ad90303e5087fd1092d7cc7a66e85ed6 |
| SHA512 | 23bf222aaecef148138b5b2cd55e46084913986a7ebab17ab82011890ee179d00403bc5573ba7a783f280ef829e6cd5598a3153aac24d8fe5b2992064c30ed15 |
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF
| MD5 | decc47bad99272317818a41e7a522d85 |
| SHA1 | 8d92c3a841aca4b24ae76a488c4e9985570c81d7 |
| SHA256 | 153e9423e652627ab50fe46f33f0ee612adefaf54ad06bf70947650cdd32871e |
| SHA512 | e8982763416ce78756050b0383398505979193e92a5cd7541758756a7e1c188405073329fa8f737861b4de5236c8a88f797cd0bf0083245349eee2905d906a7b |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF
| MD5 | f08b597fc0dad2e60eb47c729ec5a0e8 |
| SHA1 | 6102ed704c46ebab3fa452e0978e001f6799e7f0 |
| SHA256 | 86d911c492b42593042265fd0e6f48a2cee1f9090238e1d849420feae106ccdd |
| SHA512 | b64d872c27d5fd0918f8b6df4c9834718f669ddf7823e191115e64f1784961c0ef384b9de3310bac1e5c10fc52ccee0a94392c5c595f271e169649654e2118ca |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF
| MD5 | e3d6d9c99344bef76ff5e6fa940c1379 |
| SHA1 | 84da7a8bafe3d5898bef2d806b318af5adcd85f1 |
| SHA256 | dd0a8ab83ad0ac36cb27968e73c3b8c87f5d3080854b214a74b53c152f534036 |
| SHA512 | 63184737bdff4cc24545d32c83df3656d772538a91644870386aba113dbb09763d4357a45fc5e9197bcb0f3b5aa519d5f8fed6ff48d4d8f953e56b96fd43209b |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF
| MD5 | b0d582502cd3ceeca01a0741bc96982c |
| SHA1 | 015498c371e78b8fc5ed5d0831bf2f8fcf803d05 |
| SHA256 | 255c3a22d46b57e3f291eac23e404ce7b331400041930a0b43eb777bf8ed06fb |
| SHA512 | d0b92159fe96a71ee641bb11365923eb89c391045c2b275e5fec0512ffca3c430cef1c25270c7440cfbb36d2e525675fd80b69ae2a9273f27ea384d19c58cf07 |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF
| MD5 | 42968ab756f9db46dac524acd13c5283 |
| SHA1 | 6cb4841f1adb1015105a551e1de9a673f2169650 |
| SHA256 | 7fbcfcd86bdfa943dbd68f67c3fcba6e7ab86fda2d14d28862c176bf18579fca |
| SHA512 | e42291e186e3b3f2e0dd3325d9ffee51a5b1b80fb0125a9fed79926f95f400ae38e7dc60c03718f3b6c8ed970fb9d2d9902bc8648c9d8f0fdf0f9fba8f735dbe |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF
| MD5 | dd7428c326b6303dcda2df68badec0ef |
| SHA1 | 83d0d1df0c2116857baa8ab9c2d5f856e29d6b04 |
| SHA256 | 59f4c13183ac051510c1eea1127c45540085a860875b07d4987d64ddbf46acbe |
| SHA512 | 402a8282fd6f050b125d6ae5efb9fd2bc9976356101714e908743d20f0cb317e43180936e44b709cf83cd12bc628674b74d46a1579332e54d0176484274bcb67 |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF
| MD5 | e6cac7c8bbd43fe2143bfd898b8482ed |
| SHA1 | 39aaa86b0b3ffae902d53caa85b2fcee95c08ac1 |
| SHA256 | 83e89195b31736ad0c35ecc6fe7132f35f7195bd8b0b9d49fafbdc5d8353c5b5 |
| SHA512 | ad1e842da94eeb805c396d3c416f15a1db6d2e8300900fb48a3776545da4dc0b960da186d80d8d72071dc80ea7fd5de81b1bcbb364db4fad4a6148680bef4a38 |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF
| MD5 | 2b0c8bbee7ca3327c8a7feecfc38e496 |
| SHA1 | a9a272d5884ebb929b7d6d6573fccfe9f588b7b1 |
| SHA256 | 6013c9170030c639b5465ea1e72f12c4e045fdb481d07f964c37e5fe44ecb355 |
| SHA512 | a3aa35b4b089507b6ad63a81043b1b5e121f9549b151811cd05e6605a848616d68531d400990bdd493ab88d19142616c41416004519083f2c8860e77aae8935b |
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml
| MD5 | 7e5a19c335555b4fcaf22078f0a5e362 |
| SHA1 | 55079ae8c6067cd839503f9c3ae7ef9deb72892d |
| SHA256 | 202115097d1bee389d4d4d81db00117252be97d5691af316941f3843ef7a05f5 |
| SHA512 | 371b8cf9a6485a2c59fb928a8b460caec1f7a572126641f568f77133b78e0e7b91fd52c10e6089c286d4162050ce50f9aeb1886784d75d338ab02a6b7d357a68 |
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml
| MD5 | 0fb569bd35d44c9ffa7d4728af4e734f |
| SHA1 | b41945703b8efdabbb18c60ccd93d2115ceb78fa |
| SHA256 | 788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20 |
| SHA512 | b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646 |
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml
| MD5 | 5360b12f6a07af7be93437d215f72fca |
| SHA1 | fe12fecaca49a131167d88817c4941514ea408e1 |
| SHA256 | a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a |
| SHA512 | a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410 |
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml
| MD5 | c3c9945cae188df73afd04c6251ba98d |
| SHA1 | 4327d33b49b3c7046cdff83bdd31c724bdbf4118 |
| SHA256 | a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096 |
| SHA512 | a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2 |
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml
| MD5 | e2b1e53f26985bc0bc2a99c7d107a1d1 |
| SHA1 | b0b9bccd847f973baaed9790a33f3f77d2d1db1c |
| SHA256 | 3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8 |
| SHA512 | 0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF
| MD5 | 6f6b5e30af6a9e64b7b6a19c39de7e0c |
| SHA1 | f4e37133cd52efd2967e90d645332c44a56b6832 |
| SHA256 | babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d |
| SHA512 | 4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF
| MD5 | c7ea739796f77dea0edf2dcebe980a6b |
| SHA1 | 5bab75849b9d716b8fec896e7b0f2d37659b3bad |
| SHA256 | 4cc7e6272db6b1ad7581f76c63c694e926e20698e9b02223d5041a55960463f2 |
| SHA512 | afa36a9eba55e94eaaa5c64129338d6af50a0a485c2b37075594e0415b8d2f2d181574a8b99969a92f90790085f761fb66b1a03020afc715fa17121b803ac534 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF
| MD5 | 60c6b126049a35e50fffeadf17279275 |
| SHA1 | 1d58c87e67c4b9d2c7ddd6b1f9c033eff16ca9b8 |
| SHA256 | 77133f431d5e12dd850002c0d3d4e0fecbe3a7a699d604dc8c5eae9976e1d260 |
| SHA512 | a3e171c1c71e0c8fb05df6d783f5ac9c7ce0f9c3bbe653952ea048adce025192d5eba4ed8cc7800bd52afd265256ecea887ea63725c49cf563455ff321d45e76 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF
| MD5 | 81e4bf29a6552cb0df60980b937ed4a3 |
| SHA1 | ca18e846361c6f84ae934ac108d5df987e977925 |
| SHA256 | 8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81 |
| SHA512 | ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF
| MD5 | 6790430bcb39e961b83668cbaa1573dc |
| SHA1 | 9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91 |
| SHA256 | 5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7 |
| SHA512 | 6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF
| MD5 | 4df019b7bb2ba1e54ed725a85be04261 |
| SHA1 | f40905a7a7dd1623fa8f075715c862f6b944e961 |
| SHA256 | 33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d |
| SHA512 | 654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF
| MD5 | 5dc32f41bef844b95b3a8d79e9633c42 |
| SHA1 | 50cf558caa78030567cf4e265f7c9cba3a2d904b |
| SHA256 | 86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9 |
| SHA512 | 99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF
| MD5 | a50b718c3518b630251fb54b92bde360 |
| SHA1 | a9582222b6f4df2b4e3e4ee5fe91d25ff086b943 |
| SHA256 | 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015 |
| SHA512 | 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF
| MD5 | e0a6fc12e9cddb11d637714157db14e8 |
| SHA1 | 5c2c7b2a90861b03082d3af01f802d42b937476b |
| SHA256 | 2f1411c6a9eed5ac2ccf7eb35456b8601e3c96907765746895325407cc307cc4 |
| SHA512 | 3f30489d8544921a38f743f905aded78827948c695acce03cf892121893ad7193f7810ef5e5941e2183483e27cd384fa37dba257931f392fe0781eebce384ebe |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF
| MD5 | 8edc22fedce822ad66c7733ea98784b2 |
| SHA1 | 9c0986ff2345b18e88d604e24a105ba386d87b21 |
| SHA256 | fa807c957eafe34b850cb453a096df2e5899f0902a837fccd59f9aafa869fb44 |
| SHA512 | 31bdbaf34b4e8f2edff432a5f1ee5fb571105081cea907b6cd41c529f4a9ec4956d009378f3b4fd912abab84605d78da298d4718b75780814e1fa1e86386d20e |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF
| MD5 | cafc2a2dde2f05e2a60677690d2ca245 |
| SHA1 | 8bd9c447b79435b8497212ef76f5b43dffb030a8 |
| SHA256 | db91bef58cfa8c3ad4587f4d737202a2ea4374deb35305e8e56a4e0b57232a7e |
| SHA512 | 7f293929a1147163d71c612084c7fb99740a1fdae3a3f9d7782f795c10c1b7b2e49617e9d6746938167a2dd49bc5c53788bd8751c61ad145d2d42700ae1f1575 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT
| MD5 | 0ec3bbc188caf04134280e5a95f00446 |
| SHA1 | bd398b51e76ebec0b43d756e04548a1907e8d2ba |
| SHA256 | 97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d |
| SHA512 | e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF
| MD5 | c2dc578691371996eab94eb37f6896e4 |
| SHA1 | 9c09715d6b50b203e161cfb59bbbfaa7837532c4 |
| SHA256 | 9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e |
| SHA512 | a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF
| MD5 | 3e586cd8128ba5d03ccbc121909e7421 |
| SHA1 | 140dc52658e2eeee3fdc4d471cce84fec7253fe3 |
| SHA256 | 1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992 |
| SHA512 | f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF
| MD5 | 9cb5fb90f42219febcadbc6eb57257f6 |
| SHA1 | c948b86625804155f9ac9478a07cae11d8021563 |
| SHA256 | 1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185 |
| SHA512 | 9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif
| MD5 | 79b9e09ca5f8f8ebd840da4c96afeccc |
| SHA1 | efd9e4cb4eb7a896db0cd0de5138eb5be50864db |
| SHA256 | 318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93 |
| SHA512 | 2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da |
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK
| MD5 | 301657e2669b4c76979a15f801cc2adf |
| SHA1 | f7430efc590e79b847ab97b6e429cd07ef886726 |
| SHA256 | 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b |
| SHA512 | e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK
| MD5 | b9205d5c0a413e022f6c36d4bdfa0750 |
| SHA1 | f16acd929b52b77b7dad02dbceff25992f4ba95e |
| SHA256 | 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a |
| SHA512 | 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC
| MD5 | 59bcafcabdd1f16e7b9889ee10dec858 |
| SHA1 | 116cf3bc4321fa20352d009e1d0cea588a9b61e0 |
| SHA256 | 006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13 |
| SHA512 | 2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad |
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR00.GIF
| MD5 | f5cfd73023c1eedb6b9569736073f1dd |
| SHA1 | 669b1c85ecbafe23c999100f55a23e06bf59ead7 |
| SHA256 | 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2 |
| SHA512 | 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8 |
C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML
| MD5 | bec4473fc43b77e28e60f89da4e29c00 |
| SHA1 | d5dbc7c6642a8a23da14f952a0f64fe874e8191b |
| SHA256 | 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96 |
| SHA512 | ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea |
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO
| MD5 | d4a7e4b0851785143ecd98f019ace3c9 |
| SHA1 | 99d3d7b7167a9ce2fe67a0d296bfdf60ba7a8a8e |
| SHA256 | ea3a2d1ae34d98f545d82a53ff2d1c6e5334ab4a0a4cd902e3fcd0fb697bf32d |
| SHA512 | cfaa3e8c5f61f0b662c6e04296ae67b83d81fe96eed7872bc503c131cdf47576777d1857d0575ca309652f63f5de2a8ad6fe072bd3c3127eda3d353e61260c2a |
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO
| MD5 | 8722af8683c6dedfa35cf708f04e507a |
| SHA1 | e411318d7904624a56946cec0059e380b0a4bd0f |
| SHA256 | a338f849bbccace695e284ab83c0cecc84876fdb292078f1186b31e9b6a07127 |
| SHA512 | 1341ce0453aeae411696a7343f2f6a6fa991fbd483433841cfd4b202ad476d77ba62b66ff547baf4e29a5bd38e7c1f2f78ead201ed1bb8ec50b98eb763bb11da |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp
| MD5 | 79f7ca0fba179cb0bc93eb2f178e4ace |
| SHA1 | a529d3822d5bbe18f6c3acfe44b19f0449e76f9f |
| SHA256 | 86a618c687c518ca93f7151a26391ef0e19101986d30f7eeefa420b0574fc5ec |
| SHA512 | 3924f19e1a9e1b9b9eac515c1d5dffff2aafde9745ad8d20b0d71dfede631875c611b58b2624fef0273830341b497fe7b554710d18bdfedd57c36ac0a764947f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp
| MD5 | cc084392f2514a4337b42f4865e2cc83 |
| SHA1 | 79ff391fe2ea7244cdb5a1e1e5bc68ee0cc1c17a |
| SHA256 | 3bff857daf1c246b3ba79bff08805f403b65b0e2a5cffb40b078a383eb861514 |
| SHA512 | 9c19d048cc3c0b34e8191368b9d243a4a9a25bdf4c55b3d51da4e97a679ca8507dd7368fe3ba22cb32451d433533d215549a276271462f8d1d1c2a9ff37ab68e |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp
| MD5 | 5b4d40b272eb1356f8a88982e76d4451 |
| SHA1 | 4344a4f7503185c3830fdc877e6d44ac0f1198bb |
| SHA256 | 90ebb694c6e15523caa8196f148f47d1c9c477a48c49d638354530e0c2b811ba |
| SHA512 | cee35a29ad193bb1f672cd69fb0c6ea7d35ab7427c5a33757842881d8db17b0eed1e1c59dc52e577ca29f5b74f83f9b023a61b844eab469eeedd04195293654d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css
| MD5 | e2bdd4d017ce36dec632e386e894a4e5 |
| SHA1 | 973c9f51425416d311a4fb1b502de562b57f152b |
| SHA256 | c23a5cc2d7277749c47ddcad301aa92fcbbaeab54e552813333c1306c5cf2425 |
| SHA512 | 85878f146a7bbcbea9b35cb48c79bfafa27d7872c4c312e824944d9bc70f1548624a2f58839958c8033981b6aeb01b65ab2f454a75963f91c282871d9df90075 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css
| MD5 | 6c3081b7bee29dbf58f91f2e18d844e2 |
| SHA1 | 9437dfc92ec5cc8e0b938a23d11f43cc3d1739dd |
| SHA256 | cb973b51d6e0730a068671ec24e50257ecac543574a2678214b7009fd6620d9b |
| SHA512 | 2d12c25529f1b40724e5d4e452bc5c5fbe196646e29411c5cd8dcbc2897c65cae881d9be2ca5a9a18c36e2e62127a625271c3c0f5970d52fa29c4c4a9b52cd75 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO
| MD5 | 385592b8ece89d5bb6c8ff79b132c562 |
| SHA1 | bc14ffc7e1686ee066f445f1ab95714ad631b9e3 |
| SHA256 | b57536fb8401facf2e6aed14ed0f15e42a4f38b1e05eebc1a8be1613909c5165 |
| SHA512 | 62ad043d2e28c8e5eddfb9d46edbacd40ac092b3fcc0e5bca70ac0d07d9d4b80cbf194f99803bbac70f3b963f9a3e7ae2ba29ecf3d71535ea3ab257115862bc1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif
| MD5 | f536fbf78e26387affb82ee89943b870 |
| SHA1 | 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7 |
| SHA256 | 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15 |
| SHA512 | d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif
| MD5 | 697538917066fbdc54bb7922e0f2eef8 |
| SHA1 | 21cf57e715733ecaadd17747a6956fea5dfcc3e9 |
| SHA256 | 1270be94b76ac32534581f51fecec7ce90ed9e0f3693f310058fba0c6ca8aaa7 |
| SHA512 | 26806e433c67cbcf7bff91a47e214a312929f279739bdf2ca0b5d26f04e40f76f6350161c7aaa44de48fe70aa6bb67293d9736aaac526f1f794e94f135538be1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif
| MD5 | bd38f281632881248ac7f09eef8a6319 |
| SHA1 | 5a40ad5f3ec39d2ad991e0b94683a0ce987d5066 |
| SHA256 | b92428daaf38be6775a2b1ce78f5c8ce213b90c6e6fbd95bae56458ab90f7437 |
| SHA512 | 1e102e101b9c679ff5bbb874806650bc12a69dbab6fd446617e392c99620c81e35c2233a745934692b2e4f20b46a7cf5e90cf38a97b87ea588d525ce356b6099 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF
| MD5 | ab58d658c2dfe0393df78f57740dcdb8 |
| SHA1 | 096427e4fce6a16c49a01f645139172fbf077ba5 |
| SHA256 | 882993b55cc0c527f0a6059b69b3faf4ef3ccb9cecd3d8847ca0e49a1444debe |
| SHA512 | bfbad9a939371aa29f4ed8c5bcad0d0299766bbe6dc1d9d6233ae0c060a394c0b8bf665b11a28c3713d434340dda690cabb578ecf3e2a4a462d797f0b3f30df2 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF
| MD5 | 0ad4cf7b35f62b8ff9c73f481594fbdd |
| SHA1 | 08b895c85051d99477cdf56d80c4006c262048ef |
| SHA256 | c55b90509b8cb9bac53fbdddfc93d4e572685c509f1218423c43a5d6013bbd48 |
| SHA512 | 697f1c0117c89ea0486b5b8e9dded787eafcfd710251cef4cf5cc275b1572a5cf9d499e44fa672aca8a77521a33b2e5040cf69c7cc3947fec2cd75d2296edecf |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
| MD5 | ec8d9cf15661e1e246997637ac868ca2 |
| SHA1 | e172de70f1a3707fc8501f5a2207613f376169dc |
| SHA256 | 82f9a5d07d2ed70801a407aefc9336fb4582b17a23686cbd30ce31881a289b85 |
| SHA512 | d87760b7b4b1b286af229762c9c2b81847c803410a2a36834861ee85533ff2c2614753db56db863c73dd6ea6807c1074a317e62f066870dfb6fd4257bbdefa2d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
| MD5 | 9d1101f2c45ce53f2ead40247bc2629f |
| SHA1 | c7c2770645e7611ae33bd7a0b3ed948d39f17c06 |
| SHA256 | 47f0149b43961165c5fa224dbd2d1e956cf0a26b86d15ee3e12652c2a6e013ca |
| SHA512 | 91ae75b332bb98b6116352147701514db0426f710600bcbd1bdfe31f20ab83c2c21c794244055372e5d11ee177f8dedfd31a1d9a744b84be0f57b580a8464ec1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
| MD5 | 3b8883ab58438b245c89bc76ee848752 |
| SHA1 | 7b01b457344fcf92362d14247f2c389ed0c89b6c |
| SHA256 | b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697 |
| SHA512 | 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF
| MD5 | 9c1b2a47c87f33de47ccfcdc098e1806 |
| SHA1 | 4ea8f90ce4f6569e41788252674776594ca668f8 |
| SHA256 | 8d77e83b50a81c442acd64cf5a57ee30906256da88e661e87cba51320f2cdda9 |
| SHA512 | b317fc3bea365325bc928e347d081bf019c0dd35e764172ed105212e86ab4ab303b92bd1bb0752cc27c0a7d46548e199df353fb84873e812a744878d9d34bd30 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
| MD5 | ccd9d8aa4c9fbad1069e4dd2c4982652 |
| SHA1 | 58cc653eba0694d39e7615ee7e049c8441fe6600 |
| SHA256 | 35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae |
| SHA512 | 7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_hyperlink.gif
| MD5 | f25638c3ccba37aad21daf44d061ded1 |
| SHA1 | 2db65949b3b8b9f2ec83a7aebda1d4379c17391e |
| SHA256 | f2d7df9f7c7a829d151f2d26f67f11bb6b824fb5ed649c159dd6124c4b4dce60 |
| SHA512 | 362d8d85fb18947f6924d956f93d8cc8eec7febac2cc8aa5bebaa983ce257c1f0eb416663d650c0958d33d7ddadbf79e636a26cd6f592ab38057d7dcc2227c3c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxerror.ico
| MD5 | 46b109680d8e37a25b4ca79ff35e270f |
| SHA1 | e1d4ca57aa3114a7931c7a5bbc8be1ecd8bd7882 |
| SHA256 | 54a918ed71329a2e6af831153825cb69b8cd45938a352d3b0882c92969a353dd |
| SHA512 | 7533cfb7af8b272d23734efddd2eba7524a746ac0664621ba3c05f139417f6e68bdf6e38c57ea16e8552d0b491a37f320f8f95d7b9e39e3c171a28f81643197c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico
| MD5 | 175b6d3035eaaf10bcc78b54ab021ecf |
| SHA1 | 480f5c00b285f824d6eec209d6937e05c34d1805 |
| SHA256 | 868d0516a42b8340eba07ffaa00f5928e1d6a7daf2a3c4d96c1b86b80e2e3e81 |
| SHA512 | eb0b26da872e4e957415ca60d0114903a3b62dfc6f4b02db745004a32ce55d791baf8d550284be03157a59a433fdc9e39a3129155cc0a73cef87febc51fb2f6b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico
| MD5 | d33c6324366941b3c100293e79426478 |
| SHA1 | afd047c1461a2ce36b775cc94392672eb43f1463 |
| SHA256 | d2a2840f1282913c2678160f13f3204616a9c302ae3b8f47bf17783ef3323aa7 |
| SHA512 | 7cffef992a6008d2d5b1cd768ae722d533a7e2a637b421ab67f16175328ffc9f3a4cd72ed5db695796d335371aad94c4bf9003fe685c3833b7687b59bbb6b940 |
C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd
| MD5 | 9546c10433c45bfb9947449dd8d304de |
| SHA1 | f8ebbbe3ad6a8cfd13607fd3a7fad7a3a7a50158 |
| SHA256 | 6778c7c7b6b6c1c273e668169a7652a681da86ad62d03f7c5aa120405069feb2 |
| SHA512 | 90c6dda39740f839fb470f838c35d5f264a0a8664c57cbc66c431082710ee633ca4672b3b64902e7bbb7a61e9b9f4eea251a7d8b6d5126de6d73d3480fdede5d |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML
| MD5 | eb74234cb882f0fedae27f0b9e9957d8 |
| SHA1 | 973377cb3ecbbe475ec49d45f15ced0a02143a1c |
| SHA256 | 0645a4a67dcec462dc9f335bb0564e6e39bf12ea7e40cf8de81418210102c2d1 |
| SHA512 | 480e05680cdcb4d72456228a7a61f2577eb2e412760fce40a5b4066d140d41545110b830851b764ac483a6630dd5ff1e27ba1f95643fa3fcb801eed514ba4b29 |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML
| MD5 | b024a04198ed894b334178e411856122 |
| SHA1 | ca7552399eca0ceec6a3dbf393396fade2f5f550 |
| SHA256 | cadbea407cb411d2ed1c47c77536b622eb7d53d4fd3ee3b9897d554298683fe3 |
| SHA512 | 466ef38a6bd49fc816e208b408e5bcc7d366dc7eb9072600ab21510b6e1417894bffeee5ec96f5a0a535d8e541fd505ae3450f2233e5a128bb073394c530e879 |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML
| MD5 | b4052c951a5d5df0482bec08dcd1a1d9 |
| SHA1 | 99f3e0929eabf972e94c276c6423499860202f65 |
| SHA256 | f860ea6cfbfe8ddb3862a09c1b443f3273dac1a4757ce9e7a3b34d46f971ff10 |
| SHA512 | c26450d504e58cdbba0ded009158837855dadd8040b0c05845ee25b540567758c650df3d6b28c3571adff47e39d8ef99b30144250477524a19ab172d0870ef82 |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML
| MD5 | 938fcac2676e99d92efee069eacacc37 |
| SHA1 | 575b35480aab9ada77d22f922bc57cb49a7580a6 |
| SHA256 | 9b8747ddedfdcb06f34ca5161281e28aafe3bec2e4b21aa731e17bb46dabc6c1 |
| SHA512 | 515074b8b8c14986ab86913a659ffa007cab07db5c6798ef6a4e12279ad3bf68262ac42ce991ed20a06825a8e5b8d0efc48aca38dad5503178d1dce0ef68c33c |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML
| MD5 | dc5794fd7e35debdd2e25f3e22761cce |
| SHA1 | 348034e08eaa9434bcf5713e9880f60bfd33ba78 |
| SHA256 | 15dfcf446deb114d465215cf49907aa5efc5fb8531f97607d50148cb4b680288 |
| SHA512 | 6a9b27a6702e40ef03367ce611716816cc4debac9086983148ff75c4e8656f10ff5edf73e95e18efe9e0ef7b721350e86a20919061d0ce1266258384ef98b1d2 |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML
| MD5 | 0b0d4b77b1494ca873f4311cc88a9fde |
| SHA1 | e88f8c3100290bbcdc224f4db05a77811726fe90 |
| SHA256 | 60107be66c9efe4d6aa0a3864f71d60b3800c8d6400daa36c05609d099b5f891 |
| SHA512 | 0a2410540f096ebd0464f16681b7375152fe8844ad2fed5fe86b352a61d6c65695051c82a36b77156a79ac633943463739752163d48b26abedf2db2c49ba794d |
C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM
| MD5 | 7d0a27db87cbd4243eacad312e5d7f41 |
| SHA1 | 9b077bbd55fc3718e25dd9b80b89423cd9495633 |
| SHA256 | 8ae7498b01f40e9d2a04df8a8a91cc0b180eb9eb64b78129f59a6d6ab547816b |
| SHA512 | 88ed00f2eba7cc1e53fafddcb74c2c1029f2866c4379816b0c53a6230dd5a06eb33092647b36c90f29ebbb7c705fcb065514977acb06fea4cadd43ae144f73ed |
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck
| MD5 | f1d3ff8443297732862df21dc4e57262 |
| SHA1 | 9069ca78e7450a285173431b3e52c5c25299e473 |
| SHA256 | df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 |
| SHA512 | ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3 |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000
| MD5 | cea67ffae620e6410ed0590dc6ec9b92 |
| SHA1 | de0e7c9e496fdd650fd8ab826e84b256eeb85812 |
| SHA256 | 2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537 |
| SHA512 | ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
| MD5 | 0a9c72f9db202d3c13e46b9a902f4a6c |
| SHA1 | c0ef3c5679f5c071f592f49042733f9542a59e4f |
| SHA256 | 57eb66eb632b72c290761008baf8118400f3a914e5ea4ff8621c3d61d529c89c |
| SHA512 | 2788ba119c86c5f806ac04b1435d0ca668ae665d843d99128cce7b2d79726434d15c2dc0d3d991cd9fd2a492f14695f01a7c5e825211e7a6a593cfb6a85360c9 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
| MD5 | 3acc3cc8c26b9cd4f8db480174d5210f |
| SHA1 | 0084bb4735d725d16042918ea916d3e39d379177 |
| SHA256 | 18df269c236e68e99a2e97691011172e3c2c600448a13dca21118370bc226335 |
| SHA512 | 614d3e11bf7670772edc4135db9ea0056d23b2b7374bfafd47bb3de080cd2e35b83b336ce3eadda374b869af5f28b0b29998f011455b467cfd4cbd47bc1ab7b3 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
| MD5 | 17240404cc21fa5bd98a4a03b059f656 |
| SHA1 | 17bf789e27311a0ab774e7a293b834c82c425d49 |
| SHA256 | 54ad5402b99458324b0e2a71fb21fe7c0e16eccf508b444034a6585aae645053 |
| SHA512 | d05635f214f250f97319544464039754e289ee5424729d053b5efa90159ddeb6b1ae3902aac8ddc711b5ca51e78aab299f06fd8c19f0d14c9ab621941983a7ce |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
| MD5 | 98ca7859082dd1dc8570f548fd1a4894 |
| SHA1 | 4687cac842d71ea8ddca89cc681dbc83df8aa787 |
| SHA256 | 56ef96896db0a2f66b66a8513c0c1f699c5c67f1b23d5e7daab3e679e37d48e3 |
| SHA512 | c215566e992e46e77bac8dc462301b82206f499d46153203129bd4b05cd1d22621afc2ae828a998369fd0e3578f575fcc53b429023f74c3d7eaf01a8a65b040d |
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn
| MD5 | 80bda6f948a1289beefa36d2ba38194d |
| SHA1 | 948905d56e776f1efa1e026b309c6669b089a2fa |
| SHA256 | 9cb5d05f0db60b9e0d1b76af229fd2a705903d6a1278d4b815faa536a60c118d |
| SHA512 | ebbc2ac06f50c65430f2d3df2dd94434a6bb0e431a48e5929d57b944882f66e488f6abb668535f0bdd5007b92d18d2c4b726ccbc547c60c6adb3c8f5b7f4e586 |
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn
| MD5 | 55b53f1413edc16c71b2ed8377f7cebf |
| SHA1 | c4c7cc19e754412b38845e6fa4c48d20b1c51da4 |
| SHA256 | 3eefc4790b52024832ea4c03c6e7a781f3ef9416866a959b2777fce101ad9d61 |
| SHA512 | 23301467411dbbfc5b302282dcb483e3d2758f7b4f999f32717e2d758479fab08e553149558c4a0c2f69b8db739a3eca67e78ef8ddf3d6304e5b577044d55b8f |
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn
| MD5 | 565aba2aa486212bffe024fefb3a8ba0 |
| SHA1 | 13f8e2befaf22d391595db2f5bb2efd761cb41ac |
| SHA256 | 891c1644d5e29e33e5bb88666853f9531b93a3d6fbbd4a8b01e4e8701f836bea |
| SHA512 | a7a9610937383b8b9feeacacbda08f5d05692cd1550b238caac7a94d17399d689bc95e5afbd7a378e4cb2524d59c3bc3591e975a6aad65bcb6f6cd2e65cbe8ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index
| MD5 | 1681ffc6e046c7af98c9e6c232a3fe0a |
| SHA1 | d3399b7262fb56cb9ed053d68db9291c410839c4 |
| SHA256 | 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0 |
| SHA512 | 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
| MD5 | 4ae71336e44bf9bf79d2752e234818a5 |
| SHA1 | e129f27c5103bc5cc44bcdf0a15e160d445066ff |
| SHA256 | 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb |
| SHA512 | 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
| MD5 | 28e37d39272f9d6d788d86cbf1810af5 |
| SHA1 | aef68a573fb6ec07b0188e2bda3be86c0e79c299 |
| SHA256 | 06ea118edadd836a02b202c05bc7e47356b57e28c01edf1dad6cc4cf90c662e2 |
| SHA512 | 1546ae0b5381c79337a67259b889cbceb216358ecd37e7e70d34ebcd52e3aabf1f13952240670884c8fcc705fffb339d0b6ad63c32e412e23fa70e47fe489473 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000005.ldb
| MD5 | e62da29ac3a82185101eb38cb426322a |
| SHA1 | bb7cbd9ba983f9dceb9fdeaa062f2a142bc84cb2 |
| SHA256 | dc2021c180e2d8367d094b4c07d11bd556d64b33d1fe8bf58e208e8da8f5dd55 |
| SHA512 | 158c590f882fae0fbb8c8bf37e30401272167b76cf26736d0633d4af28c70e91ddefd155090ba13e19c027f8c0546b8176049132370a0068f9c41a413aba5558 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004
| MD5 | 871bdd96b159c14d15c8d97d9111e9c8 |
| SHA1 | 8cd537a621659c289f0707bad94719b5782ddb1f |
| SHA256 | cc2786e1f9910a9d811400edcddaf7075195f7a16b216dcbefba3bc7c4f2ae51 |
| SHA512 | e116d2d486bc802e99d5ffe83a666d5e324887a65965c7e0d90b238a4ee1db97e28f59aed23e6f968868902d762df06146833be62064c4a74d7c9384dfb0c7f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png
| MD5 | 251a7e1401487e69a415fde9d5128b27 |
| SHA1 | 9bb2d9b5d93e8f9dfe5337014008bce57b3cdb18 |
| SHA256 | d1db33e3ae5c6779e11ecc0ddf3962bf0559582980b5e5a92fd5caf91cb1bff2 |
| SHA512 | b572720338c60d4c27870e563145269d62470bd32cfb6ba4dbecc881632273189946d813fb6c6f4ea0539f9f0a6975c89b1bcf7fe7c297a005a4b15d8a4eccd2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png
| MD5 | 1b09d4b3b183d0e78c9627ba6b0f925e |
| SHA1 | fd441ff31ab04f40acc054b90c34bdee299017bc |
| SHA256 | 2555bb5583cd7eecea012833776c74683ce3479d1c1553733366905bc820ea83 |
| SHA512 | 5426ddbc2ee693f1397c0a44ca5c6f1f8b763189326edfbdae4e82157ffa525937f78f0461f9d9b284a4a2491c7b1fe20d887adeb3ab7a07186b46ab6f5f8038 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png
| MD5 | 5eba5d7f4a561ec133faf5a6fa54a84c |
| SHA1 | 8ec9a9b74632a3b8ce7189f9c58ab3acdf5aaa12 |
| SHA256 | 0abe90866c4fbc89ae5b4512dde9df1c441a2f5923ee3e7932cf34532a6bf773 |
| SHA512 | 5730894b7e0e4899ae77f45c6a63e02f4a7757e9f9dfcdd24f1029a72caed7f6a40d5bc52cc711a5b4b4e2ad0567ac25373cc019736fec38ec19235e0fb7396f |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X7K1QVVO\desktop.ini
| MD5 | 53553242d57214aaa5726a09b05fe7bc |
| SHA1 | 931613845dd0e72f1b1a5ba0c89f1c34e5cc089d |
| SHA256 | 1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802 |
| SHA512 | dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{120FC654-0D4C-11EF-BA8B-4EB079F7C2BA}.dat
| MD5 | b4202f7fe985b9648b4676e6f70832bd |
| SHA1 | d37c2b3927946ed617455b3c5913fcab0bc1af52 |
| SHA256 | 6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10 |
| SHA512 | 447ea3de41bc400836a5a3df01efe61c2b3d5d646e9310f399c4842c5268d96042d8432d85fde19dcc8f43a2243626e9de850c9ce37d46fe0d0dd0fe5b2b6a88 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
| MD5 | 897208d5df122e307ab837d982b2c085 |
| SHA1 | cf4ca14a7adcbc197cd84c1997efdd076911d608 |
| SHA256 | eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4 |
| SHA512 | b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
| MD5 | 68cf4c147c95c7e6a1e5a6ee6dc7a185 |
| SHA1 | 4204d04da17eea4650c1e921106988ea61c97d40 |
| SHA256 | c38f1294a259a7e943728e76d1a9d2e0992d22f4cebf6de1fb42204e7126d19a |
| SHA512 | 94dc7f770068c869ac5471148e7ce30670a0bde0014c98a295b4c9b68bb5aba33d39fde081be849c625f501bbd66014214e2c5561b8c0c0deba02e9c788ef098 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
| MD5 | 6df9012b2b7cb3c55963499a26309bba |
| SHA1 | 6d7aaa7d2bcca4a8758b398ab7617839203c828a |
| SHA256 | 80bd5cb5a9ca35dcdea1d59b5f1778f4114f6215af38004a02a99a1d37383648 |
| SHA512 | 32aa05aca47a17b6afdbadabe83e929e5a55777c5f5ddb0c854ae78ef403a2baeda46e7f1f1fd7de5237749f43d5f8ce0c95e260ef25e27e20cbdffde41bcaf6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 3561c0dffdb90248fa1fc2d4fb86f08a |
| SHA1 | f68f30ee52133e400606a6be91d2d982388b43a2 |
| SHA256 | 4fea5e6a3ec5f5474a26d858bc77b6d7bd3ab864ea02d988683fdc648602b248 |
| SHA512 | 6b83e8fc9a2ad34694319eff2972435d2facffb23f6e5d6b2eb7381bd9012a489912c56ab6dfce07ca387b777496f612e63842aa294a208f5360077f37e87b1d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpset
| MD5 | 654285e76e3062621bb2a7abadeb9214 |
| SHA1 | 90514492cfadee2303e64fe5bb1c852fc7caf2bc |
| SHA256 | 6c2b87f2b54344778d2eb7f85ae86f2079206f40d185896f7dd3df446533e8a1 |
| SHA512 | 2ddd07e926504fa628db2e422ed2975fe4d0d99f8effbe43025e19634ad34b7f54b5de7be5dd32972377fe67c5a6d8436c525a1fc9db2d8ccfe676c1d9084c99 |
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
| MD5 | c3eef41f29629d2c7796d9c3ee638df3 |
| SHA1 | 65c07cdd1c2108cb27649aad8690f2643d018e41 |
| SHA256 | 04893027370077030b48fd90535706dedb3b2d31e4f6ce5bfbcd1c8578017383 |
| SHA512 | 96898187fe2e319b120c3026a300b06109bc1c9720660a30d8a3705d7cf58f37162d61e904f64b798c4368e4716c3adbbbdb8d047dae4822c131f4526d5b331b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76
| MD5 | 5d52c133dbb0c7dda6de26ed1ca2c54d |
| SHA1 | d61596a342190277c0440fb1eaa096e22ec92a23 |
| SHA256 | 913c6e2c32d99e4baff62cf421a494730cb043924f2c6bf46406573b59c641bd |
| SHA512 | 60bbc39283fa13b09473078627965c153aa35cc330bf37ad9b0827725b1f0fa81e72378d0b88194641cf2c4777a9c4148e6925df180d1315f7b674b860a3d944 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d2a70550489de356a2cd6bfc40711204 |
| SHA1 | 02ec1f60b2e76741dd9848ac432057ff9d58d750 |
| SHA256 | e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293 |
| SHA512 | 2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\times.json
| MD5 | 0d7db7ff842f89a36b58fa2541de2a6c |
| SHA1 | 50f3b486f99fb22648d26870e7a5cba01caed3da |
| SHA256 | 140eda45fe001c0fe47edd7fc509ff1882d46fbcb7c7437d893c1fb83012e433 |
| SHA512 | 6e6570a7cc802760730db659a4ede4221ac2cd944f4b0d97b0a5c8a9f2a072899e3c3fc5dac336b53f8accde81cbeeca6c5998a1471a2f91eb60e3e13620368d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813
| MD5 | 5896cf4827474d1dd04f483e94f82442 |
| SHA1 | 372c979db150dedddc4d4520e68b1922a282ce01 |
| SHA256 | f9a250dc807b5a4fbf459bf5a1ddcd7347f0e6f21f8df32aaa7a79013e540af6 |
| SHA512 | 23f167acc659615289dfbac3a7d9fdea5c3a7de690051e79b5ff693c2a29c518e12be87850c7136b43cf321eac9695847bf02924c4024b5218e196e9a9f389cb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\SiteSecurityServiceState.txt
| MD5 | 8e19213e1156d922d41679729f7ba8ad |
| SHA1 | 0feefe21a8a6e907bc59f677a1445c27e235504c |
| SHA256 | 44b8aa4d28701168922acf61435ea4bb442f97b0b14ad7a2510ed68874ee2a72 |
| SHA512 | 73fa23139775bb332d83bed892c293331b1b092da27796a9f105321a4a1cd109635940a899ab4527e819a60cb2623da160ca7805ba5b16f992a53f915e873689 |
C:\Users\Admin\Downloads\desktop.ini
| MD5 | 65fe580cf845ed035c4e57ad02a987cf |
| SHA1 | 6a7fc08e53675bd325b0e6426eec4ce52db7f2a6 |
| SHA256 | 4afd6e7f6ef862c727cf5780abfde2094eb56e93383b6e9d4cb7fae81dd17cd1 |
| SHA512 | bbc34c4f8892aaae0831e02cdc146ffca22efff5e70601bafa084bb0824e88c87fd20988e602fdcf649ba0322ea1d74cdd5bc7805525987c4115096173e33b76 |
C:\Users\Admin\Favorites\Links for United States\desktop.ini
| MD5 | 59763dea4943fa0a7ec51296d5f2c7b3 |
| SHA1 | c3b3795c396c3f64ac68d9304f97b34adfdbf206 |
| SHA256 | 6eb69e26de2a26eda48af77d4cec893aa0cf4748a64cbefcfe11a22c1e680ad9 |
| SHA512 | 92c41f07d1aad07acbe943f36731f4739b5bd84822f660459e464262d45f4970203210180655683feb51868735d9deaaf37fb8308d415376bc631ce887b94fdd |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
| MD5 | 1477fccb6f5105178b8a4959217a35a0 |
| SHA1 | c66fa5d6d133a7cb7247edd1b32fc6b82dec3dd9 |
| SHA256 | 118980fc1bef9a9da8a06e2a864d3f5f5573b37786bac8709746a8ca26a12523 |
| SHA512 | 1715a141037d97e12c98f91a62bd44e76364af02e8ad5024699e9dc3951d005eb3471de1bde3569a61af8e5127883cc1133b6274928bde3c5ad5840e36ee764a |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
| MD5 | 393017b9101a884b66d64849d99a7d05 |
| SHA1 | 6fbef1dbdae7b9c1eb817a8c762704f4301192da |
| SHA256 | fb701ba16878b120e90469d8238b8765f8a157f6aabf76d94fd6aa09b591cf93 |
| SHA512 | 175fcd4da63f57f127b2382965a38a9359fee7f7a694803bd4f76e8715ac9c607e6ea863b2d938514e727f539613b7e93ed3110c47b30ff4530c3e142237c555 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
| MD5 | 9081505b52708b1cf5f639883942d813 |
| SHA1 | 1efd3054cc8a59abfc3e52f5aa5702c8fb18b0d5 |
| SHA256 | 5cad8b3db8fbb29e0cabbd785e1e3449ebcd5b04544cde14c93812a93860cc47 |
| SHA512 | 23b0249a981614c2ac604fa68be9876919513ebddff84aa08e98f05495531f0c4ff7f1dcf19e2b7d9b6040c65e96dc3c210a695f66b20c25b020461cb9c116d0 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
| MD5 | 25a495be8250cc90b02a483e82df99c6 |
| SHA1 | 0f8ca0d9fa83bb38a8a400a893185e589a968742 |
| SHA256 | ba1d859d62b101dc263d6834aaa81378941736dfab33b15243a4bf3b45691735 |
| SHA512 | 6926347d0da33ecdf2af9d5ef5966f2108da941447c4e33ca90eeebf82a4171a1439bb3b285c31387e08b5fbd964851fd98d4c352975802de74ce02b03b7bd0d |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
| MD5 | 6ef918fec6062ec3fa9aec3515ff22e9 |
| SHA1 | 7b97afba8180e32e17cf04e2ebc14306fbd37a63 |
| SHA256 | 9df18e83bfce0d614cee8a1ce8ab9500f4fc8c1b39f41acb9b7caaa317fb55f2 |
| SHA512 | 03c347f8c31b3aed7c3b73450b774fac8a917d2ce7ee9bb58e9da6c3121dd6fd88334ce9ddb56404c1d9c9a964319808577f62855d559a66606537651780b7b0 |
C:\info.hta
| MD5 | abf48e6543e2934ebfb945fcc10021f9 |
| SHA1 | a6c89b37e2487ebac75b513f6888dfea6cc00f00 |
| SHA256 | ab6aa98d729bc94151d36199610a600a23aef4c01a075dc8186a64d1fd3027a6 |
| SHA512 | 047d8ef84dd70b08e95653df9d34bd9afecb1482fc1e6c59c6b49a6efafd477d6b95b3c8e4537eb04eb889364e14cacc368b08277edd1fe0c2f0d61be6947e14 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240508-en
Max time kernel
1558s
Max time network
1560s
Command Line
Signatures
Agenda Ransomware
Processes
C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
"C:\Users\Admin\AppData\Local\Temp\37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe"
Network
Files
memory/1916-0-0x00000000010D0000-0x0000000001268000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
510s
Max time network
1581s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
"C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe"
Network
| Country | Destination | Domain | Proto |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240508-en
Max time kernel
1800s
Max time network
1804s
Command Line
Signatures
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (550) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.Tests.ps1 | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\OptimizeConfirm.aiff | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge.dll.sig.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\HoverCard.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\customizations\mergeSettings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsColumn.types.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\ui-strings.js.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\he.pak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_tr.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\pt-BR.pak.DATA | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsStoreLogo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-32_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\ProfileIcons\pwsh.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-16_altform-lightunplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Microsoft.Toolkit.Uwp.Notifications.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-24.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1 | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardLogo.types.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardActions.base.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateCCFiles_280x192.svg.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_selectlist_checkmark_18.svg.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg.id[5D9C8428-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Program Files\7-Zip\7z.exe
| MD5 | 26f7a83fcf6b31b786c91895d1bdf46e |
| SHA1 | ee774dde283164e3728f154a218de091f87d161f |
| SHA256 | 3701a7e99b37d6738cf1406569b5b3a7aef28ef55ad7def4191ba57835d502d6 |
| SHA512 | ffdf7aced2f86ca568eb13c1b44458b5336aefe5c8517c86d3171766f7694f7a6ba112a6ee3511eb50712b9f954d1c3de12e3e68259174efa8ad41f8d55c5991 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
| MD5 | 1681ffc6e046c7af98c9e6c232a3fe0a |
| SHA1 | d3399b7262fb56cb9ed053d68db9291c410839c4 |
| SHA256 | 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0 |
| SHA512 | 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5 |
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
| MD5 | ddc4cb14453391bcb5f4d645b2916a6c |
| SHA1 | c4738d174c90c285e17bf51a9218256f45f96ea7 |
| SHA256 | 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb |
| SHA512 | 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f |
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
| MD5 | d13b5ffdeb538f15ee1d30f2788601d5 |
| SHA1 | 8dc4da8e4efca07472b08b618bc059dcbfd03efa |
| SHA256 | f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876 |
| SHA512 | 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46 |
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | c5b7a97bda04c48435a145f2d1f9bb42 |
| SHA1 | bd94219a79987af3e4d4ce45b07edc2230aaf655 |
| SHA256 | 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0 |
| SHA512 | 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80 |
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
| MD5 | 809457c05fe696f5d34ac5ac8768cdd4 |
| SHA1 | a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9 |
| SHA256 | 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be |
| SHA512 | cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
| MD5 | 301657e2669b4c76979a15f801cc2adf |
| SHA1 | f7430efc590e79b847ab97b6e429cd07ef886726 |
| SHA256 | 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b |
| SHA512 | e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
| MD5 | b9205d5c0a413e022f6c36d4bdfa0750 |
| SHA1 | f16acd929b52b77b7dad02dbceff25992f4ba95e |
| SHA256 | 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a |
| SHA512 | 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544 |
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
| MD5 | 3be680b6a8edfdeed37bf5068a37dccd |
| SHA1 | 75bc261fc558634731e683e431e4a31c5b463107 |
| SHA256 | 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4 |
| SHA512 | a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
| MD5 | eedd2d13e3671d589714446755b78b38 |
| SHA1 | 2fdd23507187a259f5a7edb01611a37b6b09f4da |
| SHA256 | 467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d |
| SHA512 | ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg
| MD5 | b651e9101be833e87337050028831efd |
| SHA1 | ee594ba38a6324369ffc7b4dc89407d3436e34d9 |
| SHA256 | 4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619 |
| SHA512 | 3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
| MD5 | 1bf37c0336c12ccaa1c62386acacc858 |
| SHA1 | f1e187c79588e4e9fce931997443d7e5cafd1db6 |
| SHA256 | a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673 |
| SHA512 | f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg
| MD5 | 81cfb9735fea15ca8791a3c34a78d992 |
| SHA1 | 9b4962166a47f5edc62e5fe3c4f8772446db9296 |
| SHA256 | 3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8 |
| SHA512 | f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg
| MD5 | 55215e8f92d35f26cca06fa9d5d221e9 |
| SHA1 | 994838c8df5921e3828749a7703ebfa8383e43b6 |
| SHA256 | e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae |
| SHA512 | 7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg
| MD5 | 2807924fc18c958c38a7004a5dbd4091 |
| SHA1 | 85534040543c3306284e6a475999c46249a35e4b |
| SHA256 | 0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500 |
| SHA512 | 264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg
| MD5 | cd5d2472a2bf9ac7eb4e15146b30bd2f |
| SHA1 | bca600423f99b87df44fde9d96ff874017037afe |
| SHA256 | 038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c |
| SHA512 | dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg
| MD5 | 3f16cc51cf788a50e6cc1ae60897bbf7 |
| SHA1 | e5a8c8f5227ca6da79589192892e81b6a3f43686 |
| SHA256 | 30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d |
| SHA512 | 17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg
| MD5 | 30c9bd1aee3794fd46bc99fc2a359212 |
| SHA1 | 9817640da0b98babc461d277a39b323dc9a76cd3 |
| SHA256 | 4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d |
| SHA512 | bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg
| MD5 | 0498cfb8aae1383c049e8ccdd85f3abf |
| SHA1 | c5fbfcc70b441e91a5ecd23295c745aaf076aa4d |
| SHA256 | ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c |
| SHA512 | 113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
| MD5 | e3c4dd21a9171fd39d208efa09bf7883 |
| SHA1 | 9438e360f578e12c0e0e8ed28e2c125c1cefee16 |
| SHA256 | d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb |
| SHA512 | 2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js
| MD5 | 0d3a12fd3f68decc694da04b57e61d8c |
| SHA1 | f73d4d591f6ef0b2b04fc90d2e840329f7590743 |
| SHA256 | ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76 |
| SHA512 | 2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js
| MD5 | 68b6f0644d50595a97c9fd60b8d8e697 |
| SHA1 | a4d0edf9264ce1922dc419c7f3b3cedb2814bea7 |
| SHA256 | bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f |
| SHA512 | d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png
| MD5 | 65c9f3fb24b80d8c470d518f901b9c60 |
| SHA1 | b9521c39944357d4b55b91f9f3739575d1f3bef1 |
| SHA256 | 8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6 |
| SHA512 | 6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js
| MD5 | a778c47dd8521d6a12093b3e97ed8474 |
| SHA1 | 2099d940cc672373884e1c622bbb606e9e9438b9 |
| SHA256 | d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6 |
| SHA512 | 7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js
| MD5 | dd24e91615f1963a5c64bc9878a0a8d5 |
| SHA1 | 407ece3322d57d16a448b5522d4f29229f80b8b1 |
| SHA256 | 4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33 |
| SHA512 | a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
| MD5 | 3f7323acc829bc8b3799148d439b3d47 |
| SHA1 | 3d3c540c4080462a8013d6db9383ad69606779e8 |
| SHA256 | d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0 |
| SHA512 | 09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js
| MD5 | fb4aa89fb89bf94d0590a3174d1193ff |
| SHA1 | c3812f2105099071c24141a994a9d5087199dbf7 |
| SHA256 | 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273 |
| SHA512 | a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png
| MD5 | 7ab2ac51d33778dac850c5dd8b4ba45d |
| SHA1 | b3f47f20c438aa488fe835e0145c014853ee48aa |
| SHA256 | ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc |
| SHA512 | c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js
| MD5 | 07bcf4e882ae521ec6ddfd0bb2a608db |
| SHA1 | 88e2ab25dec6ba9fedced9bbd21da03639da9409 |
| SHA256 | bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6 |
| SHA512 | ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js
| MD5 | 0ec670fd70f5e89c3d2727df9f2a5398 |
| SHA1 | d19c88c8e11361d4f29719518b8543e0ecf5ff09 |
| SHA256 | 8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3 |
| SHA512 | a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
| MD5 | 2a78f84427d1d591409740722e60d793 |
| SHA1 | 304f17d9c56e79b95f6c337dab88709d4f9b61f0 |
| SHA256 | 4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6 |
| SHA512 | d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
| MD5 | c7fc95def1d53bd3e747248ecbd3cd5e |
| SHA1 | 1b251f02465f9c7dce91aac5aa0679a3c34318e8 |
| SHA256 | 4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5 |
| SHA512 | f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js
| MD5 | 1ea3b76135bb4a589027d6243075a936 |
| SHA1 | 2951fdafcb862ef53fcf213572368bd5e08094ad |
| SHA256 | c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b |
| SHA512 | 3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]
| MD5 | 6cbbe3240a203b0ff387d9bbdadd49ef |
| SHA1 | 2c65f6ea9acd8d164ece87edf2f142942d8cdb42 |
| SHA256 | 7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1 |
| SHA512 | cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png
| MD5 | b513ae819f7d8d10fa4f6cbfdf055b22 |
| SHA1 | b4228971cceadd4a698f3c206d8f4bc24a37f991 |
| SHA256 | 25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7 |
| SHA512 | c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js
| MD5 | b17a6a8826832fc2e1098d0286242861 |
| SHA1 | 8ce2bb5944d61be2b628fc80ebabc769768e0b48 |
| SHA256 | 82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f |
| SHA512 | 688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css
| MD5 | 651bcf535ed50ffa7724c8751bec1a66 |
| SHA1 | 5758c4862740517ba28026c298d1b3a61f43716d |
| SHA256 | 359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e |
| SHA512 | 492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
| MD5 | bec4473fc43b77e28e60f89da4e29c00 |
| SHA1 | d5dbc7c6642a8a23da14f952a0f64fe874e8191b |
| SHA256 | 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96 |
| SHA512 | ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js
| MD5 | a3f07671642038caece41ff2a52d8673 |
| SHA1 | 53442624b01b79a3729a23d4f12efc8dae4b1002 |
| SHA256 | 088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89 |
| SHA512 | 5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
| MD5 | 39e7048d412b94bb2dad145a2daa5875 |
| SHA1 | 08778bbd84d9411f2e531867dffe45fee5d60d24 |
| SHA256 | 4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7 |
| SHA512 | 65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js
| MD5 | df3b4d35decc08d05ef8ee0644ab7274 |
| SHA1 | 6b0381b9ee40dc8470a63218e5cc5feb579f7334 |
| SHA256 | e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164 |
| SHA512 | 257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js
| MD5 | 74ca2c01b07af0dda4bb39ac330fc49c |
| SHA1 | 7cc7781cca7798ce0940fe9be999e85f8b5064e1 |
| SHA256 | ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c |
| SHA512 | cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js
| MD5 | d3e4c2fefeea6e6c467df305f7a8f3af |
| SHA1 | a4468bf4d5abcb4d720b0fefb396dce5864e4717 |
| SHA256 | e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22 |
| SHA512 | b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js
| MD5 | 92f1f77de0ce17e9486d53787f69618e |
| SHA1 | 41198fdd6a18321c15c3d4647962e687fc036af6 |
| SHA256 | 4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6 |
| SHA512 | b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js
| MD5 | 72542b122d453927f3d6c59552165606 |
| SHA1 | 6e2b7f049b60f10edcdec06f357114448c0896f8 |
| SHA256 | 3b17f8b83bec3e72acd0d014f58e7de206106a7644bf3293f93c7456ced47419 |
| SHA512 | 25eade5c88cc35325978ba2e103050608fed4330a1677280eb2e0445946a3367d26796ca1233aa6d7ec4c87f04faf7706d82c72b3f3485d80c18e088813f7a1f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png
| MD5 | 3d55e1e012d3824e53e84d404a6e2f2e |
| SHA1 | 9983296698d4e2736faf1c529e8d27f8071d7939 |
| SHA256 | 6559f403524ea6ef9bf2e1d0bb66d1af8152920fb002ec2c4ced993083124a88 |
| SHA512 | ec75d4dea30bf7567b2f6e30ffed408815c57680a38659f6055d770c85393d8a5678d38a066ceb7fd0ff9c5ef49cf9fd73d7e8eae5a9a83360a41ca74343f576 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js
| MD5 | 7d8302df4582de342a31d0335e979ae7 |
| SHA1 | 7a3e918e23dc8002dfbe1695f8e8fd52db995d1f |
| SHA256 | 899ad5e0b3501d7e00d2f3bd3c7729b4223839e8629c61328db0f818ba0870c9 |
| SHA512 | cbc23b3285f6d8d72221d0fc05ff59336402005e7d3f50d66249ef6076648ec2e22d33ed64f5436767c123f59d37dae45270a259153ed98b885f9c43ec9bc2aa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
| MD5 | 421cd12b43e660f10da31bee36e85f4b |
| SHA1 | b568bb931d5bf4b5805d20fc339b06f9b3763c9d |
| SHA256 | ce7c16adff608d624a412164fdc692305fb461f4b14f9167e6efa78dbbad12ba |
| SHA512 | f56bf5a7a713cbf018203c24a7f9dd426a2cf018cb3ddf9e27f3a7765be3571339421fa5a2cc68f677eb4929a2a2835238a723db4de07bb0634e3f151878ac86 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js
| MD5 | 0900039f6502c5c4418f5b712f0dc94e |
| SHA1 | cb39e28be0988298003a966ac208c54f83a6ae27 |
| SHA256 | 7037318dbcb8809fd3d03ab0293d58666df18363f0144ef65b738ca3fbe028f0 |
| SHA512 | be9fc36c81963737569c65e4f295f347585bcec88b4fa6ef9da1478f4e0f947b64b8ccaaffb816a74216f713060ae0a56f58c3bea1d12b16bb8488a7663db391 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js
| MD5 | 35d5c7b80ed270a94872c0e56a6c59c6 |
| SHA1 | bbc4ed04ea6c922213d7cc19c62c3c4cd23b7113 |
| SHA256 | 5c03e31975b96b3d151d9e034b884cab9c6fb29576d2b5653c375fc5661b6dd1 |
| SHA512 | 57ec341f6ff49f24516e117d5c0b119ba4c62dc0537cfcaa15bbba248729c06d29ca224462bb331c44ff1b3abd724df86d0b2ec473ae9f5d54e31ae2002e8bdd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js
| MD5 | 29dbb24810bdd7f802c1165f8bc3a714 |
| SHA1 | 9ed5ed2ea58cb6d9196e8d88fccdd8f0d522ea47 |
| SHA256 | c9fdf06266cf9e6d61f7989471abe569239a93cc2c0f65a7c596a81af8d6a67f |
| SHA512 | 3802320bcf7b20a6656460456d5b03ac4f85e4572d7530518dcf99f28162964adc211c5adcfb7ace603b6734271581cea26c9e85821b88b1915e13780a19ec24 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js
| MD5 | 7a232b079f30771ada44ab6a1843ec14 |
| SHA1 | 72349db2853443af021d538be9417fe32369d2ab |
| SHA256 | e33edcde1654c47b3f834797623932ff5dd99a4331b255b60452d69d61ccfb4c |
| SHA512 | 431073f497196ad03ba92a8087aa6c50717ae137b05aba341cd8f7ec1705b46f2878b30455c10d7339f89ef16022ca5d054b0f96e5956ef0590121ad8e1a6638 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js
| MD5 | 3b8883ab58438b245c89bc76ee848752 |
| SHA1 | 7b01b457344fcf92362d14247f2c389ed0c89b6c |
| SHA256 | b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697 |
| SHA512 | 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js
| MD5 | b54b9c5d611b062aea9d8ec0d192335d |
| SHA1 | a6a96602b80181ef494a0da49dacae1c44f7c739 |
| SHA256 | d70a13e9b9e9f4026679200872160d667979bd0ae57e6527d44090e49bbc2c83 |
| SHA512 | e56e4a0dba26c3bd824bcd397d495249466a3732bbe1466f9ed1c23ec3a25d79e44e360fb5ee5a229fb24d6961ac32a2a57d0a29fe669e767bd33b956f57ebf5 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js
| MD5 | edbd91ead174c60fdacb765349ea4fcf |
| SHA1 | e55660206658be80e2033a93abd8854653246eea |
| SHA256 | dfd68e26d32c27e8c7d096cd558b12da3228019525baaa2d4b32030339fb0b6a |
| SHA512 | 9c664370c6c102a0e6992f2fe711e7fe7f6ac732a8562bcc1839a0d99d828e4ab0b3dc70f33f3cba444d04161d0df13b70e72b9079c5aabc7a85543168d58854 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png
| MD5 | 45ad813c887294a1c5c88358f6e6fd12 |
| SHA1 | 45266d0bda31888b67b10c601d303caca8786d30 |
| SHA256 | 91ed5badd0d99f45c65c0ccdec04fc59fffb1f6d055a4d2722dccde82a6bb73b |
| SHA512 | b06ab5889fdf50735ff0c3cfcac3e526b9f32d694ac631e7c2a06eceff357f17e92540df5f84426f8e8f75726c1e7df3592f1620728b70a4b5290c9e49e377f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg
| MD5 | 9b4c8a5e36d3be7e2c4b1d75ded8c8a1 |
| SHA1 | 1f884298931bc1126e693e30955855f19447d508 |
| SHA256 | ad47fd9e87159d651a53b3dfba3ef200684a9ed88c2528b62e18f3881fe203b0 |
| SHA512 | e1acc0b10c92c2895fc916fc8feead869e04315e5e6e279f8e61b344545103b4c9ff808c9ca2121d1b013879071364f677da128caeba89bf918ec2791e5ed094 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js
| MD5 | 5af99e838bada8e34b660d7fcecae2bf |
| SHA1 | ead4e402f4696ede69adb3e4cd694e7d52925844 |
| SHA256 | e3f604ce27fb93d417b9e8a4a5f10f6fd17b59a76aad9754ea0cc5c56b31687a |
| SHA512 | e69f6f12a51382491b4bec6f19260df249dc6dd9a33fc590a90a055baa5f6dcc80894e2c65ecc7dd0d10040c90740dcfcd2f98dbd1f2fbd94c34941897f6ecd9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js
| MD5 | ffaab524b0c94fd06a44c1b5b683e0dc |
| SHA1 | 17dcce5e4d3b9f718c902863652cb67e060e2f3e |
| SHA256 | d0a34414103960973357a239952bb0fab5f988ccda1b67ff8e6864afcd806272 |
| SHA512 | a7ecbd3e9656cb0fc1304b4b86980e97680c73b673c4284bbca08c4a3f3ade0699a7de61f0905aee9d521da4beaed61d3ec943090ecc44833118f1f5a29318ab |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png
| MD5 | 6018a4862e3cc6b434d517a47858a2bf |
| SHA1 | 23769e9ae485bb2c35630db9a6ecc8a40c2207cf |
| SHA256 | fde09d85ac7ec84dc0b5f2bf1c1f935b80a3e45dd9257af499d412302602f310 |
| SHA512 | 4fae17ef027649315cbc73ea47a2fbdd8c8c05b9d818af5b41439e9e5fd81d62ce13f6ad125a2817d0bb4b24a831358803c53003628520cb9c2a8376ac8e1aa3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png
| MD5 | 5991993dd41d6d2b062d58bb70971e0c |
| SHA1 | 1a75ce12ef1c4cb6a85225d0bf4f68d4a3edfce5 |
| SHA256 | bd66e8f62d34f70917102405af895c0b07b79c13fd2d1ea65ebfba3bd4853aeb |
| SHA512 | 75511589b1937aca668348061728734718d02065ae76446b61e3292834709e3b66f2a453717fd593a8fa1db92ad7b97af03f7d2e7f5538716582ae7d8c11e09b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png
| MD5 | 4eefd60f439096ed98b6d8a585da12ef |
| SHA1 | 75cb70498807b0c823cac760e00652842c1a63c3 |
| SHA256 | e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c |
| SHA512 | 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png
| MD5 | f2f1d5a683617b2bdb6cb0b1eae67135 |
| SHA1 | 3e0dda160b0f8b963dde8036b45aabab5d86504f |
| SHA256 | 96497e49c11ebeb0f73bc01b033b7f45cd9f8eee478176e11b1c7342efa63569 |
| SHA512 | cc9688ee19a6391296abbae9fb1422a6d72d87b7abe8552e860eeb092f8cf7e6864a7f06dae6a60784b77353c38103abd3632492f8b33b7b3d900531cdb673b2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
| MD5 | a7a19c86ac01e03111c30032ba417b55 |
| SHA1 | fd7f42ef37d82cf1704b65762a8bc6b4a868234d |
| SHA256 | 494032a3293df271c7cc5d26a5753acffc5f6df811d024e9b573f2fa380f3591 |
| SHA512 | 728d4755dd7d21c5ca285906d5f043728fd089de42d2fd04beb514563224104f7672e5f5144e4ed68770b933dd1069d76b26d140eb692d83d907176330f3f6dd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png
| MD5 | 5c4cbc56377969e41dcf39d60690feeb |
| SHA1 | a20120d0d043af4d3b6a72db517ab8a623b3febc |
| SHA256 | c0601bc1bac97e69da3ef3e2898aafe64aec5ae4f3ccbdb7649471f76da4ca0e |
| SHA512 | 4accc91aeb47949f1137ac69a0740a25c957853f59ff8d18077e64b1a3262488b71fc4bd45714075a0652328e1a49a602c7950b86edabbbd7e5abbd9000b705f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js
| MD5 | cf69901e6d4609009dff8be5b3045c96 |
| SHA1 | 712afbf4bdf24b6fa059f0fcd837449d75432800 |
| SHA256 | 16d0edc8b7ad7705b23a14058f366ff1c0dfa16a0ad14f741924c308754cf8d1 |
| SHA512 | 84b63e071f56e8e406fe361473dfd6eb17daec1809eed425b1b977f0135d6a78a3375c9bd1a65daf1ac7977f712b63ed735eac8ebc91e55c1a3f366e288a9ed6 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg
| MD5 | 8c8fd1cfdc60f513bf20132a1d5aeea2 |
| SHA1 | 40167e542ddfd848fd138e2914dbb7f116a8f99f |
| SHA256 | f438a4e713df6a982afbe2eec993cd582edc37a876fee88e1ddabb478f2b5ee0 |
| SHA512 | e5a985404619bebfb615d4b5378942b56089b40170e4072c61eb9ddf722639941e820f039437b59cd3859944b3e06ed72ee49e879522e81fd9d49b56c8e40d35 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png
| MD5 | 5e0d423694dc87169e1124f26d755117 |
| SHA1 | 340b47ffc7ffe45c30ce927f1c839d01600f6161 |
| SHA256 | 68df674391ddb32170020e5b55b8df9ac1bb5274419dbf8748ce53efb18584cf |
| SHA512 | 17ace592b7b00dd530d923711160c39417b6c6412c3528cecb002fc065a16dc439555f61e4f6de7ac86291cd9cac5f5ea8411bec8ffe043faba887026fd2ec77 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js
| MD5 | 8ab4b211dc3d2947d2466033f6d524f7 |
| SHA1 | 7c457aa6cb3b704da3c977bbcf3953c3c1a7a7bb |
| SHA256 | 5bc633d52bc4345c9cc4ea7cf49422a85a9fe401faf3239ef72b53aa0dd667ee |
| SHA512 | 0b7e9cda1a82a15fc9492a35808bd1ea43966cf5e55d84b9831f79d64f36a66583a14f0ba95eb12098bf9df6a95eef0bec6606aba1cf56bdee0e046aa60f8d5f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg
| MD5 | 2518c2304a390e60d20b53b101fc0056 |
| SHA1 | aae24d58011859ff6986508882dd7eecaaa7f604 |
| SHA256 | 03e98670a1d9049b8e1f02c4fdd449d098465f7578ee0eebfaf3f138a78301ae |
| SHA512 | b7457acf824d68e7728088668cd8d44e06566dc71d156db7e9480b957305f2268778907a8e93e4e2d1937b3c3cbfeeb327399cd7f33a60274d91efab2ec3f534 |
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe.manifest
| MD5 | 69016e6a597d194701476b8e04d4e028 |
| SHA1 | 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129 |
| SHA256 | 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a |
| SHA512 | a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae |
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedgewebview2.exe.sig
| MD5 | d8d0face111912e6dcc93f665bfa10ad |
| SHA1 | e171cc8b4abd73e2e6f9e0145e8e3d46e333133b |
| SHA256 | 5efe288bf88e3a66ead387ee327d7f2ae6637fa507e14271cd1c30024279945e |
| SHA512 | 2bedc86a79225d3c23067a042a219976a670ee164222cbde077edc2bf5618181eb5e26edf86946e2797016c5a87f3534e47dc4ac76d40487354a701ef77aa51a |
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Sigma\Fingerprinting
| MD5 | 0b91f1d54f932dc6382dc69f197900cf |
| SHA1 | 3173532552077d0d796c3628ac35c76343dc3a04 |
| SHA256 | eb142b0cae0baa72a767ebc0823d1be94e14c5bfc52d8e417fc4302fceb6240c |
| SHA512 | f5c17634c4abc78cd6dce4b04d0e24bb8b7d5cf2d3a7702776b2b221b99ab0d760d119c2d2a7b95d5663a415435d3fabfe492ffefd7388c8f47d9e160329b18f |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\90.0.818.66.manifest
| MD5 | 3e586cd8128ba5d03ccbc121909e7421 |
| SHA1 | 140dc52658e2eeee3fdc4d471cce84fec7253fe3 |
| SHA256 | 1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992 |
| SHA512 | f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Extensions\external_extensions.json
| MD5 | fa8715078d45101200a6e2bf7321aa04 |
| SHA1 | d991c16949bd5e85e768385440e18d493ce3aa46 |
| SHA256 | 4b298058e1d5fd3f2fa20ead21773912a5dc38da3c0da0bbc7de1adfb6011f1c |
| SHA512 | 6edf7ff286dc9038e790e27b600abadeccf74542ce91196b8ee6c4ac9308529cbd7dc65c82f82021f01863e2c08f846621e1930768e6f3590b2315c72298fba1 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_proxy\beta.identity_helper.exe.manifest
| MD5 | 97ece9455ee886dcad0b5ba56b1d8e8f |
| SHA1 | 0917cf1ecab906ffe543cd38f958a728b82d64f6 |
| SHA256 | ee2c0671bfe6befd9a3575be6511608057b044a870a40244feb39b121db5818a |
| SHA512 | a8780fa48c3e6f44ae5fa77dd418ab0571ccda0a1b8191c58357103ca4993a57c877bcad0884d16bdccaa1196a511f440df16063affb9a89dd4476deb55b27f4 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_proxy\resources.pri
| MD5 | 5ae5020da641f8482e42b57ee0459fd6 |
| SHA1 | e4042c0fc726bc9e4023d92e630ad4d544189cfc |
| SHA256 | efaa43be4eeea4c13e862aca4e133e7f5b8fee4287aad2442db0ef6b51c066aa |
| SHA512 | a951f33be06ac02ed3ee1d508d0ee68408d4c711c2edac66267cdf8b712370bb083f944d61799601259d373d8072869297a8fd4bdf3644fc6471560b37e9558b |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\MEIPreload\manifest.json
| MD5 | f4332cb4ea9179c3b4d5f039fe518947 |
| SHA1 | 12b445e0dbf65060bfc3dd1a0958f2524d48d324 |
| SHA256 | fb678f67aea5293efa9930a41b828fdfb475dc2b427628588640e080884f0e45 |
| SHA512 | d442a078daf7a151d437edb8a8e2b0dc3eba06818a318a38c6f0d926112496870802fb171cfffaba6f884c8fd5cc4ca615d1762e22e2d052151db9ac2740c512 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\MLModels\autofill_labeling_features.txt
| MD5 | c3c3bd5dc14d68ecf9cac6bf2787c7f1 |
| SHA1 | ba4853db691254ff25485fb4255c6bc344d95727 |
| SHA256 | 8439adf14fbb0a33fa9b4bcfea247ea29c440d9c5bb7ea87f6cd8c2d3bdf2614 |
| SHA512 | ab56bd96e36adb4b7eebfff91ed00be8f3313c542050011eb2cf96990d346d595575177925e77c9078b66cf637d040b4f28d121d8f129c0fce11a7ebbe196a9c |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA
| MD5 | 522fd2beaf59af03008c9ef646a5c5b0 |
| SHA1 | b5fe6e71b0b0455a0a046f6048ea64b3eb1d1ab7 |
| SHA256 | 24a415968bc1f7080f9966e338ad2f0072e7a36c8f9814d9c1ae875c740c7f31 |
| SHA512 | 51e4b3569d942345db6af772ad46634408ba1b74516dfd13e2fdb260b99c00b9d147486e87ba7c97259daa9118ad4e2c3e6f78611a0899bfcb0efef018f12836 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\manifest.json.DATA
| MD5 | e7633aa6a479bbbe82dbe794126bbeca |
| SHA1 | 1df5935d4cd349ac78102af001ced100f31449b1 |
| SHA256 | 115bad14f1c9f2c027a84de21b107015722cb76be8d0abf3760ad8e00d6c24a5 |
| SHA512 | a191f83247bb1ffc8f4fac4531427cc5546ef7b9991b65bd361be41382708cacbd56c15cec16495909419f9b2026c6e7048be9256d9c755f5f5ca97484f794a0 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\CompatExceptions.DATA
| MD5 | f0aac468ca67aacc4af622247350e466 |
| SHA1 | e59788395d918654bf8359fa992e9f0b23b25933 |
| SHA256 | 213e3a2ae54f25b06fa2c6712c23310e8cea297ecc0d77c984cf1372e8c115f3 |
| SHA512 | aac26ac350e25eb754a8f96247201b827785f20f4f88b99dfcbd487e90f7e98fece696a996b7fdd73e5427c9e9408dc6184d7cf0d2ccc117c13c57b6d3ac7ae5 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Social.DATA
| MD5 | a9d5728f9b0e997753288b3a140c5335 |
| SHA1 | a44e9168f2e351f3ad4ee2f7c0e0037d64f65066 |
| SHA256 | 84ba348aafb41879cfa434256c8657baff00a9bf41d5ebe041b0ef87e7419f28 |
| SHA512 | 13380300950d351ffb3256e3b65f6dcfda8c52dcedf6627e10ef231925e45b178d173e7a24406bdef42949f9919326e7abf8a9101e2fee0127c578a46a1df294 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA
| MD5 | 402535c9f22ff836ea91dd12e8b8847b |
| SHA1 | 707efc314ec536abed535cdb1b2414aba4713577 |
| SHA256 | efbb03b7a7f6fd3c29391d4d0281e1830a85caadd831c3f04716faca4107a42e |
| SHA512 | 6c0e9557cf0fadf4db740e203df3d499f7247a472d9132b7e474420b142ae83e6cab592f93aa096d51c04f732098fa7355622e955b459f1c6d87bae8abc73264 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA
| MD5 | cea67ffae620e6410ed0590dc6ec9b92 |
| SHA1 | de0e7c9e496fdd650fd8ab826e84b256eeb85812 |
| SHA256 | 2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537 |
| SHA512 | ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Mu\Fingerprinting
| MD5 | 4d67c975f3a405928a4c0b86a7027fa3 |
| SHA1 | fa881e85d888a9919dd78dd77965030e3f22c2ec |
| SHA256 | 23f660d6f63bf5447c1a4fbe0ce383f7ea916c030b2ddfb1b10d7b01cd3e7240 |
| SHA512 | 3aa264680263e7d179d435fa9788bae1334f2f8ba58a0bfcb0849107e1ada64c3566520018faf4268aad0771748613208fafceb04fb172f4e70c3fb2a1d18c2d |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Mu\Cryptomining
| MD5 | 64bc13a1e8beb951a6c890a812434054 |
| SHA1 | 904114a3fec55820899bb5bb278f2e97ed0c48e1 |
| SHA256 | 45eb891154164864eaa29c5e99f304dfd3fff33db977755c5a7add6526b577a9 |
| SHA512 | 121c0b474d3831d004dec8fc472784cc9f9b49d4639fc6a43a7c5f74b2a0256fc01374128501ba4233dc93e5c091cc1278900ca497de108929654d84e58b3f95 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Advertising
| MD5 | 2b62a30906a2b8bf3b68abd2ef9d105b |
| SHA1 | 9898d25a214dba04ebd7e3030ac9e2e90ea7a369 |
| SHA256 | 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c |
| SHA512 | 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Analytics
| MD5 | f3a534d52e3fe0c7a85b30ca00ca7424 |
| SHA1 | d576c908b43ed0023cd12557d5831f20b24e42ab |
| SHA256 | 762b023699a0e48aa95763f0cf7c0467f1d6e9880308c78ebbc1c423de7072d3 |
| SHA512 | 4a2732d16513e4945e3bf846710a4d0f983f5856ad5469eafa569811204eb8bed2057e4af73e744ea2ecb1016912558db129e5fc979a71e077b0e7f460ffdbca |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Mu\TransparentAdvertisers
| MD5 | d28c293e10139d5d8f6e4592aeaffc1b |
| SHA1 | 3b575420ceea4203152041be00dc80519d1532b5 |
| SHA256 | 61126de1b795b976f3ac878f48e88fa77a87d7308ba57c7642b9e1068403a496 |
| SHA512 | b7c0d359932e2cc0e85b731a285a66d57972b16893e0426d1605fa727ab698a25c54abdfb06436885af68dc5e2c85c0bfa997818ec3258068deee038470e249d |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Cryptomining
| MD5 | 70bc8f4b72a86921468bf8e8441dce51 |
| SHA1 | de8a847bff8c343d69b853a215e6ee775ef2ef96 |
| SHA256 | 66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925 |
| SHA512 | 5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Content
| MD5 | 81684c2e68ade2cd4bf9f2e8a67dd4fe |
| SHA1 | 8696cf0f4655636cc93c566c1be2dad311da646c |
| SHA256 | 6db65fd59fd356f6729140571b5bcd6bb3b83492a16e1bf0a3884442fc3c8a0e |
| SHA512 | 85531d8882578fcf9bcd90c2a24c5ca2fd6a49966f0d4a9b47e2017b21aca0d2c2b66905bd56c7dd40a0014f44997698ed06f03ea247be353fb1d12ec22cb658 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Entities
| MD5 | c1f4483271dd550a418a1b55bf3c3ae0 |
| SHA1 | d3be6577bfd30397b19529468eb2f0674b6848a6 |
| SHA256 | 9600fa91f88abf02543f1141589d72b35f3dab28ddadda98b5101b53e123b622 |
| SHA512 | dfd08744466c8edf22ebd6acea9e2f22076f289bbac5a7c16ebf20a428e7e9525de2e8206651f275d88e4f3995f50e15202ee3e3c9aecb3cb3b7011d2fddfc8c |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Sigma\Social
| MD5 | c54104d7894a1941ca710981da437f9f |
| SHA1 | 690cd5cb8923ae1a4c6dd01447fd874008cda49e |
| SHA256 | 0d5535e13cc9708d0ff0289af2fae27e564b6bcbcd9242f5140d96957744a517 |
| SHA512 | 0543cf83e7b8bfb8e8e28515f02b4cfa8f07be1283a125b06824d4aa9acaf828f84e802ca41f7961fbfabbba892f1fc19ce94ae1939caf906c173347d4bf6396 |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\dev.identity_helper.exe.manifest
| MD5 | 8c2f9ea9337e630b2b4bac5f92ffc4fa |
| SHA1 | a0c4ecfaa2fe7805d869f06e14b0cfd75fe422b2 |
| SHA256 | a036842f845435a083749b3732f6956929ad0a253e3829bfa0564abeafa5e010 |
| SHA512 | 5a4827332d2cc8bf31d3fc1f1ae41d4f795edee35be0b2b51ca831671f341190dc5ae99a5cc915f2acb325bcbe5a69334ffe9badd8150e50d7243ce7171fd020 |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\internal.identity_helper.exe.manifest
| MD5 | 9f2a664f76b8a4ccb6b27d1cc38bc066 |
| SHA1 | f2970074313cfdf7ad4b1b497a197700631ae06a |
| SHA256 | 68d63c6adfaa76b9608a3dd3c1708ef4b82ce3ac0021bbcdabd605c1a608b3fe |
| SHA512 | 55b0c68ab7a4655f10951acf8f9c471360a55665235f0e6b9ab21d5aba14b75d2164b1297b9635e897faeab72c24fa05c12e9da4183dcb61b5f4284cbc85ed37 |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Installer\msedge_7z.data
| MD5 | bb0f62a2dfbf26a6d751982c57a9aea1 |
| SHA1 | 11860db0c8c140b98330f30f9d8a1d5309e1eab9 |
| SHA256 | 408c46f08f5fa0f924de60c284e5f59459d9be5ba5da929af5cbd8afc532beef |
| SHA512 | 066a567d1a36fac02ef0bfbafdc47e3596ae048e4e6e94ee13e9b09ed4e7a4458b823a196aba48ed3c5958c4fa625cb181ffe5abcc7f6b532fb8dea94182f87f |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge.EtwManifest.man
| MD5 | 94c852e38c017e51cc806a6f0cca17dc |
| SHA1 | 16d8711a39b05c6b1cc8c3917c607c52191dfa8c |
| SHA256 | 9070cc0192e9ab38f5fe43e189470d0af2d3b409326c322669fa7aabad67282c |
| SHA512 | b4945a974364e2e7b28444ece9e5c75c272dc14f2acbaeabcc8cd0471d5a5a17459a1b58fd3309813a3bcd17b35d71a039d87fd9c9597fee83be517c0b25b65d |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\show_third_party_software_licenses.bat
| MD5 | 8b12b848f1cc13d4eb4c4cb4e59dfd46 |
| SHA1 | 4a979f82080face1bb915884c0d8873553e95108 |
| SHA256 | 6287e17fe5efcb191aec8a2578e685d0a1040a0ab53bd1f02c7f49cc6c8fced7 |
| SHA512 | 468e0f3a43de5ce2ae9eb7b942b632097417c404e97020c0b04a187a25074e26f387d86d20fa99745ecb54e8196c3b54d6188cde92a7b286ba4446d880b8ba98 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json
| MD5 | ab9d8ef2ffa9145d6c325cefa41d5d4e |
| SHA1 | 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab |
| SHA256 | 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785 |
| SHA512 | 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100 |
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml
| MD5 | 234c58fcbf2775edbfda910d2e0cb945 |
| SHA1 | 16314a6f5604aab01e76d5e7f7794b40c23a4785 |
| SHA256 | 68193f3f98611b2aa42be4d2995b0b9a2465277c7520231324a08460639a41a5 |
| SHA512 | fddd87a902c108de1d986dc6e4fa7347e3908076d1ec3f64b19602d3a2318ad5ee0a1d46599ba860dec61843c2954d3cc9e91aac9718a82d1043e32b3dfb6bdd |
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml
| MD5 | af98b62b3f9d6e70c082f05969c0d2b3 |
| SHA1 | 2a78fe6ace36668a1505ce949dd5415cf172590b |
| SHA256 | 77544451f210250b90637e7ecfebfc0ce00398ef964a2d46f1b92adf4d6f97a2 |
| SHA512 | 6a8d54bbaa9d6f04de832a60fed8f471eaf38bce9f95942d2fa84dba035739b65cc4fbe58904a7d2220af89d735b96be1bb6aa43aedecb83afba6c4d3be20850 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
| MD5 | 8b550761ab80413c9c09f7fb472dbfaf |
| SHA1 | 67122822562203c17dd3f762194e470f90ddfa97 |
| SHA256 | f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b |
| SHA512 | 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm
| MD5 | 8776c367699ad807af292f1f5d085d4c |
| SHA1 | 9209e352bf9d3999f94881a75d6f7d39bc6d7f77 |
| SHA256 | 18b602cdbb7656129a359046fc68faf1b990da88c6c3b3e6b20c1df399cc0645 |
| SHA512 | 83a17d98d175a122fe98cf89c476826769d8fae0d74dc93c8fe48d12089e26bfd501a586db3783a03e1bfe07864ebec2a6b5a48415554c61cd565131ed40a9e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT
| MD5 | 4ae71336e44bf9bf79d2752e234818a5 |
| SHA1 | e129f27c5103bc5cc44bcdf0a15e160d445066ff |
| SHA256 | 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb |
| SHA512 | 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
| MD5 | 2dcea950234175e3edf672936843ab5f |
| SHA1 | 4ca6dfb9ed642bbfc0002cd47abaa2dc895ce0d4 |
| SHA256 | 74ca16b1138459ef2afb19324097332626ee7c897687c5adc5488f93bf0c11ff |
| SHA512 | 483866f3ee1d730f1052b0ce34832e0e42145296df490a68901b95e616f2dfdc39fb13e2ed80bd259c43475830f6a74257a5fc8d163e7f1dd17d39556501dfa4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\dasherSettingSchema.json
| MD5 | 310614b10980392ebdb5a5a8b90b527c |
| SHA1 | 8c8fb36e7c2a1574cde7fdea30e8e5f14fad7691 |
| SHA256 | 445c811c35e2fbd4aa59389ec805492c7b2db50d65f5d161417ce8302b103fbe |
| SHA512 | 416650adf9a61cbbb6eff7af635264e5bdde903477465cce05b63773927b8afb35e75fb68497882bce7778f524b9c7f3f2befcfe3840e99bff90ccd305bac66e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\_locales\hr\messages.json
| MD5 | 798b4a7c5a9f20d24f36ba8daf7b8f70 |
| SHA1 | 0f007b82783ddea5da7374c96925b77a7fe9f57f |
| SHA256 | e5cbc8e3a6e843009fc9a9de7a83df9d05532e08d48da06c66f907f58d0c745e |
| SHA512 | e3faa4376d03dad6cd714dee6349733abe29d0c2118456f80bcc4c758015b12a06b4ec6532a6e98d512f5c6dec7a7ade5c1d2a418db0f739ed17f18c0cd6b54b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
| MD5 | f5cfd73023c1eedb6b9569736073f1dd |
| SHA1 | 669b1c85ecbafe23c999100f55a23e06bf59ead7 |
| SHA256 | 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2 |
| SHA512 | 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | fc91658bb81ea407fd37a59d65f0d86e |
| SHA1 | 6cb269ab1a592dfd2039dc8c50c00b86af94d3e6 |
| SHA256 | 4bafbcbc4cbbda94d0a315a09176de0ce6872cf1d85113539a7b04ff2360efa1 |
| SHA512 | c5b8832097ab5e74a0c31cc243c98c6a2b9734da4eb6e25cfc28070529ff4b6d77de1e97388f188f00148cd8db32f3ea62dc86aa841d47e25da8d8dd2267061e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
| MD5 | f536fbf78e26387affb82ee89943b870 |
| SHA1 | 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7 |
| SHA256 | 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15 |
| SHA512 | d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b203621a65475445e6fcdca717c667b5 |
| SHA1 | c17fd92682ca5b304ac71074b558dda9e8eb4d66 |
| SHA256 | 17b0761f87b081d5cf10757ccc89f12be355c70e2e29df288b65b30710dcbcd1 |
| SHA512 | ed68f5f49945dcd0d81dfebe2f2fd1fcfe016807d5c64ee0377d046efeb0a7fd9b4b9589b3df8a14194d51dcffbd89c8aaa072cea2ad4e7976bdf53528ea90cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 9ee38aeba19f4d46fcd9eda4661325d2 |
| SHA1 | d458ade2d50d219b089b0985ef765a80843602ad |
| SHA256 | d99258f5d81067df4e95825381104fe6c90d04d01bdd2915954dd06f75d07c10 |
| SHA512 | f352805d5ebb6b3351dee65dd1f66ae5493ea36dc342c31d8e714fd11095739f755a50d865b9bcfc40c60616c9bcee4cbbcabb6c18566fdb73e778cd41112738 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin
| MD5 | 1595ed4372d33dbecabbfd411c6c8f46 |
| SHA1 | 8b8ba962b765110f762f873edbc3193adef48b33 |
| SHA256 | 8f6abb9e202dd8027ac9abbd475a24e62659a0b2683613f219c21d1238816ed7 |
| SHA512 | e0017291c0d0685ede7a6492c2683a90b37482d21037840ab3e2cef4ed381bbffa8c31ef3c8d06db0a800eff69ba4505012886f88a911997657b3f26284142f1 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin
| MD5 | 97d6d52a254a9cbd2bad939ce1926af8 |
| SHA1 | 15a64b0f07658da802cb0bdd43c9c6f2df2f0af9 |
| SHA256 | bbfa41253ad301a1cd9c7f6321bff365068178f26cd84e8afb127fb4001bc4be |
| SHA512 | 98e76665962acd459228cb9635d95bb37c6e538eca7ae50107c665c93be334b907178f87749b3a4f33db34152b9d9035163fe2429306eb3ac45ee539e242c3da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
| MD5 | 897208d5df122e307ab837d982b2c085 |
| SHA1 | cf4ca14a7adcbc197cd84c1997efdd076911d608 |
| SHA256 | eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4 |
| SHA512 | b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk
| MD5 | 61d2c715839bcfa06ce4d23dd84e7457 |
| SHA1 | cdb61e6100ac4882ba4863875f63e38b8b804ddc |
| SHA256 | 1f9ec15f6ff239e14a3a243a98f19ae7db16d425a63b2da0908cc0ffcb1258e7 |
| SHA512 | cb6577068e0b746a0ff0148238fd5be9e02e4ff6218fc21d78194a06ebd3f54aa12a1a9b80a4cc9a9f66f72f49eb875eb367b344f674807af11373770f75d952 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\safebrowsing\ads-track-digest256.sbstore
| MD5 | 017813103ef615c6e4e41c106f0d8540 |
| SHA1 | a7bb21ac882f35d671d5f0597f8962f9e04e371c |
| SHA256 | f18f13c653940384b01c154887477150b1c0669d5620d263f72bfcfa57daee09 |
| SHA512 | 0a615cbbde1ce71e1e3623454e2dc355f5ff2e2480520ec0598de70a9cdbb287959bf7958435ed05457957e3ae09d2db2884ffd743806191b773d91a5c882fda |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png
| MD5 | 535ee7f4b7959a29e1d1be5a67e00334 |
| SHA1 | c8b3bcb1c1fbf79c59a847510d884da10dc62f19 |
| SHA256 | 46dcb7a9e7bde1f57e5ed2eef9257d2d0ad622c1b3da32700f6d9e2ec4a0e287 |
| SHA512 | b0f9d39cb8200c35c564053454dc9fc67e68140861255f77dbe63679375ff3f892426109e95633fcf6e285b9547d890d1281d8ae4ef97cfb78433608961934b4 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | e66d4ab75e9862302da5825bbf066c5e |
| SHA1 | fd5c26be1c56ae0af5e626741ca5896858e43073 |
| SHA256 | 4925b9b6329f24346bce043f2cdabb940199fd87188f3ae77c9559bf7cfa9f43 |
| SHA512 | ed179e34d1d6f2ddc85fa6cd8b866f192c1c4ff2e2b715d9ddd95bff6e8f45318dad7d4da607960268e1cdfd78d48f04b4ea1a9b01ae70fc1c7da856a178d8c8 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\QK2RQID8_1\6HY48V20_2\T4W33ZOW3T_36
| MD5 | bf4c026772c225615ea757cd61bad28d |
| SHA1 | ae66a8cf49937e8b65e84aed12475372dd32ba5c |
| SHA256 | 55412db7b9ee40d211e18273cec4eff01ae9d47e16aaa327ec2b1b34de6447c2 |
| SHA512 | a29bc1a3885d35fd617adbfeb6879d36fd625821043bab5171edeb0f726d7a2d3500aa61ff1eb708412d5b114cd3afad0cd9472c42d002c049f16635f42d5fd8 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\QK2RQID8_1\6HY48V20_2\TIC4PX9F7K_5
| MD5 | 92c4e1d4dc466fe795ad3790b1a5d402 |
| SHA1 | 44590f177018f533d5f100dc4b0c742e5a828ce7 |
| SHA256 | a4afa958696bd1da6e58af272863623a86c14f7f261e5147adbffe2055b06589 |
| SHA512 | 41181c19737fe46e840bd29477b4ce128d24a90836712f541833a7173bac4d6de6e8b1164361bef5a25fcd9751038f5a28c9e9d1d63033ade8302e70f5bf9bf2 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{51c7c2f9-d58f-4147-81f0-12b1023e933f}\0.2.filtertrie.intermediate.txt
| MD5 | ca9c491ac66b2c62500882e93f3719a8 |
| SHA1 | a10909c2cdcaf5adb7e6b092a4faba558b62bd96 |
| SHA256 | 8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4 |
| SHA512 | 65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | a50b718c3518b630251fb54b92bde360 |
| SHA1 | a9582222b6f4df2b4e3e4ee5fe91d25ff086b943 |
| SHA256 | 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015 |
| SHA512 | 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
| MD5 | 4f00b32a70c5d829f8199614fe56af64 |
| SHA1 | ff2afa238f88ce8cdb4430fe578c58823cd6d752 |
| SHA256 | e3833793f7412667cdbe15693f5dc4994934d1a6695392f8bebb74f985658256 |
| SHA512 | 6ca12db615454c1b842040e5047ab24906d372b15b547653553d39ebd18cf4f90a360c5032e415d00ba313cb27def27aa8eb7e94ae3d86fefcd856b693f0c6aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
| MD5 | 80be6efdf5a776659777bf07d4aff891 |
| SHA1 | 1f98e7ba8de8c6b39f4b202739ca71fa2629fd6d |
| SHA256 | 9ebc694d4895efc802ea27714a71986f293edf4b63e9918c27d65871b06f43a9 |
| SHA512 | 03a5434f25209a74a0abc6045c66a45e098d487227cab71004363c8c823840b49596857e8f757f42b8953f9bc2066209b1e8f52104d1837705828cb2676119cc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\previous.jsonlz4
| MD5 | c7d0f659eca42d5276b00fc3380e9d63 |
| SHA1 | 0c480f776e199fc81cbb8787da57279d32c30c82 |
| SHA256 | 72b8c37f7304d1c9e5fc5c8cce3e1f602ddb4227ce922548f87f561ea80ef3e2 |
| SHA512 | 9b6fce4532747ce50b4145d9c3681df707d0cedcf3253ddc8386105a0eec876c8f421323f4c836e05bd121b2647b65a8e216a1bef2b309c7f77987e51b614cfc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\storage\permanent\chrome\.metadata-v2
| MD5 | c183857770364b05c2011bdebb914ed3 |
| SHA1 | 040e5ac904de86328cca053a15596e118fc5da24 |
| SHA256 | 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca |
| SHA512 | 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70 |
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk
| MD5 | 7a4228aa2003a72a296e741bfa8246f7 |
| SHA1 | e94ca8cb43d671cdc3ed759980bfbaf73cf4c6f8 |
| SHA256 | 462fa5c6568794276673c9159500918afddf8f170e580fd1f3d483c48934b050 |
| SHA512 | ed66dc35762f661f760eaf0feb82e22c823f11e552c9f938748a8b158ecf0828f40d48afc4d5cc07122f41a13e7b322950b9f156808b125bc7a1ae19e066d304 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail
| MD5 | f1d3ff8443297732862df21dc4e57262 |
| SHA1 | 9069ca78e7450a285173431b3e52c5c25299e473 |
| SHA256 | df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 |
| SHA512 | ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
| MD5 | 7ba69f4ec41007c035beb73aa29d6b32 |
| SHA1 | de53c85a814d9addb1160cea893c73cf98c4dccf |
| SHA256 | d07bdfd8af965e4283a5f77274fc59bee1379af9f221358b81099df31f696345 |
| SHA512 | 2e209dba34b3daa898c15f5ce479e40a71424e9e52c5b818badb04630206fb73aacb96910484b3369a11030bf0286e018ef9f59f32cff27ac0525573fd7619c8 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk
| MD5 | 35705a33e80294bdc078f5582784f4fa |
| SHA1 | 3b8d2bc3650098d604e3363fdc41e9bfc2f4609e |
| SHA256 | d0e438519a8e2075e13430b66debeb7204e5e8ab41fb24eaab20db0bdb66d835 |
| SHA512 | e560c350940f15a8d5c5187ed833190cdef9e4862e8f06dde9b0204ad1a0decb9adaadd27c4b7015ea5e7fabe7d7a63538ba72def9997e56300cc8ddc4249061 |
C:\info.hta
| MD5 | d91c44f3ed874a73a0930fe6fb921eb3 |
| SHA1 | f3c4b0ff0c8189536001a274ac36e1c67ce67edb |
| SHA256 | f2e0099caae479bca87ab6f2dbd870ab2a8355c5ea9f9c83f5c539e938889b6c |
| SHA512 | 65a751e1251097de68577a9f664f5996dbdf9e8d324045d34dd89bda38169ff7f89f2946bb8c90d78724532214af4d765ea9aae405c83bbcf035e00214a4bae5 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10-20240404-en
Max time kernel
316s
Max time network
1588s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240221-en
Max time kernel
1558s
Max time network
1559s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
"C:\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 668
Network
Files
memory/2364-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2364-1-0x0000000000180000-0x0000000000300000-memory.dmp
memory/2364-4-0x00000000744D0000-0x0000000074BBE000-memory.dmp
\Users\Admin\AppData\Local\Temp\0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
| MD5 | 07563c3b4988c221314fdab4b0500d2f |
| SHA1 | a5f53c9b0f7956790248607e4122db18ba2b8bd9 |
| SHA256 | 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224 |
| SHA512 | e0264bf772ba43377d1dcdc95dccdacc16ccafee28e8d91a9d532cf2383b0d1ad43625cd0b09555018583db796a59603ad12d568e2aea154594b5d02248d0ecb |
memory/2364-88-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2364-89-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2364-90-0x00000000744D0000-0x0000000074BBE000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240426-en
Max time kernel
1487s
Max time network
1499s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Deletes shadow copies
Renames multiple (96) files with added filename extension
Disables Task Manager via registry modification
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops desktop.ini file(s)
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Temp\AESRT\refresh.bat | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
| File opened for modification | C:\Program Files\Temp\AESRT\AESRTback.png | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3628-0-0x000000007450E000-0x000000007450F000-memory.dmp
memory/3628-1-0x00000000007F0000-0x0000000000958000-memory.dmp
memory/3628-4-0x00000000059B0000-0x0000000005F56000-memory.dmp
memory/3628-5-0x00000000054A0000-0x0000000005532000-memory.dmp
memory/3628-10-0x0000000074500000-0x0000000074CB1000-memory.dmp
memory/3628-199-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
memory/3628-200-0x0000000074500000-0x0000000074CB1000-memory.dmp
C:\Program Files\Temp\AESRT\refresh.bat
| MD5 | 0c7022bc17761ecace63d45343c9d2fd |
| SHA1 | 7fdf53bc92830e4e5935f61d745a055edd3fc9e3 |
| SHA256 | 98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a |
| SHA512 | ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a |
memory/3628-204-0x000000007450E000-0x000000007450F000-memory.dmp
memory/3628-205-0x0000000074500000-0x0000000074CB1000-memory.dmp
memory/3628-206-0x0000000074500000-0x0000000074CB1000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240221-en
Max time kernel
1561s
Max time network
1562s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
"C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe"
Network
| Country | Destination | Domain | Proto |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 198.252.108.34:3012 | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:18
Platform
win10v2004-20240226-en
Max time kernel
1793s
Max time network
1803s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
"C:\Users\Admin\AppData\Local\Temp\20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 144.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 198.252.108.34:3012 | tcp | |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win10v2004-20240508-en
Max time kernel
1800s
Max time network
1801s
Command Line
Signatures
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (509) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 = "C:\\Users\\Admin\\AppData\\Local\\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe" | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fi.pak.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\PushpinLight.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\AppStore_icon.svg | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Principal.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-250.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses.svg.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStoreTasksWrapper.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\LICENSE | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ui-strings.js.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dll.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.Native.winmd | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons.png.id[815286C0-2378].[[email protected]].Barak | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
"C:\Users\Admin\AppData\Local\Temp\2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
Files
C:\Program Files\7-Zip\7z.dll.id[815286C0-2378].[[email protected]].Barak
| MD5 | ade50838b5768408f48bc1f4e73cb4d7 |
| SHA1 | e58d4247d2491e2d187fd45ad9f49ec247dedf21 |
| SHA256 | a34fb1d24efffff45f2f6d5c58e80fa3d7ca5f560c583dff87ae80576fa2f83e |
| SHA512 | 48ef0fb2cd78cbf9d7e06f1a5b641331a39c269b50d64270cb9e063f21c6e434e92048420c1ea0a04b05ab5d85a87fbdc812e4862ed24822742573329b06627e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
| MD5 | 1681ffc6e046c7af98c9e6c232a3fe0a |
| SHA1 | d3399b7262fb56cb9ed053d68db9291c410839c4 |
| SHA256 | 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0 |
| SHA512 | 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5 |
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
| MD5 | ddc4cb14453391bcb5f4d645b2916a6c |
| SHA1 | c4738d174c90c285e17bf51a9218256f45f96ea7 |
| SHA256 | 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb |
| SHA512 | 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f |
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
| MD5 | d13b5ffdeb538f15ee1d30f2788601d5 |
| SHA1 | 8dc4da8e4efca07472b08b618bc059dcbfd03efa |
| SHA256 | f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876 |
| SHA512 | 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46 |
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | c5b7a97bda04c48435a145f2d1f9bb42 |
| SHA1 | bd94219a79987af3e4d4ce45b07edc2230aaf655 |
| SHA256 | 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0 |
| SHA512 | 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80 |
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
| MD5 | 809457c05fe696f5d34ac5ac8768cdd4 |
| SHA1 | a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9 |
| SHA256 | 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be |
| SHA512 | cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
| MD5 | b9205d5c0a413e022f6c36d4bdfa0750 |
| SHA1 | f16acd929b52b77b7dad02dbceff25992f4ba95e |
| SHA256 | 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a |
| SHA512 | 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544 |
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
| MD5 | 301657e2669b4c76979a15f801cc2adf |
| SHA1 | f7430efc590e79b847ab97b6e429cd07ef886726 |
| SHA256 | 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b |
| SHA512 | e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51 |
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
| MD5 | 3be680b6a8edfdeed37bf5068a37dccd |
| SHA1 | 75bc261fc558634731e683e431e4a31c5b463107 |
| SHA256 | 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4 |
| SHA512 | a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
| MD5 | eedd2d13e3671d589714446755b78b38 |
| SHA1 | 2fdd23507187a259f5a7edb01611a37b6b09f4da |
| SHA256 | 467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d |
| SHA512 | ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg
| MD5 | b651e9101be833e87337050028831efd |
| SHA1 | ee594ba38a6324369ffc7b4dc89407d3436e34d9 |
| SHA256 | 4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619 |
| SHA512 | 3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
| MD5 | 1bf37c0336c12ccaa1c62386acacc858 |
| SHA1 | f1e187c79588e4e9fce931997443d7e5cafd1db6 |
| SHA256 | a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673 |
| SHA512 | f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg
| MD5 | 81cfb9735fea15ca8791a3c34a78d992 |
| SHA1 | 9b4962166a47f5edc62e5fe3c4f8772446db9296 |
| SHA256 | 3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8 |
| SHA512 | f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg
| MD5 | 55215e8f92d35f26cca06fa9d5d221e9 |
| SHA1 | 994838c8df5921e3828749a7703ebfa8383e43b6 |
| SHA256 | e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae |
| SHA512 | 7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg
| MD5 | 2807924fc18c958c38a7004a5dbd4091 |
| SHA1 | 85534040543c3306284e6a475999c46249a35e4b |
| SHA256 | 0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500 |
| SHA512 | 264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg
| MD5 | cd5d2472a2bf9ac7eb4e15146b30bd2f |
| SHA1 | bca600423f99b87df44fde9d96ff874017037afe |
| SHA256 | 038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c |
| SHA512 | dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg
| MD5 | 3f16cc51cf788a50e6cc1ae60897bbf7 |
| SHA1 | e5a8c8f5227ca6da79589192892e81b6a3f43686 |
| SHA256 | 30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d |
| SHA512 | 17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg
| MD5 | 0498cfb8aae1383c049e8ccdd85f3abf |
| SHA1 | c5fbfcc70b441e91a5ecd23295c745aaf076aa4d |
| SHA256 | ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c |
| SHA512 | 113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg
| MD5 | 30c9bd1aee3794fd46bc99fc2a359212 |
| SHA1 | 9817640da0b98babc461d277a39b323dc9a76cd3 |
| SHA256 | 4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d |
| SHA512 | bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
| MD5 | e3c4dd21a9171fd39d208efa09bf7883 |
| SHA1 | 9438e360f578e12c0e0e8ed28e2c125c1cefee16 |
| SHA256 | d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb |
| SHA512 | 2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js
| MD5 | 0d3a12fd3f68decc694da04b57e61d8c |
| SHA1 | f73d4d591f6ef0b2b04fc90d2e840329f7590743 |
| SHA256 | ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76 |
| SHA512 | 2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js
| MD5 | 68b6f0644d50595a97c9fd60b8d8e697 |
| SHA1 | a4d0edf9264ce1922dc419c7f3b3cedb2814bea7 |
| SHA256 | bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f |
| SHA512 | d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png
| MD5 | 65c9f3fb24b80d8c470d518f901b9c60 |
| SHA1 | b9521c39944357d4b55b91f9f3739575d1f3bef1 |
| SHA256 | 8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6 |
| SHA512 | 6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js
| MD5 | a778c47dd8521d6a12093b3e97ed8474 |
| SHA1 | 2099d940cc672373884e1c622bbb606e9e9438b9 |
| SHA256 | d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6 |
| SHA512 | 7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js
| MD5 | dd24e91615f1963a5c64bc9878a0a8d5 |
| SHA1 | 407ece3322d57d16a448b5522d4f29229f80b8b1 |
| SHA256 | 4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33 |
| SHA512 | a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
| MD5 | 3f7323acc829bc8b3799148d439b3d47 |
| SHA1 | 3d3c540c4080462a8013d6db9383ad69606779e8 |
| SHA256 | d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0 |
| SHA512 | 09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js
| MD5 | fb4aa89fb89bf94d0590a3174d1193ff |
| SHA1 | c3812f2105099071c24141a994a9d5087199dbf7 |
| SHA256 | 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273 |
| SHA512 | a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png
| MD5 | 7ab2ac51d33778dac850c5dd8b4ba45d |
| SHA1 | b3f47f20c438aa488fe835e0145c014853ee48aa |
| SHA256 | ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc |
| SHA512 | c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js
| MD5 | 07bcf4e882ae521ec6ddfd0bb2a608db |
| SHA1 | 88e2ab25dec6ba9fedced9bbd21da03639da9409 |
| SHA256 | bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6 |
| SHA512 | ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js
| MD5 | 0ec670fd70f5e89c3d2727df9f2a5398 |
| SHA1 | d19c88c8e11361d4f29719518b8543e0ecf5ff09 |
| SHA256 | 8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3 |
| SHA512 | a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
| MD5 | 2a78f84427d1d591409740722e60d793 |
| SHA1 | 304f17d9c56e79b95f6c337dab88709d4f9b61f0 |
| SHA256 | 4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6 |
| SHA512 | d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
| MD5 | c7fc95def1d53bd3e747248ecbd3cd5e |
| SHA1 | 1b251f02465f9c7dce91aac5aa0679a3c34318e8 |
| SHA256 | 4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5 |
| SHA512 | f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js
| MD5 | 1ea3b76135bb4a589027d6243075a936 |
| SHA1 | 2951fdafcb862ef53fcf213572368bd5e08094ad |
| SHA256 | c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b |
| SHA512 | 3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]
| MD5 | 6cbbe3240a203b0ff387d9bbdadd49ef |
| SHA1 | 2c65f6ea9acd8d164ece87edf2f142942d8cdb42 |
| SHA256 | 7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1 |
| SHA512 | cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png
| MD5 | b513ae819f7d8d10fa4f6cbfdf055b22 |
| SHA1 | b4228971cceadd4a698f3c206d8f4bc24a37f991 |
| SHA256 | 25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7 |
| SHA512 | c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js
| MD5 | b17a6a8826832fc2e1098d0286242861 |
| SHA1 | 8ce2bb5944d61be2b628fc80ebabc769768e0b48 |
| SHA256 | 82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f |
| SHA512 | 688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css
| MD5 | 651bcf535ed50ffa7724c8751bec1a66 |
| SHA1 | 5758c4862740517ba28026c298d1b3a61f43716d |
| SHA256 | 359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e |
| SHA512 | 492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
| MD5 | bec4473fc43b77e28e60f89da4e29c00 |
| SHA1 | d5dbc7c6642a8a23da14f952a0f64fe874e8191b |
| SHA256 | 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96 |
| SHA512 | ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js
| MD5 | d3e4c2fefeea6e6c467df305f7a8f3af |
| SHA1 | a4468bf4d5abcb4d720b0fefb396dce5864e4717 |
| SHA256 | e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22 |
| SHA512 | b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js
| MD5 | a3f07671642038caece41ff2a52d8673 |
| SHA1 | 53442624b01b79a3729a23d4f12efc8dae4b1002 |
| SHA256 | 088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89 |
| SHA512 | 5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js
| MD5 | df3b4d35decc08d05ef8ee0644ab7274 |
| SHA1 | 6b0381b9ee40dc8470a63218e5cc5feb579f7334 |
| SHA256 | e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164 |
| SHA512 | 257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js
| MD5 | 74ca2c01b07af0dda4bb39ac330fc49c |
| SHA1 | 7cc7781cca7798ce0940fe9be999e85f8b5064e1 |
| SHA256 | ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c |
| SHA512 | cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
| MD5 | 39e7048d412b94bb2dad145a2daa5875 |
| SHA1 | 08778bbd84d9411f2e531867dffe45fee5d60d24 |
| SHA256 | 4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7 |
| SHA512 | 65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js
| MD5 | 92f1f77de0ce17e9486d53787f69618e |
| SHA1 | 41198fdd6a18321c15c3d4647962e687fc036af6 |
| SHA256 | 4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6 |
| SHA512 | b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js
| MD5 | 72542b122d453927f3d6c59552165606 |
| SHA1 | 6e2b7f049b60f10edcdec06f357114448c0896f8 |
| SHA256 | 3b17f8b83bec3e72acd0d014f58e7de206106a7644bf3293f93c7456ced47419 |
| SHA512 | 25eade5c88cc35325978ba2e103050608fed4330a1677280eb2e0445946a3367d26796ca1233aa6d7ec4c87f04faf7706d82c72b3f3485d80c18e088813f7a1f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png
| MD5 | 3d55e1e012d3824e53e84d404a6e2f2e |
| SHA1 | 9983296698d4e2736faf1c529e8d27f8071d7939 |
| SHA256 | 6559f403524ea6ef9bf2e1d0bb66d1af8152920fb002ec2c4ced993083124a88 |
| SHA512 | ec75d4dea30bf7567b2f6e30ffed408815c57680a38659f6055d770c85393d8a5678d38a066ceb7fd0ff9c5ef49cf9fd73d7e8eae5a9a83360a41ca74343f576 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js
| MD5 | 7d8302df4582de342a31d0335e979ae7 |
| SHA1 | 7a3e918e23dc8002dfbe1695f8e8fd52db995d1f |
| SHA256 | 899ad5e0b3501d7e00d2f3bd3c7729b4223839e8629c61328db0f818ba0870c9 |
| SHA512 | cbc23b3285f6d8d72221d0fc05ff59336402005e7d3f50d66249ef6076648ec2e22d33ed64f5436767c123f59d37dae45270a259153ed98b885f9c43ec9bc2aa |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
| MD5 | 421cd12b43e660f10da31bee36e85f4b |
| SHA1 | b568bb931d5bf4b5805d20fc339b06f9b3763c9d |
| SHA256 | ce7c16adff608d624a412164fdc692305fb461f4b14f9167e6efa78dbbad12ba |
| SHA512 | f56bf5a7a713cbf018203c24a7f9dd426a2cf018cb3ddf9e27f3a7765be3571339421fa5a2cc68f677eb4929a2a2835238a723db4de07bb0634e3f151878ac86 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js
| MD5 | 0900039f6502c5c4418f5b712f0dc94e |
| SHA1 | cb39e28be0988298003a966ac208c54f83a6ae27 |
| SHA256 | 7037318dbcb8809fd3d03ab0293d58666df18363f0144ef65b738ca3fbe028f0 |
| SHA512 | be9fc36c81963737569c65e4f295f347585bcec88b4fa6ef9da1478f4e0f947b64b8ccaaffb816a74216f713060ae0a56f58c3bea1d12b16bb8488a7663db391 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js
| MD5 | 35d5c7b80ed270a94872c0e56a6c59c6 |
| SHA1 | bbc4ed04ea6c922213d7cc19c62c3c4cd23b7113 |
| SHA256 | 5c03e31975b96b3d151d9e034b884cab9c6fb29576d2b5653c375fc5661b6dd1 |
| SHA512 | 57ec341f6ff49f24516e117d5c0b119ba4c62dc0537cfcaa15bbba248729c06d29ca224462bb331c44ff1b3abd724df86d0b2ec473ae9f5d54e31ae2002e8bdd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js
| MD5 | 29dbb24810bdd7f802c1165f8bc3a714 |
| SHA1 | 9ed5ed2ea58cb6d9196e8d88fccdd8f0d522ea47 |
| SHA256 | c9fdf06266cf9e6d61f7989471abe569239a93cc2c0f65a7c596a81af8d6a67f |
| SHA512 | 3802320bcf7b20a6656460456d5b03ac4f85e4572d7530518dcf99f28162964adc211c5adcfb7ace603b6734271581cea26c9e85821b88b1915e13780a19ec24 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js
| MD5 | b54b9c5d611b062aea9d8ec0d192335d |
| SHA1 | a6a96602b80181ef494a0da49dacae1c44f7c739 |
| SHA256 | d70a13e9b9e9f4026679200872160d667979bd0ae57e6527d44090e49bbc2c83 |
| SHA512 | e56e4a0dba26c3bd824bcd397d495249466a3732bbe1466f9ed1c23ec3a25d79e44e360fb5ee5a229fb24d6961ac32a2a57d0a29fe669e767bd33b956f57ebf5 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js
| MD5 | 7a232b079f30771ada44ab6a1843ec14 |
| SHA1 | 72349db2853443af021d538be9417fe32369d2ab |
| SHA256 | e33edcde1654c47b3f834797623932ff5dd99a4331b255b60452d69d61ccfb4c |
| SHA512 | 431073f497196ad03ba92a8087aa6c50717ae137b05aba341cd8f7ec1705b46f2878b30455c10d7339f89ef16022ca5d054b0f96e5956ef0590121ad8e1a6638 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js
| MD5 | 3b8883ab58438b245c89bc76ee848752 |
| SHA1 | 7b01b457344fcf92362d14247f2c389ed0c89b6c |
| SHA256 | b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697 |
| SHA512 | 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js
| MD5 | edbd91ead174c60fdacb765349ea4fcf |
| SHA1 | e55660206658be80e2033a93abd8854653246eea |
| SHA256 | dfd68e26d32c27e8c7d096cd558b12da3228019525baaa2d4b32030339fb0b6a |
| SHA512 | 9c664370c6c102a0e6992f2fe711e7fe7f6ac732a8562bcc1839a0d99d828e4ab0b3dc70f33f3cba444d04161d0df13b70e72b9079c5aabc7a85543168d58854 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js
| MD5 | ffaab524b0c94fd06a44c1b5b683e0dc |
| SHA1 | 17dcce5e4d3b9f718c902863652cb67e060e2f3e |
| SHA256 | d0a34414103960973357a239952bb0fab5f988ccda1b67ff8e6864afcd806272 |
| SHA512 | a7ecbd3e9656cb0fc1304b4b86980e97680c73b673c4284bbca08c4a3f3ade0699a7de61f0905aee9d521da4beaed61d3ec943090ecc44833118f1f5a29318ab |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js
| MD5 | 5af99e838bada8e34b660d7fcecae2bf |
| SHA1 | ead4e402f4696ede69adb3e4cd694e7d52925844 |
| SHA256 | e3f604ce27fb93d417b9e8a4a5f10f6fd17b59a76aad9754ea0cc5c56b31687a |
| SHA512 | e69f6f12a51382491b4bec6f19260df249dc6dd9a33fc590a90a055baa5f6dcc80894e2c65ecc7dd0d10040c90740dcfcd2f98dbd1f2fbd94c34941897f6ecd9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png
| MD5 | 45ad813c887294a1c5c88358f6e6fd12 |
| SHA1 | 45266d0bda31888b67b10c601d303caca8786d30 |
| SHA256 | 91ed5badd0d99f45c65c0ccdec04fc59fffb1f6d055a4d2722dccde82a6bb73b |
| SHA512 | b06ab5889fdf50735ff0c3cfcac3e526b9f32d694ac631e7c2a06eceff357f17e92540df5f84426f8e8f75726c1e7df3592f1620728b70a4b5290c9e49e377f8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg
| MD5 | 9b4c8a5e36d3be7e2c4b1d75ded8c8a1 |
| SHA1 | 1f884298931bc1126e693e30955855f19447d508 |
| SHA256 | ad47fd9e87159d651a53b3dfba3ef200684a9ed88c2528b62e18f3881fe203b0 |
| SHA512 | e1acc0b10c92c2895fc916fc8feead869e04315e5e6e279f8e61b344545103b4c9ff808c9ca2121d1b013879071364f677da128caeba89bf918ec2791e5ed094 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png
| MD5 | 5c4cbc56377969e41dcf39d60690feeb |
| SHA1 | a20120d0d043af4d3b6a72db517ab8a623b3febc |
| SHA256 | c0601bc1bac97e69da3ef3e2898aafe64aec5ae4f3ccbdb7649471f76da4ca0e |
| SHA512 | 4accc91aeb47949f1137ac69a0740a25c957853f59ff8d18077e64b1a3262488b71fc4bd45714075a0652328e1a49a602c7950b86edabbbd7e5abbd9000b705f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png
| MD5 | f2f1d5a683617b2bdb6cb0b1eae67135 |
| SHA1 | 3e0dda160b0f8b963dde8036b45aabab5d86504f |
| SHA256 | 96497e49c11ebeb0f73bc01b033b7f45cd9f8eee478176e11b1c7342efa63569 |
| SHA512 | cc9688ee19a6391296abbae9fb1422a6d72d87b7abe8552e860eeb092f8cf7e6864a7f06dae6a60784b77353c38103abd3632492f8b33b7b3d900531cdb673b2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
| MD5 | a7a19c86ac01e03111c30032ba417b55 |
| SHA1 | fd7f42ef37d82cf1704b65762a8bc6b4a868234d |
| SHA256 | 494032a3293df271c7cc5d26a5753acffc5f6df811d024e9b573f2fa380f3591 |
| SHA512 | 728d4755dd7d21c5ca285906d5f043728fd089de42d2fd04beb514563224104f7672e5f5144e4ed68770b933dd1069d76b26d140eb692d83d907176330f3f6dd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png
| MD5 | 4eefd60f439096ed98b6d8a585da12ef |
| SHA1 | 75cb70498807b0c823cac760e00652842c1a63c3 |
| SHA256 | e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c |
| SHA512 | 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png
| MD5 | 5991993dd41d6d2b062d58bb70971e0c |
| SHA1 | 1a75ce12ef1c4cb6a85225d0bf4f68d4a3edfce5 |
| SHA256 | bd66e8f62d34f70917102405af895c0b07b79c13fd2d1ea65ebfba3bd4853aeb |
| SHA512 | 75511589b1937aca668348061728734718d02065ae76446b61e3292834709e3b66f2a453717fd593a8fa1db92ad7b97af03f7d2e7f5538716582ae7d8c11e09b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png
| MD5 | 6018a4862e3cc6b434d517a47858a2bf |
| SHA1 | 23769e9ae485bb2c35630db9a6ecc8a40c2207cf |
| SHA256 | fde09d85ac7ec84dc0b5f2bf1c1f935b80a3e45dd9257af499d412302602f310 |
| SHA512 | 4fae17ef027649315cbc73ea47a2fbdd8c8c05b9d818af5b41439e9e5fd81d62ce13f6ad125a2817d0bb4b24a831358803c53003628520cb9c2a8376ac8e1aa3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js
| MD5 | cf69901e6d4609009dff8be5b3045c96 |
| SHA1 | 712afbf4bdf24b6fa059f0fcd837449d75432800 |
| SHA256 | 16d0edc8b7ad7705b23a14058f366ff1c0dfa16a0ad14f741924c308754cf8d1 |
| SHA512 | 84b63e071f56e8e406fe361473dfd6eb17daec1809eed425b1b977f0135d6a78a3375c9bd1a65daf1ac7977f712b63ed735eac8ebc91e55c1a3f366e288a9ed6 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png
| MD5 | 5e0d423694dc87169e1124f26d755117 |
| SHA1 | 340b47ffc7ffe45c30ce927f1c839d01600f6161 |
| SHA256 | 68df674391ddb32170020e5b55b8df9ac1bb5274419dbf8748ce53efb18584cf |
| SHA512 | 17ace592b7b00dd530d923711160c39417b6c6412c3528cecb002fc065a16dc439555f61e4f6de7ac86291cd9cac5f5ea8411bec8ffe043faba887026fd2ec77 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg
| MD5 | 8c8fd1cfdc60f513bf20132a1d5aeea2 |
| SHA1 | 40167e542ddfd848fd138e2914dbb7f116a8f99f |
| SHA256 | f438a4e713df6a982afbe2eec993cd582edc37a876fee88e1ddabb478f2b5ee0 |
| SHA512 | e5a985404619bebfb615d4b5378942b56089b40170e4072c61eb9ddf722639941e820f039437b59cd3859944b3e06ed72ee49e879522e81fd9d49b56c8e40d35 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js
| MD5 | 8ab4b211dc3d2947d2466033f6d524f7 |
| SHA1 | 7c457aa6cb3b704da3c977bbcf3953c3c1a7a7bb |
| SHA256 | 5bc633d52bc4345c9cc4ea7cf49422a85a9fe401faf3239ef72b53aa0dd667ee |
| SHA512 | 0b7e9cda1a82a15fc9492a35808bd1ea43966cf5e55d84b9831f79d64f36a66583a14f0ba95eb12098bf9df6a95eef0bec6606aba1cf56bdee0e046aa60f8d5f |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg
| MD5 | 2518c2304a390e60d20b53b101fc0056 |
| SHA1 | aae24d58011859ff6986508882dd7eecaaa7f604 |
| SHA256 | 03e98670a1d9049b8e1f02c4fdd449d098465f7578ee0eebfaf3f138a78301ae |
| SHA512 | b7457acf824d68e7728088668cd8d44e06566dc71d156db7e9480b957305f2268778907a8e93e4e2d1937b3c3cbfeeb327399cd7f33a60274d91efab2ec3f534 |
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.manifest
| MD5 | 69016e6a597d194701476b8e04d4e028 |
| SHA1 | 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129 |
| SHA256 | 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a |
| SHA512 | a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae |
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.sig
| MD5 | d8d0face111912e6dcc93f665bfa10ad |
| SHA1 | e171cc8b4abd73e2e6f9e0145e8e3d46e333133b |
| SHA256 | 5efe288bf88e3a66ead387ee327d7f2ae6637fa507e14271cd1c30024279945e |
| SHA512 | 2bedc86a79225d3c23067a042a219976a670ee164222cbde077edc2bf5618181eb5e26edf86946e2797016c5a87f3534e47dc4ac76d40487354a701ef77aa51a |
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging
| MD5 | 27418f9aeb0fae483bcf13272efe6310 |
| SHA1 | 9a28ce8233f1be05276f787e06f872f7dd49f8ed |
| SHA256 | e3c2af35d1dfc500e16f826a071cc311bf55003a3de77de7ea3376c6b6fa2857 |
| SHA512 | 35386ad7cb2b39b8d9dc94599e08bd68cc60e3a192090b511f1a2c99b3824b7f74949ed57494ea0e4ba32d25b2c6bdc30117687a5352ec96ca41b1a927ffa7f4 |
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1
| MD5 | 5f3c20c13de3ac54a574e3dfec50a560 |
| SHA1 | ff983979d46433ed43e738f5c34c5340083cca11 |
| SHA256 | a6f6e59f677587238a2b472d2f214b1c95d61d86a7973cdd89a61e2c05ca7594 |
| SHA512 | 4caa9867ce2b6bb9abe419a9306d1e417a2da05d5af5624bd92f433872338f39d5b88cbb4d94efc34ff29ced991cb38ac531ff6b6bcd9f899bc7061c906f228a |
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.schema.mfl
| MD5 | 125863dbbbb069fd535aaf5f8b17bfbe |
| SHA1 | ba601b96a414c6e3dddc42e6a0608ecf099e6310 |
| SHA256 | 424c38504d88d0f7b3691471d18b1a21141b9e31b1cee5dad278963613252480 |
| SHA512 | 18e068cfb976f972322e12fe755aa37a3f44fe79e2da094042f22f1a3b0a6328033e05a625f4faa2a373c654751ed1094f9c04d9411e86888448e367ded915d6 |
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1
| MD5 | 9cb17fa9b59645c7f574893b4565d2ab |
| SHA1 | 274e027aa39e24845fd11fcbf265523de44e69e9 |
| SHA256 | e2e70c766bc6c37a41a221b53a0e62ef616c8fbcf7a244c4863f6a74c06b8e64 |
| SHA512 | d28e543a9355274fecea9be5b1120fefea5e4652835e477cc9886527c0a67556582368618ef1ad98fc95a406541cb7541dc30451033a77b8c0f2011874b1a774 |
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.schema.mfl
| MD5 | 1fb20e4a02ba1ad84aca9d99fb1921cc |
| SHA1 | 169ea6ad71a5c4f4d8312668259ffb793e6cac0d |
| SHA256 | 1c55f2acd075736d1fccd0e7bca9292072d933e2811b8e042c172e9e7f112f39 |
| SHA512 | 3516ca18f6f5b64fdb2de80c950d114b2c5d979c24764cad4328411eca14c47c4758816bce45c3a691adaef50fdeeef64ca51a7ce603aa5ac11bd308a9166621 |
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\en-us.16\s641033.hash
| MD5 | f536fbf78e26387affb82ee89943b870 |
| SHA1 | 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7 |
| SHA256 | 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15 |
| SHA512 | d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json
| MD5 | ab9d8ef2ffa9145d6c325cefa41d5d4e |
| SHA1 | 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab |
| SHA256 | 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785 |
| SHA512 | 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100 |
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json
| MD5 | 709c6a80af0276b170c521117ede47c6 |
| SHA1 | 8e6d9001ca20e76482e1ab88d54d47c65c8c7836 |
| SHA256 | d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b |
| SHA512 | bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3 |
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml
| MD5 | 234c58fcbf2775edbfda910d2e0cb945 |
| SHA1 | 16314a6f5604aab01e76d5e7f7794b40c23a4785 |
| SHA256 | 68193f3f98611b2aa42be4d2995b0b9a2465277c7520231324a08460639a41a5 |
| SHA512 | fddd87a902c108de1d986dc6e4fa7347e3908076d1ec3f64b19602d3a2318ad5ee0a1d46599ba860dec61843c2954d3cc9e91aac9718a82d1043e32b3dfb6bdd |
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml
| MD5 | 703493f4417c30ed1e1856d3628945a4 |
| SHA1 | c8da0fdf2d0580a739f0d11a4322131581b67f77 |
| SHA256 | 7c23b4ec3b42f260dfffadaf7d59a0efcc8f6547149b45907b1fc5242a4e6c2e |
| SHA512 | 2876029ed71708e31bce2871dc62820c6684a16be26802560341a07dac9394095d7b672ccdfb65bcae8177539c4f20cf4e8b8b8e892fd117f21cebd3632275a4 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
| MD5 | 8b550761ab80413c9c09f7fb472dbfaf |
| SHA1 | 67122822562203c17dd3f762194e470f90ddfa97 |
| SHA256 | f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b |
| SHA512 | 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm
| MD5 | 8776c367699ad807af292f1f5d085d4c |
| SHA1 | 9209e352bf9d3999f94881a75d6f7d39bc6d7f77 |
| SHA256 | 18b602cdbb7656129a359046fc68faf1b990da88c6c3b3e6b20c1df399cc0645 |
| SHA512 | 83a17d98d175a122fe98cf89c476826769d8fae0d74dc93c8fe48d12089e26bfd501a586db3783a03e1bfe07864ebec2a6b5a48415554c61cd565131ed40a9e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT
| MD5 | 4ae71336e44bf9bf79d2752e234818a5 |
| SHA1 | e129f27c5103bc5cc44bcdf0a15e160d445066ff |
| SHA256 | 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb |
| SHA512 | 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\dasherSettingSchema.json
| MD5 | 310614b10980392ebdb5a5a8b90b527c |
| SHA1 | 8c8fb36e7c2a1574cde7fdea30e8e5f14fad7691 |
| SHA256 | 445c811c35e2fbd4aa59389ec805492c7b2db50d65f5d161417ce8302b103fbe |
| SHA512 | 416650adf9a61cbbb6eff7af635264e5bdde903477465cce05b63773927b8afb35e75fb68497882bce7778f524b9c7f3f2befcfe3840e99bff90ccd305bac66e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\_locales\hr\messages.json
| MD5 | 798b4a7c5a9f20d24f36ba8daf7b8f70 |
| SHA1 | 0f007b82783ddea5da7374c96925b77a7fe9f57f |
| SHA256 | e5cbc8e3a6e843009fc9a9de7a83df9d05532e08d48da06c66f907f58d0c745e |
| SHA512 | e3faa4376d03dad6cd714dee6349733abe29d0c2118456f80bcc4c758015b12a06b4ec6532a6e98d512f5c6dec7a7ade5c1d2a418db0f739ed17f18c0cd6b54b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
| MD5 | f5cfd73023c1eedb6b9569736073f1dd |
| SHA1 | 669b1c85ecbafe23c999100f55a23e06bf59ead7 |
| SHA256 | 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2 |
| SHA512 | 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13359644845453867
| MD5 | af98b62b3f9d6e70c082f05969c0d2b3 |
| SHA1 | 2a78fe6ace36668a1505ce949dd5415cf172590b |
| SHA256 | 77544451f210250b90637e7ecfebfc0ce00398ef964a2d46f1b92adf4d6f97a2 |
| SHA512 | 6a8d54bbaa9d6f04de832a60fed8f471eaf38bce9f95942d2fa84dba035739b65cc4fbe58904a7d2220af89d735b96be1bb6aa43aedecb83afba6c4d3be20850 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
| MD5 | 7d3165882b27dc69918cc2de97baab96 |
| SHA1 | 4970307efcbff0c15053a742d6db65c4528d4308 |
| SHA256 | 5cdcd733b8b630509bac08589db291ddbde33d79f64664cb9582e66589555257 |
| SHA512 | 2be106c204c36cdd721247bf95eff0f8137b67b3509598719fff28a54dab7cee596796bd356e0a31492cd3bf4ed87b5b555ec82da8a11c0f967a4c15766de28e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b203621a65475445e6fcdca717c667b5 |
| SHA1 | c17fd92682ca5b304ac71074b558dda9e8eb4d66 |
| SHA256 | 17b0761f87b081d5cf10757ccc89f12be355c70e2e29df288b65b30710dcbcd1 |
| SHA512 | ed68f5f49945dcd0d81dfebe2f2fd1fcfe016807d5c64ee0377d046efeb0a7fd9b4b9589b3df8a14194d51dcffbd89c8aaa072cea2ad4e7976bdf53528ea90cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
| MD5 | 2dcea950234175e3edf672936843ab5f |
| SHA1 | 4ca6dfb9ed642bbfc0002cd47abaa2dc895ce0d4 |
| SHA256 | 74ca16b1138459ef2afb19324097332626ee7c897687c5adc5488f93bf0c11ff |
| SHA512 | 483866f3ee1d730f1052b0ce34832e0e42145296df490a68901b95e616f2dfdc39fb13e2ed80bd259c43475830f6a74257a5fc8d163e7f1dd17d39556501dfa4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 9ee38aeba19f4d46fcd9eda4661325d2 |
| SHA1 | d458ade2d50d219b089b0985ef765a80843602ad |
| SHA256 | d99258f5d81067df4e95825381104fe6c90d04d01bdd2915954dd06f75d07c10 |
| SHA512 | f352805d5ebb6b3351dee65dd1f66ae5493ea36dc342c31d8e714fd11095739f755a50d865b9bcfc40c60616c9bcee4cbbcabb6c18566fdb73e778cd41112738 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin
| MD5 | 1595ed4372d33dbecabbfd411c6c8f46 |
| SHA1 | 8b8ba962b765110f762f873edbc3193adef48b33 |
| SHA256 | 8f6abb9e202dd8027ac9abbd475a24e62659a0b2683613f219c21d1238816ed7 |
| SHA512 | e0017291c0d0685ede7a6492c2683a90b37482d21037840ab3e2cef4ed381bbffa8c31ef3c8d06db0a800eff69ba4505012886f88a911997657b3f26284142f1 |
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin
| MD5 | 97d6d52a254a9cbd2bad939ce1926af8 |
| SHA1 | 15a64b0f07658da802cb0bdd43c9c6f2df2f0af9 |
| SHA256 | bbfa41253ad301a1cd9c7f6321bff365068178f26cd84e8afb127fb4001bc4be |
| SHA512 | 98e76665962acd459228cb9635d95bb37c6e538eca7ae50107c665c93be334b907178f87749b3a4f33db34152b9d9035163fe2429306eb3ac45ee539e242c3da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
| MD5 | 897208d5df122e307ab837d982b2c085 |
| SHA1 | cf4ca14a7adcbc197cd84c1997efdd076911d608 |
| SHA256 | eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4 |
| SHA512 | b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\Windows[1].json
| MD5 | 01b53ab60d1307f1db2f793377d3af08 |
| SHA1 | aead0b1b398828d1bb81e91a52f28e504d717e1c |
| SHA256 | b5afda9531d50eca02d7e10dd6a5e5a9346ef452f1aea17049b4acf84be62641 |
| SHA512 | ee7663533aae47cae26d9605f045b9165ed9ba387789a09db6e4bd0d76ca08aaee685d5299a8ec40ee086123f4e3ab766a793d9199c639d18d56d87c37cc8f6d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk
| MD5 | 61d2c715839bcfa06ce4d23dd84e7457 |
| SHA1 | cdb61e6100ac4882ba4863875f63e38b8b804ddc |
| SHA256 | 1f9ec15f6ff239e14a3a243a98f19ae7db16d425a63b2da0908cc0ffcb1258e7 |
| SHA512 | cb6577068e0b746a0ff0148238fd5be9e02e4ff6218fc21d78194a06ebd3f54aa12a1a9b80a4cc9a9f66f72f49eb875eb367b344f674807af11373770f75d952 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\safebrowsing\ads-track-digest256.sbstore
| MD5 | 017813103ef615c6e4e41c106f0d8540 |
| SHA1 | a7bb21ac882f35d671d5f0597f8962f9e04e371c |
| SHA256 | f18f13c653940384b01c154887477150b1c0669d5620d263f72bfcfa57daee09 |
| SHA512 | 0a615cbbde1ce71e1e3623454e2dc355f5ff2e2480520ec0598de70a9cdbb287959bf7958435ed05457957e3ae09d2db2884ffd743806191b773d91a5c882fda |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png
| MD5 | 535ee7f4b7959a29e1d1be5a67e00334 |
| SHA1 | c8b3bcb1c1fbf79c59a847510d884da10dc62f19 |
| SHA256 | 46dcb7a9e7bde1f57e5ed2eef9257d2d0ad622c1b3da32700f6d9e2ec4a0e287 |
| SHA512 | b0f9d39cb8200c35c564053454dc9fc67e68140861255f77dbe63679375ff3f892426109e95633fcf6e285b9547d890d1281d8ae4ef97cfb78433608961934b4 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | a50b718c3518b630251fb54b92bde360 |
| SHA1 | a9582222b6f4df2b4e3e4ee5fe91d25ff086b943 |
| SHA256 | 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015 |
| SHA512 | 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | 80be6efdf5a776659777bf07d4aff891 |
| SHA1 | 1f98e7ba8de8c6b39f4b202739ca71fa2629fd6d |
| SHA256 | 9ebc694d4895efc802ea27714a71986f293edf4b63e9918c27d65871b06f43a9 |
| SHA512 | 03a5434f25209a74a0abc6045c66a45e098d487227cab71004363c8c823840b49596857e8f757f42b8953f9bc2066209b1e8f52104d1837705828cb2676119cc |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{10b516d4-aff8-4248-af33-503db2382fa4}\0.2.filtertrie.intermediate.txt
| MD5 | ca9c491ac66b2c62500882e93f3719a8 |
| SHA1 | a10909c2cdcaf5adb7e6b092a4faba558b62bd96 |
| SHA256 | 8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4 |
| SHA512 | 65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
| MD5 | 4f00b32a70c5d829f8199614fe56af64 |
| SHA1 | ff2afa238f88ce8cdb4430fe578c58823cd6d752 |
| SHA256 | e3833793f7412667cdbe15693f5dc4994934d1a6695392f8bebb74f985658256 |
| SHA512 | 6ca12db615454c1b842040e5047ab24906d372b15b547653553d39ebd18cf4f90a360c5032e415d00ba313cb27def27aa8eb7e94ae3d86fefcd856b693f0c6aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 8c1d71b2bf2d4d1eea6a825412dd4544 |
| SHA1 | 7160c20079f39f98532f42db23209435edeaacd7 |
| SHA256 | 0441772f66559a1c71f4559dc4405438fc9b8383ce1229139257a7fe6d7b8de9 |
| SHA512 | 5d70cd72a6f162cb39167337001b791347abc07b9edc095516489de9e9427cb824bc79596362b41f78e73144d3e224dad14f3dbf48cdd0fa08f4b5073ab702ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_5C1009244D39FCE23AF8F277537F2613
| MD5 | a75d7d422fd00bf31208b013e74d8394 |
| SHA1 | 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561 |
| SHA256 | 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5 |
| SHA512 | af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
| MD5 | fc91658bb81ea407fd37a59d65f0d86e |
| SHA1 | 6cb269ab1a592dfd2039dc8c50c00b86af94d3e6 |
| SHA256 | 4bafbcbc4cbbda94d0a315a09176de0ce6872cf1d85113539a7b04ff2360efa1 |
| SHA512 | c5b8832097ab5e74a0c31cc243c98c6a2b9734da4eb6e25cfc28070529ff4b6d77de1e97388f188f00148cd8db32f3ea62dc86aa841d47e25da8d8dd2267061e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\.metadata-v2
| MD5 | c183857770364b05c2011bdebb914ed3 |
| SHA1 | 040e5ac904de86328cca053a15596e118fc5da24 |
| SHA256 | 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca |
| SHA512 | 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70 |
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk
| MD5 | 7a4228aa2003a72a296e741bfa8246f7 |
| SHA1 | e94ca8cb43d671cdc3ed759980bfbaf73cf4c6f8 |
| SHA256 | 462fa5c6568794276673c9159500918afddf8f170e580fd1f3d483c48934b050 |
| SHA512 | ed66dc35762f661f760eaf0feb82e22c823f11e552c9f938748a8b158ecf0828f40d48afc4d5cc07122f41a13e7b322950b9f156808b125bc7a1ae19e066d304 |
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
| MD5 | 6e36ba0fe61f7c6334305d61299c04cf |
| SHA1 | 646aaf623a9b65f3054571ba8680342cf02b6225 |
| SHA256 | 367467f43d580c3c07040a78c7890ae4262dad4778878f9a49d5f652c81689a5 |
| SHA512 | ee5d694d66bb3ee0d55129c96c83116e7af28b6838854d110cafe9dcb530fc05ef8b97469d7fe0c864481298fba5008c97eb2b503e90b58b1e33f8856cb132d2 |
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk
| MD5 | 45de417378735f7d0d1d3c3148dc6d00 |
| SHA1 | 3295b1605ccb0910148b618c52b4d0c17fbf0a9f |
| SHA256 | 43782c4d9b63da7cfe64f6a9a06a6cf8007d2a793b8a5f94c9b962bb5cb25b0d |
| SHA512 | 23ee803d8a1619d5d5a3dcbdea08175b3a6dca7a29a9d37f37342bad73ad4ee383b68ebd237099cab565699150f90cfd9014aa35e2fa09a6cabc0fa6fcae9c04 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk
| MD5 | 35705a33e80294bdc078f5582784f4fa |
| SHA1 | 3b8d2bc3650098d604e3363fdc41e9bfc2f4609e |
| SHA256 | d0e438519a8e2075e13430b66debeb7204e5e8ab41fb24eaab20db0bdb66d835 |
| SHA512 | e560c350940f15a8d5c5187ed833190cdef9e4862e8f06dde9b0204ad1a0decb9adaadd27c4b7015ea5e7fabe7d7a63538ba72def9997e56300cc8ddc4249061 |
C:\Users\Public\Libraries\RecordedTV.library-ms
| MD5 | a9d5728f9b0e997753288b3a140c5335 |
| SHA1 | a44e9168f2e351f3ad4ee2f7c0e0037d64f65066 |
| SHA256 | 84ba348aafb41879cfa434256c8657baff00a9bf41d5ebe041b0ef87e7419f28 |
| SHA512 | 13380300950d351ffb3256e3b65f6dcfda8c52dcedf6627e10ef231925e45b178d173e7a24406bdef42949f9919326e7abf8a9101e2fee0127c578a46a1df294 |
C:\info.hta
| MD5 | 1b3bd1ce8530e42e6a422973b702e6c4 |
| SHA1 | 9decc9cac4abf63c854c8c6fdcdefa6a40511814 |
| SHA256 | 1ee24d66ffb7c69ac3f66b1fc1bebe3b2e358243a47a8e7d582e74a558592182 |
| SHA512 | 95dac378efcced73f20ed56ac548ea2321b0f44177baaebc8dbbbd54fa5e80b714250f3667e0241a114bc2e10d5ee3909b58ff83667c6b2249a4d82f14bcb3ac |
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win7-20240508-en
Max time kernel
1562s
Max time network
1564s
Command Line
Signatures
Quantum Ransomware
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\94JSLQ0Q\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RI1YAXDZ\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4BMSK8RG\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D4RBNUS7\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a096d8ee3aa9da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040adcaca798bc5419d4f2cdcc2c701650000000002000000000010660000000100002000000096c8013c694a2fa2fb3be4a4281bbc024fb6c1bd2466a36af67bf6c2a85b41eb000000000e8000000002000020000000e958d7fc052d1488fba8878312843f71710865cf55f2bae4ba4697431de063b79000000002541eab1fdd4f99ec82a20434e831722709cd2d57b89a3e57b43322aa67cd85363b82d38ec77163a9f1ed3f3c4ad211b932104f83b583365de2b7fa589e3f954084485293a28809620a06a0bbcbb6f525517e1c0be3ef210912312fbce51c7f6569738f46384854332b77cae7a89a230ec0b36b57f4d7d89a0e93fad512c5b9bbd38d553558aafa4cb08d878b810fc540000000758003feed1cf92954b5ffde9c512570b61b9c7b514528c027a45df4b3fc1b40f77a3a46338789fb3ceff6f0b43b1c1bb56e582f116f5d137c8697f6fcaf1af9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040adcaca798bc5419d4f2cdcc2c70165000000000200000000001066000000010000200000003901c92e7d82beab0f4e608711f116a518b52b7a990b27d67def51be2f5ab4c7000000000e8000000002000020000000c79501bd9001454fd65d2d40f5b2be0bd84c41869128467a52947eb7799b62f9200000003360c4a3728661cc501d4367b2d223ffb1f3e05b587f8d33a58be5bd81aadb514000000048f8c4e5c130f4232e7797b59a3913817f0475b5dba1ddc59a7836a319c6bf26aec4eff924e56160ab5fd980f3bd9aa93d0b7f9b9f476e97f090e4760674bf68 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422209190" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A65D171-152E-11EF-A18A-FED6C5E8D4AB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76422E.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2228-0-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-1-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-16-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-14-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-24-0x00000000002E0000-0x00000000003B1000-memory.dmp
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html
| MD5 | 620625e0cb79821d9b7cc0a85158040c |
| SHA1 | 6452e37091706336207405ac05ff20fe7eaa9b56 |
| SHA256 | 0ea9471ede3b6796552b902b778279ba63feec0ca3fa4252041cc9e848bbac7e |
| SHA512 | 49f03f8cd52e841528732b5e1f98d96482f7e7cceb334f269e9d2d362dc67d676532d4eb15e0394ba4ab0245a764c5d447b158fb648b0d48a033a0121897b71e |
memory/2228-12-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-10-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-8-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-6-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-4-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-3-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-521-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-540-0x00000000002E0000-0x00000000003B1000-memory.dmp
memory/2228-541-0x00000000002E0000-0x00000000003B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F76422E.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
memory/2228-550-0x00000000002E0000-0x00000000003B1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarF712.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc8ca58811f9aea3014c0067c1eb81b8 |
| SHA1 | 1398aaeb33c24319f023eacc90ef43940bc107ac |
| SHA256 | d9228edd5a6ab186260ce400d03d2057f73e0d45d37d5318776b36bc7487b689 |
| SHA512 | bcaa74cbe8c930553da62d8cb7129a736801bd505fa69abb5794a388c93a774c6320316d32a6cfa57901f5032cc895d7a4d4cbc80bc8b01e8fbfd5e6b61d2746 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | eccab0cde231b66ce8d9ca2db3348dc9 |
| SHA1 | db6ffa5ad61f708e81169a6f14a3821faeec7158 |
| SHA256 | 12eead3d6e6b5a3b82599d2dfe894db5d17ba727dc4fb727641de45c1d5034d3 |
| SHA512 | 4d9dee172829ff03dbfd799a43c7c19ee7390a13ad43d556ad91674b8c7ead2bc8870aee2b0a897e228f124b61e0f8d4e6cffcbec65bb46b34b428f8464a2779 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d04af38667371a0826cfbb502ce6ffd7 |
| SHA1 | 8520c41b0b771b678bd7ddfd813b3ff29cb9adf5 |
| SHA256 | 5a6db173197b6317a68d84f65612428ed22bcded2937d5b001bfb0c31e116730 |
| SHA512 | 2188cbb4448dba90a0ad72182f9fd0df75dd162dae451db5695fd522ea35b91749d405c922635472926d9ae891fc71192ac6cd4442caf56e0b21d04dbc3f4a58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d18a5c4373b6323798ca11242cbefcc |
| SHA1 | 4720bbf654358dd2abb321182719d4b06335ff82 |
| SHA256 | 2d3b459883a948ca05144073aaf8d9330c2cbd9f1d2b35dcc9d5a2eaea0f6955 |
| SHA512 | dc416aa7ec72bfab51b7718c59e88f45462d1cf596de7ad2fbdf45572784d8df562acbbe685b0f2db9abb0cbc7f522ad983f41fe92371b06de59937a2bc1c421 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9354fc1c5f8aeefb0484e3e0e73621f0 |
| SHA1 | b0d019dc61d8debd64727a2137f341f58eb25f12 |
| SHA256 | 8818bef03de45c8c7b480c63a796e9385cf1c53c4ca736e8a3b535ccbbb47ee6 |
| SHA512 | 380ef47c9ea9f1492acb6a799c712b19cfc5a543374db9da46c6fa72cd4f69dd25fad0b856cbede47860238487dca9f6b19624064e906fdc08728b0949ba606e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cbb296ddb5b4d856c165ed95a762028c |
| SHA1 | b7d6511920ff508ba5c0ba004aae06d0d36fa05f |
| SHA256 | 0d8c3899eac70c33824b8e99cacfcd287dc09ae45807dd3faa7c6677d143cbdf |
| SHA512 | 1e54cfd8981e5564ea75f5599ff11cad66e53004b0e0a4ce85994d631212804718b82d0b35857767ea7e7647dcb60f7be6cba28467b23656e02acef6077dd067 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5f60c4e6c02bb4848f0886a04119afd |
| SHA1 | 22cf312be77a35fe3a0f36e48f86c3f17a18b150 |
| SHA256 | 7bdc020c874ac5b20da1c485a67a4119efc6ce1ae6a00aeb695f7f95621195c9 |
| SHA512 | 0f8f578041059b5a8dfef83f11dd9e9eec7fbe138606a6c8fcca2b15f06e24d7cd2d368da22cc65809be7df9bf7ac64d511c20c1eaa7ce3ee1e0ccfe24a40e45 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d56cfacc8d5ab1861f2e59c61b1e86c0 |
| SHA1 | dda403a75b8d4a696fcafb775ab52f11084064e3 |
| SHA256 | f89cec43dc1e80e95fcc548154986e187272a86e89e256d66c23de16f29201cc |
| SHA512 | 7b6319558768d2a2cebc8f24958e1447a9a21bc55082f6db192d0dc0605e0dc24c0b01f34a77700a16fb744c583524a97f71fd7b6bf317d4d84fa43040527c94 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19fe22d2277e69a1d2348191377b3413 |
| SHA1 | 5039e17b220bf1367deab09a139d03e6b076931c |
| SHA256 | 3385b429632dd3e6fa89340b8f3b61ca47552fdbeed8e36e34ffdf60926ae537 |
| SHA512 | 67628d0bfefba11ce2b22951eb279685c0867ba1c9b8853d78cb776db8e0da2b5b76503e680d54dd0e4a2e3edcdf4c0b960c30b07c70b06b48f5632ed8477eed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 0d88c7593e7ee1ed4cb8855a382f0b97 |
| SHA1 | e4c008aaf4c7f75aa876974ff88111d8281ab7ef |
| SHA256 | 20b196f667986edcbff20296d8adbd25853dd509a9a26343afce3a6b187aeff8 |
| SHA512 | 78de5bc0708e6cfe56e4f5be0f2fcbdadcea304b5d5c47ee877fe85b671965eb95becca119b78516df220019200b4d7e566a4eb9111e7cb3a55f9b27ee9fce65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6278266f8fb9d5966c161971d87156da |
| SHA1 | 7d555a7dca05cc7e8716eb87a1f4f833e605abd3 |
| SHA256 | 14a97fb8fa7d107a1bd82fb1132a891ef60a927781465bba027b94c51ae21374 |
| SHA512 | e2a803ded318c1848681a69e6e2d8d7eca40f96e99592caec7d4fc59ae240f7410cfc047f84ea039d83e0ae9da81d4e99cf4bfba32fa7beefbabe34b184dfd2c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17f252a616b0d201ce08e1336b0d8e25 |
| SHA1 | 17a09bf31d1373b8f4e30e4e5e18bbd5240c5c27 |
| SHA256 | 1c223986eebfb0c67192450dbd1be4fbe98244cc0720b14449f617f4e1c3e6e3 |
| SHA512 | 1c4f94c9b86dcd033c7e714a35f09584c3a803fff2972a4bee393adb05a3e2e42aadeb824ccd278d0e64e237c288c1da92e65802014e643a71241836e82f84ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d9993b0c583ee7b8312ed233ccfe92e |
| SHA1 | 4b227d221aabc85094574fb0fa43b1ecc7ce6118 |
| SHA256 | 7fd7475b87ad0413b31fcce8de511f98a6689ecee111cf78332efe68bccfaab5 |
| SHA512 | f36173f8c4f60681420fabc4a2215780c198b1cc7264bebc7c5e620baef9c9bb3f7fc83d819ca8d22633fb77eee4a2b54b7357299d17d4c1d35d8868ccc62ecb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 651860e32ef191458015a39961d94a0c |
| SHA1 | 84b33e6e3e727bc1afd0946a2bca5acfb504b6e6 |
| SHA256 | 089d82866093bf4a1bbde6be0747be695ba3f0fa752c964782ec0e7a3b1dfbc6 |
| SHA512 | fd48e6935731ac159438532cec8013fe8fc7296fa8fd42a56926f4c5e677eabb8c2ebc3badcc114144fbfb6ff324147b0a62c17f1a0ade72477347d7ca47efb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97258f954caab577cb14baa4f87f345b |
| SHA1 | cfd661766548d03d988697c8322e110b3cebf39d |
| SHA256 | 0986a8d27b1063095158286e58a755969b532c87dc78bac7df408bbf0cead1c0 |
| SHA512 | d58b7bb5365060e09755f1331aeeac5c22c8a53c9c78aa734f1c26062a4903315bbe78da70e8a7d723abc9be3bf83a5a9b26a51c2b7e43478a22dc3a0dd2f5a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4be62decc98ef21fcd02a00c5577861e |
| SHA1 | c70d0f03f75209f65df2b21e6985814b94eb6b65 |
| SHA256 | c58432b9011599a4fc42d0b5028b7e08ec45e162f1dc7289d22bd286306347ca |
| SHA512 | 076efda733e3a33e4c67f53dd33e5434a79ee438b3d0b3e830c3ed9a84bd96379242e728d510e0dcd97e161cba23ab82737a0ea50a81ab70d74a1cdc1054e425 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1648ff5d81885abce59ced464242f4bd |
| SHA1 | 9d0824ae1d17d15deed08c2cdc36e3da319e89c2 |
| SHA256 | afd857a0f46568dbb62b4f4b8c0a426a8a916f5443212c2b2639ae2933cd3019 |
| SHA512 | 2c50eab1f2d86aa90b241da921eafe59cb8da8f5fbc49f815141973a1bea341846b9dfa570fda2658fce1a1bf9ab8afd4d3ba71821eeda4a213b376b1bf14081 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d6045780d68bd75ea76793305728c3d |
| SHA1 | 5dfb4a0fa3e237843f4b6a45fb5efda89dd28c12 |
| SHA256 | d457151cb61981ef8df48c9bb155ca9f392dd201c0add2e0141d36450a5e1529 |
| SHA512 | c2f091020b538c905d8906772acdd1d618f1ecdd814174a29f899f14a2a05f629655ca734b22f808a62d3ec8c56483c6115e594e6360c5874f7cbeac76c4bf98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6b3b3ab7bdd84d2ba0b9c5b37c262d8 |
| SHA1 | c8af200d7de8284d6f26dd21512fa72a4f983488 |
| SHA256 | d0df687a511caa2f23013bef0703b8cc4255e0dab7b9a1efc3719b281372c792 |
| SHA512 | e5f81d327b2465426ff0ee229b652e589724c682c882d292eb623c5e36fcd4e65d2c95470e245dd0d92dcd1afbb70769b3157a1762a88802a16b1fa0f1193763 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 674cafa224996fc20daa721c21f7c398 |
| SHA1 | 7d8c7e8a65c5c1231b3512378549277951b98219 |
| SHA256 | 3017aa950a1171f5994985195d83f90918defc7db439d0ea612918e6bf6d7990 |
| SHA512 | 18a19e2d96f79fd7f30c10d1621855d5835c535553f9f6d0f9eb89901515244c814b4824971a73debe294dff89a1538a90e88d95eca06745e24c95afda5b6e87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94a15fb70fb4f23f769ea54a5e14d646 |
| SHA1 | 4220a4523a2a2e6542cfaa0da1be55a0e31b4cfa |
| SHA256 | f98c4d28d2f0743067191724b5ba77a8c325ab80d93bb215426caec47313f977 |
| SHA512 | cd9dfe889b92466dd20ea8492c1fd86b927e81d206415e86e7a9902762d40e4a99d780d9586867167874df998dc20dbdbb5c933fdbc25b0e3129568bdf61499d |
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:17
Platform
win11-20240426-en
Max time kernel
1493s
Max time network
1499s
Command Line
Signatures
Quantum Ransomware
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3808 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3808 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3808 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4360 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4360 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4360 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3412 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 3412 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 3412 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E577D2F.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.29:443 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/4360-0-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-2-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-4-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-15-0x0000000002410000-0x00000000024E1000-memory.dmp
C:\README_TO_DECRYPT.html
| MD5 | 5ad33fc6eb4dabd77715a95ac400e555 |
| SHA1 | 9d1895169783943c3c35a87915bf4fb082fa77fd |
| SHA256 | 494f123c1c8a878207b26f5660f9be92a34b64d477fe814f05cbc4611d2517be |
| SHA512 | a6dc80747eff2048b70fc03c9889ec0ce7e7859434f30a065f4ec53239064d16e317a15b2e2f3d94dda704c33571986716c161efbb1354fc76bbd1d61b5f925c |
memory/4360-12-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-11-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-9-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-19-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-8-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-3-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-1-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-1125-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-1128-0x0000000002410000-0x00000000024E1000-memory.dmp
memory/4360-1134-0x0000000002410000-0x00000000024E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E577D2F.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-18 15:47
Reported
2024-05-18 16:23
Platform
win11-20240426-en
Max time kernel
1485s
Max time network
1498s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |