Malware Analysis Report

2024-09-11 01:44

Sample ID 240520-bsd7madb79
Target aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7
SHA256 aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7
Tags
neshta phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7

Threat Level: Known bad

The file aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7 was found to be: Known bad.

Malicious Activity Summary

neshta phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Neshta family

Detect Neshta payload

Neshta

Renames multiple (516) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (310) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Interacts with shadow copies

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Windows Management Instrumentation
T1047
Command and Scripting Interpreter
T1059
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-20 01:24

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 01:24

Reported

2024-05-20 01:26

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (310) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7 = "C:\\Users\\Admin\\AppData\\Local\\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7 = "C:\\Users\\Admin\\AppData\\Local\\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1MQ01HTG\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FA862KXF\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF692Q5Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F5ZW0CRZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P1KETFJO\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.cfg.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107130.WMF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14711_.GIF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PAPERS.INI C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Java\jre7\bin\javacpl.exe.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.INF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWSHM.POC C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPML.ICO C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01842_.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.id[1671F2DE-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 2404 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 2404 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 2404 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 2204 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2836 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2836 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2864 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2864 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2864 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2836 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2836 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2836 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2864 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2864 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2864 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2864 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2864 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2864 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2204 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2204 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1664 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1664 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1664 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1664 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1664 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1664 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1664 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1664 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1664 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1664 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

MD5 c04308d1711d130ef4600da630e12028
SHA1 64d394337a374713edc6b089c993db708740d259
SHA256 cb9c2bccf573d6fe729544b89d0b4c16b6ce6ee657cbcebe0e14a3225ac648e3
SHA512 661cdae65d0e444823000f0be93cca2c5a06d237ec646ef1e41a785109718ec77f89a01aad8ba6beccfcf4c2a9351947677ba5b91ebb5ba705b3310744cb2ce4

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 dd88cd2e2873a04f1b44b81e2a40ba87
SHA1 ee29ca31f99fa067cde7d35cec7e64cbb9111650
SHA256 83cd4395b42a80615a1267bb2a2e71dd8953f253f3d50b1d2020c3bc975d0678
SHA512 580c8d2ef4a58ef64885455b4d92dea544e7e56181629cd0146433990f7d8e94008c1b7ab8c4f0dae5ed9b6f14208b5c70f48d0c2168b3258a50ade2ec094fe6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[1671F2DE-3455].[[email protected]].Carver

MD5 61453a0bd10593d737f33b0c94bc374d
SHA1 ff0a03a54894a2f21b2c7803bfc158bcd3f48c79
SHA256 3139de0f9ace2459f3491f6ca67fd6f5173b099585c441567d5ec7712607ab60
SHA512 f94ed6090c9698a292754ba0bd743bad6e536984426db964b7e1c604dc72c35c00b2e6109fcc9c4a9a6717805b16552936acf15ae51c3fb956ff5b0cb77cd78e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 a8caf6e9fe85e20c76bcd41e23481d28
SHA1 bf0ace184cf72cd44abeafa80234290e8912dfe9
SHA256 30aa4e4097dd7f51fbdf7ee0a34d17e01a8feb0b677421ff704f85d8485b267b
SHA512 988228d5bfd7668eb744d102e2405ad1c9de8b9cec16fe75f97c1db1d158f0aafca94fa842b0a3420c2a1812a44f5739c5b2e4f1ac0a36c2d839bce4a56758e5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 e424c3d92556770ad18fd5d047aaba0e
SHA1 c536cb16083623b0d88e30a8cedf31a9c68b537f
SHA256 ac327239db5f45a17110026b9eda0563208ce275a6312c6cf8085dcb7f8a3f00
SHA512 5dd51eae4039e98631352c1d8eedc7aa98be21b4256051011236c9d4e9f1779b1d711872366cb19a3ab67c17d5e5d43ea5a48aca891075f9795fdeaf69dd2b0c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 40c8e8c5758557477573172e1a41080f
SHA1 25f67b9dd8cb5c73de0e028ac8d8b7b526adb27d
SHA256 a90f989f5f6b4f932feb14477d2a042460a944a0ddc5e2dd5d5d733f20020935
SHA512 1c99a7837cb6fdbede180a7e4646dc1880de85927acf1afd127322faa19a53633888c070eb1d2d7f423d0784fae5ef1e6f447a847518fdb738302d0cc2a04133

memory/2404-1237-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

MD5 db10fd32bfe67918ed177579d4be9d76
SHA1 44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738
SHA256 c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31
SHA512 bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

MD5 2b62a30906a2b8bf3b68abd2ef9d105b
SHA1 9898d25a214dba04ebd7e3030ac9e2e90ea7a369
SHA256 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c
SHA512 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

MD5 1ef5e829303a139ce967440e0cdca10c
SHA1 f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b
SHA256 98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7
SHA512 19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

MD5 71c7e24524aea1022361143d0a876c84
SHA1 b141efff466f27664599dd2aa91f0b7c50736f1d
SHA256 07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3
SHA512 4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

MD5 985f599bb4b81c01d5b5d16ad241d5ed
SHA1 a90b24a33383273378fc6429b95fdf62c4c2e5d5
SHA256 36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4
SHA512 fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

MD5 0a876dfacfdabc170818581a2e6e6d54
SHA1 376fd52e52867f959cb2076fbbc4d214778a7fc0
SHA256 e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839
SHA512 766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10

MD5 65435a5d117aa6b052a5f737d9946a7b
SHA1 b8b17ad613463c3c9a1fe928819fb30cb853e6b1
SHA256 ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b
SHA512 4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

MD5 eeb20c9bc165677800b6dc7621a50cc9
SHA1 def5026103297fa44a2185104f2ee400cb93329c
SHA256 6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2
SHA512 d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

MD5 335a7c8e767a2dd0ecf3460eaabb0bbd
SHA1 111ffd83edcb095d251067456a3a60b754b4c717
SHA256 a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609
SHA512 bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

MD5 b8d5d64c3ef0b30644898a80682f5121
SHA1 bbc7b3902250307a2cdbb314abe98e34795032be
SHA256 2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759
SHA512 f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 b85026155b964b6f3a883c9a8b62dfe3
SHA1 5c38290813cd155c68773c19b0dd5371b7b1c337
SHA256 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f
SHA512 c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

MD5 a2bb242dc046bacdc58e7fbbe03cce85
SHA1 052ab788f1646b958e0ea2c0ef47d00141fc1004
SHA256 486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22
SHA512 d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml

MD5 118db038cff249fc1b96f7a8f2b27620
SHA1 6f804438c7a4af3c57191138510a644d24bde92b
SHA256 8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989
SHA512 4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml

MD5 ceb1e6764a28b208d51a7801052118d7
SHA1 2719eea8bde44ff35dd7b274df167c103483b895
SHA256 99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0
SHA512 f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

MD5 2c16868331f82ff43059dcb0ea178af3
SHA1 983589535e05c495ffeae4b0b31ddcfafe92a763
SHA256 be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376
SHA512 184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

MD5 f7c78514872f9cb5585f8d69532cd2d0
SHA1 ff9dfbb62a3b48c85b6434ee831fb33a8dba9526
SHA256 5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965
SHA512 50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar

MD5 8b550761ab80413c9c09f7fb472dbfaf
SHA1 67122822562203c17dd3f762194e470f90ddfa97
SHA256 f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b
SHA512 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

MD5 a75d7d422fd00bf31208b013e74d8394
SHA1 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA256 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512 af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

MD5 d7d2fed9b7c55fe72a6cda66725cb7e8
SHA1 2cb154a1c4a0553658801a088edf87b5816cbbd2
SHA256 a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5
SHA512 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml

MD5 437687da72730cf42ce36bd093b78b3e
SHA1 693e31dc362426bc4d7a6b2954f7c80267476d66
SHA256 d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a
SHA512 7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

MD5 48e296d8287ae11c252e4277ee885161
SHA1 8a75b573549c2791d38acb3a4d215fa2153b37eb
SHA256 c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b
SHA512 b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml

MD5 e7b188938a141c90dda76cc258c01f8b
SHA1 fdf0e86d2f90e51797779674e429b6f826107a5b
SHA256 77cf0aa8aa6d73f27ad7faa42f7c9a76a689a60d74483f96050dc1cc0adb88c0
SHA512 b106fa59882b0345ce6885d902317af39a3f538731d100e4a92920ee7895ceab8a62d563c4137f8e3e1c7bd61ad6c017ddb301adbc01c7463984b3b245b3da54

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml

MD5 bb95a9de280c528c32806d0d5231de6d
SHA1 bbffb8596f1bc68df5603a10a3672a02ebd3ea8b
SHA256 a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c
SHA512 ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

MD5 c9580e2bd3527b65bf5b812b477ffe30
SHA1 66e921f302739af54e7a991ce38a1d37ead7c7c2
SHA256 e77bb87374bd3a9b3ccdf932d260091a3ffeb1d1ad9d236b54f0f6797585ebd7
SHA512 e86e61aa09e93395f03b9976d6af4f775be3e017ca371a837e538d440e04b7813d2855c3b7c2444aaa357c9d7a3b5ccca7649c6c557bc3f520b953d96aa93577

C:\Program Files\Java\jre7\COPYRIGHT

MD5 2a79a18a4fce30f9d28abe3b0174812b
SHA1 fce91cb769cb486bd59d97a59943e69418c03e06
SHA256 46570844fde2506ac28543dcde5bd20877b0bb2522a0cb11671513722ddb842a
SHA512 4ed0cfe9d66106e365977378a53f7881d1bd795fda7e89bc8e879888b54bae79ce80746bde779c9aad058000f06d1b96d8e0c7bacb0b871d3fc075e684a0f2f9

C:\Program Files\Java\jre7\lib\management-agent.jar

MD5 4eefd60f439096ed98b6d8a585da12ef
SHA1 75cb70498807b0c823cac760e00652842c1a63c3
SHA256 e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c
SHA512 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg

MD5 d1950d80f172e80f1c48685c51835807
SHA1 ae9fb8e72137c1729ffb559aa5f541bff78661c9
SHA256 523c41464ee47d61350e15bc091bc970d73ae2d00bfe7a88bc7fe00ae6202c75
SHA512 a6af7912278d814025fd2825a16943917461c881a8f2ff1972497a3a9f6998e349c5e375d69bc8697ae7197054083e0988198c4fc57cab3184f98f82a07a1a1d

C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi

MD5 9e0573ecb4a0800788a3aa64ad731bbc
SHA1 fa205d2a65684c6245a2272facf45fb12ace4014
SHA256 136dd1a7d0a62859f2077a62b7673c5c712fb750604a15f5f6140ab2c5112327
SHA512 3c01530d43156962f4a2305472eb5dc77464ae3bd88f932a2f55e72355c4c1db1df050c94951a1375ed6f69bbc4102ef6ea45574f4ca293123685564a1334596

C:\Program Files\Java\jre7\lib\zi\Africa\Tunis

MD5 66663b7d29e1bcbcfabbf26496f44d28
SHA1 652e5ca160b40dbdb15b9a3b89ef967d6d44d455
SHA256 8474486baa45dc211adc58156a75954f3542dc65326d6e5b157288711ed74e75
SHA512 aae76395ca6c3fe5e58a64618fb00ba73cf1198450da008edff89366bb9fb5bb62ad91f06b65a3af57c45aec92a67b2d51075c9438b526f5edc0aa4d4f38e17f

C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan

MD5 128e5d8a837d1d9b540b96013e4c9f19
SHA1 641eb152f889f8027c1fecec8fd81df2540400c0
SHA256 58bd661ff1a892697366215a8938d1c616cb4523e1ede78b49d155b132430917
SHA512 2a64edb3c126e9d432f8c8592af3121423a93af9d266649bb33b73e3d65a5504db3f00e268a51fb59ddd3e279f03d2048b3b243e9f5602b2399584928ff2a316

C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon

MD5 90c805bcb9fa376aacfb38d598ec7bb6
SHA1 c264d31acdf5c68a97ba444c7fd7e8af853122c4
SHA256 dbcfcc77f5774ed3333f3963eb84a324fd967de4d62c96631be6af1d6b3fe136
SHA512 bdd9bfe471648e8a116ab65d97e56f38b2d7516e0ba522de25b284c7b29d089dc039bb653f1b08e6ea0792150cad576adc48890dd6956a6aa29e5175cc5e2f0a

C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica

MD5 1135e286fb5224ef530f4ce0ec4a2835
SHA1 e1ef9d5aba553828ff9b4ff2cf9c1f25b085c6a8
SHA256 4a93894f08d98d707cd9a0274f4c9a51bcfa27e701359e12befcc78ffb488817
SHA512 f57b77dcd655d347fdcfc3a1beada329998824caa5db061553a7c784a163b4641076ba99677a4e648d0477671aa14da7f883b2df8b9ed6eed3985e7c2c8ca4e2

C:\Program Files\Java\jre7\lib\zi\America\Matamoros

MD5 93a2fdbfe3bd18cfa0620f2632efa4d4
SHA1 c0b705de8aa572a851737c34f1721c501473d31d
SHA256 3e84c247e11701fb5451865acb6262c8495d47c5f397a772a7bc01c9ce9f5b12
SHA512 1e5454026ba8100ebf7a32dbdda862c9c315b1f6a758242a7c451ade0ff87ef3757fd8caf58c96a0bd63e7bde72217b9664edfa2bb426f50a9ca9cbc2dde655a

C:\Program Files\Java\jre7\lib\zi\America\Nassau

MD5 4401d715587a3bcf3830b14dd764a25c
SHA1 33117586fe2f2cbfde2a7ff3b1fbf74927a65e42
SHA256 8b3827b7bae22f976e2a59e9957ba8b3b9cee57a4cf923a4da970a8f3c1e79c5
SHA512 7b63cc90c5cb65c3a54ab7249b67d9f12eb86237410eb51e961bd39777f517d65b62a08f018e8d8ce89745c2222b2302a9a007c88771968e81e97a60ce037def

C:\Program Files\Java\jre7\lib\zi\America\Noronha

MD5 527e3a39bc066f9dfcc85c57acc8d262
SHA1 aed5fa100750d77de0ce7e7c2e6d7a322131c910
SHA256 43c2ae1019ad57912662c9bd170d8d6986299bad4ec76811e70c98c4a1ffe3b6
SHA512 a1a0266e0c1b0e8b33e4dd242be63b258df4f2d1ae748583649dcb22ba82c7cd27c4ed12f632f7fd745f484621a303f8ace8c8f91646c74ffc71cf0ab12275a4

C:\Program Files\Java\jre7\lib\zi\America\Regina

MD5 05640f18f5c0807dd96697e31fc5d8ba
SHA1 659edaff37a05ac603d08c90d2b5d26d9c90c78b
SHA256 86fbc959c7ffdeba173fc2baa99a8a93d75ba5d6a83a3e3300bab1b0a46b1d42
SHA512 000113934c92690a06eb580a6128941aef65c5d9ac043811627175332a0a6aaa4f55bcae211aafed8c5a7cba9dae94a162785c749c08392cd42978cef1771b48

C:\Program Files\Java\jre7\lib\zi\America\Resolute

MD5 cb97b848abcb6376d491ac6bd9cbeadd
SHA1 3800020090c3bc180b0cf63fab7b39905680453c
SHA256 d6369598c0846422df1f6e1029041784e34d3b6fcc12a3ba0fc1613a0f80530a
SHA512 5c910d7062750c5f76f87e174eb0b1225453fbf36ba072d04ca025579af6a051c7af85c7772a4756876659ab6f8cc4429c11b3620c3f5298e0599ea4f8d5a644

C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund

MD5 81ed540e1204e3237f63da49df05a7d5
SHA1 88176d30b1bf7d6f87f1ba92dac451b883dc1432
SHA256 256fb9c4796b15a7ec4b0d5319e9e493ca4cffda658310420bdfd31e1c59da79
SHA512 92b183b168ad7cf33673e688094d8199cff7c3063aa3e2b83891838f02ac1a79291e6a36e8216040c588306191634cf51484c79f56106492408dd09079e0f807

C:\Program Files\Java\jre7\lib\zi\America\Whitehorse

MD5 1036f4aae37bd39b2ecc451c487e33c1
SHA1 8d60a72a4873cf55fa7bac47dff692303d17d157
SHA256 b61465acf0031e6a4cc34a66d568bd1735668abf591a6badb1f5f5bc20bf9919
SHA512 3ac2c8d3259ecbc41b186c2861ea6be3e6f9cc6b673a2ef610d42c91b359f31e941aa7de1d6ae801191870acdd6590ec788839cf9c069a7fc658d84582103a62

C:\Program Files\Java\jre7\lib\zi\Asia\Amman

MD5 227fd460860a3ad1fd2b245793c07f95
SHA1 71d8da21d4bb33f4cc32b70b174815e40eda657e
SHA256 693195cf289838146418e1bd05fd1a482c36ff75a77874609d615247285d5b99
SHA512 ce035dbe02b8e15091f7fee997a823dc4a0ef12c14e4f7d8441b9d3d9878bd17036db61e24d4e67db2a6e1f8b50168f6f03311b19713c688691ce4298b1deb2c

C:\Program Files\Java\jre7\lib\zi\Asia\Colombo

MD5 5f54d1240735d46980b776af554f44d3
SHA1 acf7707c08973ddfdb27cd361442ccfba355c888
SHA256 2c80619d7e7c58257293cda3a878c13e5856f4e06f6f90601276f7b9179c9e07
SHA512 b1f542f68a48608ae53904fbe2105bd8f3e544941abb38ec9d24cb7a26f916ef94cfb431cce0c64077dc2934913130d78492914a5e9ffc52f311e68217caef15

C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka

MD5 709c6a80af0276b170c521117ede47c6
SHA1 8e6d9001ca20e76482e1ab88d54d47c65c8c7836
SHA256 d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b
SHA512 bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe

MD5 0d4ec840c1db49efd9ea0f2dd0a7c66e
SHA1 df44812586d12298c713564804b42142fb68a8c9
SHA256 2091501cde52f2dd75b74ad947075b6381c5f503af97a66b592b7caebe9e36cf
SHA512 85585ff43a93051adce2aa4f7213bb5a8e4b4160bc1ba20eb061fe1b7d489cc07676b512e00c37ec63d76e08cc98598901ae6babaaf57a0c59eda9f621c1bbfd

C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem

MD5 433b6e531d44ca54bab63198a3f6b388
SHA1 f1dceea33541fd68c8e9caaacc76f062da393a90
SHA256 c00b114d3e1a4d978c0051e7e8503f7fd30dea142240d6b950164a37cce3edaf
SHA512 ca77aab2370179c0f5eeb6b8ed8b56eae5c3083860f51eda2031f7d5772e2018011ad5b004b1db1e1b5bc2e4c0f300735eac814cf913f54791fa26375d3eaa11

C:\Program Files\Java\jre7\lib\zi\Asia\Manila

MD5 38397588c4d02f8b95c263852e9aee7a
SHA1 80691ad30930c04fe1bb2f645f9c6c0548ece80d
SHA256 42d699d9e89e439804c0981f96b1a3fa7dbe42c6be1dbca6211c6faa4e0e2463
SHA512 e46b5c1865b53513bb10be9e3a2c2a54ee9e88f83e8802e85e728a2364ab649ecd4af605b41d7583688f8a78d1b49e36f1ef5b8824ab89885578eed8ebdbfd15

C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk

MD5 88a4ef65b666e053c28c9e023d8579f5
SHA1 4a9c1d641605648e7e0ff0f87d1ea6d21ff42a06
SHA256 88d5d20f83be8b19edd7cf53771fa94c1a67429f7bf9cec90822dc84a3a434a3
SHA512 9ef796e128b899f33feb0fba39017a0365e6289c3249ef6d2aae61c6c0283febf89626323bcee6e1e3fb9e80c4908c2ca09ddd53396ac41c78ba2e5c47500f0d

C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda

MD5 a1534d6e98a6b21386456a8f66c55260
SHA1 c7239c0fe3b7a00d812e548f4cb9d8d863e8c251
SHA256 4c555a3d8b83f80c2e0d0b647769e82148ebe7e27811d0a63277d6f61abafbbc
SHA512 af0302203a3ccb765aa4ce1b1ab524ffa500d62e179ffb527b76d2b62f5ba31b037902d8d46278378e7255a91251f06c0779fe4940d47a582415a201b0e401db

C:\Program Files\Java\jre7\lib\zi\Asia\Seoul

MD5 64321e9c7da09049fe84bd0613726226
SHA1 c2bed2099ce617f1cc035701de5186f0d43e3064
SHA256 e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b
SHA512 4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

C:\Program Files\Java\jre7\lib\zi\CST6CDT

MD5 359a1339722ce22ffdafcf70fb387a3d
SHA1 a958f03b193b09efcd8d35934c33b524b4e0cd7b
SHA256 fbb4fa31c3fa0c14ccb3fe426e39dcad529b17e379309c0adbe27fcc93feba50
SHA512 4a90df2fa4bfee474f9e79570ae05a26b6752f0244ab755a49ac0d38f69f28ed97b134092f353ded2c968a3d9baf2d08a73eee2943e8116b65c4c8357bf2dc0b

C:\Program Files\Java\jre7\lib\zi\Europe\Oslo

MD5 677bb0dcac881a5a4638ede690ca721c
SHA1 ab8e52e9f345d8152a39110c9ebbc07bfe37b182
SHA256 97d364e2d3d35f030a038c41bbadc42d0c15fa8d79ba569987e19fddb2e80f9a
SHA512 6485b77c5bd7581ba0f80318493879df55d29606e30bd8a609f18a94da581c46e2284287869d3d1b7dd2857a5388fd97c87070279305b66e10d67430d5c96a06

C:\Program Files\Java\jre7\lib\zi\Europe\Vienna

MD5 fb4aa89fb89bf94d0590a3174d1193ff
SHA1 c3812f2105099071c24141a994a9d5087199dbf7
SHA256 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273
SHA512 a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius

MD5 515d8db6175667b02ed715ba8aff0b2a
SHA1 44ca509396091b269d47da24e3d7e09fd8da7268
SHA256 d50e2d8474134908822ade46e27717d1a22aaa2d4ebd66ee14c988ecafc01461
SHA512 b0003c56ca6ca6789847ca2d75eb762a7da8870cde67cde39baa6d8a50c0a4c62fa1cf67bebb892ea50515ea7913209bdd0ae946b76ddbb1aef46a8f9cba5b8b

memory/2404-8332-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Microsoft Games\Solitaire\desktop.ini

MD5 22577911e88af39f79409e6de8eed4d9
SHA1 93436ea60c5dcdd2e9893a025f560ab72422ae8c
SHA256 e08dd9962eedb16e12840ea2a977cc07bc5fa8d96259682edaa080573d525e4c
SHA512 2db5f3b0000212518614c74c73dca3205cda5751aa2504ad9bf9b98be46e98143c064980dce9a8a6372305840946717c38e244d9e1f2ecbdff683fc1f0a8fbb5

C:\Program Files\Mozilla Firefox\xul.dll.sig

MD5 69016e6a597d194701476b8e04d4e028
SHA1 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129
SHA256 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a
SHA512 a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png

MD5 6294c74db1a4aac788765b4e0a0278b5
SHA1 81e9bbc06946e3c078d1c1aa150ca93e501ace6d
SHA256 ab3df617aaa3140f04dc53f65b5446f34a6b2bdbb1f7b78db8db4d067ba14db9
SHA512 a4a83643031063cab4226cef7e215765e6f997ce7719173632a66a45bfc0a710b3e6bc19a590108bda91576030e2e37f77e339a3f4e71478d96dafb0d46d2941

C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac

MD5 c3e4eefedd55eae4334456daa4aa0ad7
SHA1 ba9abe2d4d40bbd94530564b6eb178ec02a47204
SHA256 7081ba3d8887be22551f56b5f50da675bda7dd02f40e9fcb150ac84fccbe387f
SHA512 a302516427a81e59fe955f4316fd56b8e5207542b1abdd7eb3fc2e9dbc669849dce90d12d9160b59d45af233e63e2156f3a3f1e7807b7ae1b1225a94d472cea3

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe

MD5 4dc4b898f7b739c87c41a173d02803a8
SHA1 5d1812d2050aee3a27afb4f3e83ce2835596fe63
SHA256 091a39a153caf196b46dd2bb14953fdf8594cb3f09051d829ca97c39720c36b0
SHA512 8b8d21b9ff14b2d15944814edeea4a6826916ebeabd28ab8e3d85accb8b08fa984546277c2ef954313627554201fc7e8e6c88a4383772b6988c09ed9d171be37

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

MD5 f4988d7ec7286976af1ebd5c7443be9b
SHA1 5c9d293127395d240112aca3191f6763e377ea69
SHA256 365151e60b6d5d3faa3b6bda819524b98e96b66913d74cd1911010389583a237
SHA512 9cb87e2c8d83a7f52700626d1b774264a164ce44d920c4a083754cb0105884e51345e422176fafca3f36262d978ddbedd01c9e7d934b66b42235287bddb7586a

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

MD5 c1c197ea35f355dd77226d0c9f97bb4c
SHA1 701421a95883d9ddcd2f57de5e65fde3d3c4a289
SHA256 1696f25ea7574d62ceb2e0d786a7edf9c98e74c1322927c3f32d3e25ef5814f2
SHA512 b414f7efd5d68a5a2640771566572576b7498d0a7c819cbcd4c8b4c982a416de2fae8ef881f88a2a9ede5f2475452c330266dd778f8d0441293f584b27712cb8

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe

MD5 c25803e4cdebd89f69eb4170d7478d60
SHA1 1b3033469baac64103a6b3f15bc96677c00e414a
SHA256 a7fff624c7ed65a25445b075d6c50e0b20d474521dcc65a19eff4a82822d40fc
SHA512 9a5230a5b65e77f38af36ac56e81aa85e330936d7208cefae1a789461ef795ebf21742a27d4926bdb5fc35027e858f4ad7450c77e1402a8e95d6369e539280da

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

MD5 fb54e7953d62fa86aea496cffd7e6498
SHA1 b34a52b311a4c9420e244754e5d47d2bbdade2bd
SHA256 e390461689549b8570fb395e5f68c343c09e22619e402481ca5ff3069b884284
SHA512 44616503ef0c1b4359eed861ba87d912c75f006d50a27652e0bb0f4f69c0c44386b2eb419513fe29f0e11f0b223c31850acca348bc359a7daa7f5b901d3dc0b0

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

MD5 9574e987abe9f8a2a545e60e2c4fd458
SHA1 321b59df4983b2be0ef9eb231146d3c03a155460
SHA256 0a22bb73c3f2e43d03b9d453e549b83483d0003561b8dbd2345e8be4610926f1
SHA512 1f17d19a312593829eb70ce1dacd5911b5c9b02b4f7eb38f1d23e1995c680017f6bda6e9401c3c6838219740ab602f4f95a8010c04fc04ce33c9c503d733232f

C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe

MD5 b639c57bbe4c959037646f075ccc8734
SHA1 5495bd2d5edc42590a24768e2086a0763501df65
SHA256 3dacb82dd5e01cf0d80fa98f8370c33d4b08b427ec5f0bbd678e6484d6ed7003
SHA512 3b099a6ef57e8c053a405e2ef28d91c7cc684001640547aaa12a0fd97443f69f16019045ed5348b08b2c9160c34592e2760e2af19f855ecdaea5318bc4af4946

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

MD5 35863ef4d1f320b6b9e74371f27615a5
SHA1 236f55f4462859528225f6198ddb22b5a1e14cdb
SHA256 bb74b30efa0fcae915d0e09da93c53620e1ff68b07db81d1c6c4ff8ea1581ee8
SHA512 ce2d7c131b9c0fdeae007134139a4159b4bbf0788bab0acaae3d0ee91afbbabce1d5ad5a115ab0c7f376b131eaeff88096ab6e43bbe18fc609f71a43b60a562d

C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

MD5 79d26b54df66afd43d08eac06ac2b5b7
SHA1 f8b356b47499bb15eef42c17b8ad63505dcf66d7
SHA256 7125a2b8501ae234cff2c09b9d51029bc9f457fea6c2549c3ceed8d6c30db42d
SHA512 130f8418532dbe80fed4613fa8e6501400b0b9f2790cee90560aaa0c122261efda222b4c74aab5c438a2f20f5ee8e653cd359755f44b85dda159e477c23381d5

C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE

MD5 a4b2b13f11b5eadf8d26974de80f661d
SHA1 64365080c646e2dd7291773ced561fe62a25da14
SHA256 9f263fa9e8f08a064419b07969cb4b1cffd523ddadaf9a94fc4238831f465e76
SHA512 d3b9312f1c3f101706cb4beede3f84920010d312acad06514b4bd5ae8a8d95bd9ac154c46d3c8e91133168e57a47df77ca00afb79418b0873382e6f212e32937

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

MD5 aabda1120d4cb6cf7df6c74c3ebc7803
SHA1 cc00c59b8d770334eef07bbe4984532a0794483c
SHA256 7abb5ed592746e8bca6b3a0d69fea5560075376d57434648c62c469f2c16d8a0
SHA512 cc46ca780411d8eab2a795d6a4b27c11fbd2f1c7db312bfe34a34d89b9cacc7167e4f9c429a2ad05b3340b37ca199f5d1927a76a221bcd5ed723bb2265f84d8d

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

MD5 dccbe73913319a954a16757a7fb32666
SHA1 19459aed373fde7454780528c95f028d01fad60b
SHA256 7a269b011185240d5b215e2537c6988d10987c528b1d4ca7d2c7ad88558930c9
SHA512 6ef2b55b3fc7721d00100bc6713e3641747421c96521267fe083379d606f740fb973c653e8313b323856ccca884481fc0f389ace2b39a1d91b91afd6087e4519

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE

MD5 2be931ab5ece54c0873ea6ee3ed9d87d
SHA1 3f5bb105b77992cefed28a022073ee604d9b237b
SHA256 64d6095b7577169b3d44d56856fce54b90b8ad429861ef2acd96f6003aaa9e38
SHA512 3e2bddafe57dcd441f500d923590118e4d844603fab2ab40012c958b9da4a01f473fa83686206e5fb174daf1a0e6a6649454d4ff6c3819c764af2ea8f67997ed

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE

MD5 0e6c2a11c52afc6dfcd1b0b3d9af334c
SHA1 66122e1eb4598c463fe5276f64046b242fa8528f
SHA256 fb92c7863c98282e27fe9c8cf707c2a4e4d26a2d0850d04df7e48a1272f0840b
SHA512 31e257b3b9271f888888b30b7a2d58aae8c8a74d569c88714a68240729dd2619b6c28cba81bfffcb971f975da1b4ff22864e13fabd69fecc996e1ad828289700

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE

MD5 31f86806bc6b3a572acd3026177423c9
SHA1 04120856da3311bba44f74d8b2ab5d3af61af700
SHA256 17636bb3ad6745beb6fcec16e8f30870a17493a04b0f32fa8be5fd6e4ca55d4e
SHA512 8229dc8c6bab17f7e195ef45f7838c13dd289648ece1ac01dfc09e08dd081af8a0117291d7c4405601ce4948896574ac4233d88e21b5c5a2c81f71161277f07c

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

MD5 b546740b0db37565ae9d7a40975a759c
SHA1 8de20279c0f84703c203f85b09ada3729c638de7
SHA256 ec497740ded5f7f7a251fb183eca5253b98c63a0a318ad5d827db3b2b609c244
SHA512 f82f472527c45f786df840c5175ef3753409c98cff8ce04a1d2029c4a5364163f05442ccc25c5593e193e28f97566dcb9c6a8bc559f0cbb2bbdece9ddd1252a1

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML

MD5 05fc90d38e2468528ad10b5ce0bff46f
SHA1 3e50a6510e30a9183cbc4a727d4ee3a6e3786102
SHA256 4f969244f420a506355a2c1e81bdd9841f1263818b9189ac31c5c5e14ea41acc
SHA512 f6e585b7f0046e95b5c808133f17f131ac9c50ac41f0f9c09d7e17509f77891d5e3d9f71b7b0322fb4ed187d98425f2a45f6addf428a9436bec7af74fbe679fb

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe

MD5 84f34680ccb4ff318f43576873dcbf08
SHA1 70bb19e3fa15cd1f8039f00b7c9fe0bdebcd766c
SHA256 cb91bb0bbaa253078c2816038e14eef0129fee7ea9f3bd116fe1716746a65af4
SHA512 b57ef00a3a2987178f08679200cc130bf6a168c47e287dfb05b42776b8887c25bf059672ccb6bfe6c6a93b0a2e497d7e53b38ee7bf8be3b5a1d7a1685b2ad184

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe

MD5 6f09fc1d58a0336d3a4cc5b578154ada
SHA1 bed8438000c3d2aea1c8c0b2eacc83fa532f0fa8
SHA256 fd5ac631695faf91ffb192521f0dc38cd980ed7237985c22b4709036c71ea78c
SHA512 1f56dfdd60873162339c5e840c353e99649b038a7c5aa2c6ed5837c8640939c4e7f2ad66a92fbe8100a5a9cd746b6243d3630b42681147f9903f7991158a72e9

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML

MD5 950ebe96859f7ad2194cce45ba32bede
SHA1 ec77126b84fba5f858a84cde4373e1724c86d481
SHA256 1db92b26f408ddb6f3ac47574cd49cf4dc131efa8090477bf6d0a5feea4bdf1c
SHA512 4755508c6a9fb44d196c2fb4de3cd229b5526f48e1baf0057db858930d5e940c0e7c2c62cfc1e66e558987f2e93d11abeded72c709020df80c0b773607c33d8b

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe

MD5 7ac2c2990ca7e4b3d42a458f513c8cfe
SHA1 c4bca9fe863a2b488c9e5b4d61f81d2b4be241e3
SHA256 7ddda27f684239cf6e06baa249e1b86e3dc176be232cd06b8f33f127081bb1b2
SHA512 29588e74a782c47cde0bd47c26c32a3a55fba3522a2805bb10e270d2cfe1d738a61062b90f62b319a5788c6a3c416e85a9bdff4792b535589f487eecaf3eda28

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF

MD5 c42c94e7e22da680544d2ee9553f5327
SHA1 318f931facb45612173e8f845305001d1134d88c
SHA256 0ae208d8333b8d56b0871129f974ea63ad90303e5087fd1092d7cc7a66e85ed6
SHA512 23bf222aaecef148138b5b2cd55e46084913986a7ebab17ab82011890ee179d00403bc5573ba7a783f280ef829e6cd5598a3153aac24d8fe5b2992064c30ed15

memory/2404-12328-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF

MD5 decc47bad99272317818a41e7a522d85
SHA1 8d92c3a841aca4b24ae76a488c4e9985570c81d7
SHA256 153e9423e652627ab50fe46f33f0ee612adefaf54ad06bf70947650cdd32871e
SHA512 e8982763416ce78756050b0383398505979193e92a5cd7541758756a7e1c188405073329fa8f737861b4de5236c8a88f797cd0bf0083245349eee2905d906a7b

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 726e7d645e2657dd9fe0ccaac4177a0c
SHA1 2405e0d02856b6d133d3c2389d16790d372c73c6
SHA256 d9df21997b3223df407e322cce1044bd705d776da0f38eae6de18c9ff0748a57
SHA512 e5fdbb7d201862bb9f03c6d3bb3bc0bbab06a05de86e4ba1870ffb04485145452ea6c59c2c89254d994ee45b138fb090c20e005fa3607b7916178607ec8c33a9

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

MD5 0437182120e01f487940075ba8ac2936
SHA1 e570c8085f9ba8f87b802b1d52a44e7732af01ce
SHA256 6052eea1ea969d55e9f5323503262f9c0462933d60fc2d5e688bf485d6732a5b
SHA512 753ae6383421540805cd5ad0fabdeec4bf273bf85bcf39d2e78a9d361fc02497df11a7cd04775a9100dbeaaea5bfccf54784d2bc193fcbc1b247b9930adc38d3

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

MD5 6393e803f97c7fca713d899cb9886d18
SHA1 9172e7ae4f35a478cd416ece868cf308d303c3ab
SHA256 e7fe1ff96b2dcb1512bc530e2ac86ded63c495618d18aaf3c3db52e6ea3e2b0b
SHA512 de53203ad785d523124aeea4f5ede064dfa635d13b99db991728976bef4af2fa9afdc17f27a31c2b854a38cd2f37edd2343a2bc14581141217d09495dcac9970

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

MD5 1b9cc7e46765f3a07113568a76fa2f1f
SHA1 6c7b7494d4cd17c8f2fa99313a0ddadd45bdd471
SHA256 ae5b8d19cc48f20ba8c466e0122ed37279e9ba335d751e9f7bf6e3f5aab608b8
SHA512 fcb61565b91f3d58a207a7893be8ce808bf6d6f582ee353e74de2d284ce81248904b7f7eabc179666764704c386219786599fae61651c071f063a6bd9b5c9746

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 5bfc589d17d6fd6077affdcff278ccb4
SHA1 6ab62ee661fbb8510a5c9dbf1650babace18528b
SHA256 58d5c00fb6c0b65b5b313b96a2fcd5cbf352ae6aa3c1d9d86fda4f73716f7d39
SHA512 85ad6035333de189b8014da3a611854e415e90ebac57d8038103eb429325f2e57d239a774c9bc2d7aa17981b49ac57d36db8a4df575015a9d2057602fd3aa525

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

MD5 85bd227cce35af823b04887a113a0f3c
SHA1 be356b131c3061d5840e249c4d99dc6aca9d61e4
SHA256 951faed1264f3f2ecfb91334347895c55e06a5752aa562dfea600faa4ca0a3f8
SHA512 c127445719721b9ae8abf940139bc03b9a360c2047ca67b4c0559b3fba4398a0c86b82524eab2721e0545781d6d2820a7d53ff5ae5ecbfc15d1cfb3158dc9b80

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF

MD5 f08b597fc0dad2e60eb47c729ec5a0e8
SHA1 6102ed704c46ebab3fa452e0978e001f6799e7f0
SHA256 86d911c492b42593042265fd0e6f48a2cee1f9090238e1d849420feae106ccdd
SHA512 b64d872c27d5fd0918f8b6df4c9834718f669ddf7823e191115e64f1784961c0ef384b9de3310bac1e5c10fc52ccee0a94392c5c595f271e169649654e2118ca

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF

MD5 e3d6d9c99344bef76ff5e6fa940c1379
SHA1 84da7a8bafe3d5898bef2d806b318af5adcd85f1
SHA256 dd0a8ab83ad0ac36cb27968e73c3b8c87f5d3080854b214a74b53c152f534036
SHA512 63184737bdff4cc24545d32c83df3656d772538a91644870386aba113dbb09763d4357a45fc5e9197bcb0f3b5aa519d5f8fed6ff48d4d8f953e56b96fd43209b

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF

MD5 b0d582502cd3ceeca01a0741bc96982c
SHA1 015498c371e78b8fc5ed5d0831bf2f8fcf803d05
SHA256 255c3a22d46b57e3f291eac23e404ce7b331400041930a0b43eb777bf8ed06fb
SHA512 d0b92159fe96a71ee641bb11365923eb89c391045c2b275e5fec0512ffca3c430cef1c25270c7440cfbb36d2e525675fd80b69ae2a9273f27ea384d19c58cf07

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF

MD5 42968ab756f9db46dac524acd13c5283
SHA1 6cb4841f1adb1015105a551e1de9a673f2169650
SHA256 7fbcfcd86bdfa943dbd68f67c3fcba6e7ab86fda2d14d28862c176bf18579fca
SHA512 e42291e186e3b3f2e0dd3325d9ffee51a5b1b80fb0125a9fed79926f95f400ae38e7dc60c03718f3b6c8ed970fb9d2d9902bc8648c9d8f0fdf0f9fba8f735dbe

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF

MD5 dd7428c326b6303dcda2df68badec0ef
SHA1 83d0d1df0c2116857baa8ab9c2d5f856e29d6b04
SHA256 59f4c13183ac051510c1eea1127c45540085a860875b07d4987d64ddbf46acbe
SHA512 402a8282fd6f050b125d6ae5efb9fd2bc9976356101714e908743d20f0cb317e43180936e44b709cf83cd12bc628674b74d46a1579332e54d0176484274bcb67

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF

MD5 cafc2a2dde2f05e2a60677690d2ca245
SHA1 8bd9c447b79435b8497212ef76f5b43dffb030a8
SHA256 db91bef58cfa8c3ad4587f4d737202a2ea4374deb35305e8e56a4e0b57232a7e
SHA512 7f293929a1147163d71c612084c7fb99740a1fdae3a3f9d7782f795c10c1b7b2e49617e9d6746938167a2dd49bc5c53788bd8751c61ad145d2d42700ae1f1575

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml

MD5 7e5a19c335555b4fcaf22078f0a5e362
SHA1 55079ae8c6067cd839503f9c3ae7ef9deb72892d
SHA256 202115097d1bee389d4d4d81db00117252be97d5691af316941f3843ef7a05f5
SHA512 371b8cf9a6485a2c59fb928a8b460caec1f7a572126641f568f77133b78e0e7b91fd52c10e6089c286d4162050ce50f9aeb1886784d75d338ab02a6b7d357a68

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

MD5 0fb569bd35d44c9ffa7d4728af4e734f
SHA1 b41945703b8efdabbb18c60ccd93d2115ceb78fa
SHA256 788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20
SHA512 b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

MD5 5360b12f6a07af7be93437d215f72fca
SHA1 fe12fecaca49a131167d88817c4941514ea408e1
SHA256 a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a
SHA512 a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml

MD5 c3c9945cae188df73afd04c6251ba98d
SHA1 4327d33b49b3c7046cdff83bdd31c724bdbf4118
SHA256 a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096
SHA512 a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

MD5 e2b1e53f26985bc0bc2a99c7d107a1d1
SHA1 b0b9bccd847f973baaed9790a33f3f77d2d1db1c
SHA256 3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8
SHA512 0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF

MD5 68a8b1b2741f9c2ba2c58d3afbeff021
SHA1 7ef6db0684eda77c6003d00c98da41a3e76556cc
SHA256 3b19ee6de90710035284dadad89bb5ad0057db27c79ad2eca5f5d5e540a892c1
SHA512 fb35085a488c6f3cda39a51a67d32a8f88f8ca8b68fe07d68f2a86cfa28879b4998bdec237ee28e61a1271a5cd9f5705e1cf8bc6176df8a2cb3f410da2f90d5c

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF

MD5 6f6b5e30af6a9e64b7b6a19c39de7e0c
SHA1 f4e37133cd52efd2967e90d645332c44a56b6832
SHA256 babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d
SHA512 4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF

MD5 c7ea739796f77dea0edf2dcebe980a6b
SHA1 5bab75849b9d716b8fec896e7b0f2d37659b3bad
SHA256 4cc7e6272db6b1ad7581f76c63c694e926e20698e9b02223d5041a55960463f2
SHA512 afa36a9eba55e94eaaa5c64129338d6af50a0a485c2b37075594e0415b8d2f2d181574a8b99969a92f90790085f761fb66b1a03020afc715fa17121b803ac534

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF

MD5 60c6b126049a35e50fffeadf17279275
SHA1 1d58c87e67c4b9d2c7ddd6b1f9c033eff16ca9b8
SHA256 77133f431d5e12dd850002c0d3d4e0fecbe3a7a699d604dc8c5eae9976e1d260
SHA512 a3e171c1c71e0c8fb05df6d783f5ac9c7ce0f9c3bbe653952ea048adce025192d5eba4ed8cc7800bd52afd265256ecea887ea63725c49cf563455ff321d45e76

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

MD5 81e4bf29a6552cb0df60980b937ed4a3
SHA1 ca18e846361c6f84ae934ac108d5df987e977925
SHA256 8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81
SHA512 ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

MD5 6790430bcb39e961b83668cbaa1573dc
SHA1 9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91
SHA256 5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7
SHA512 6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF

MD5 4df019b7bb2ba1e54ed725a85be04261
SHA1 f40905a7a7dd1623fa8f075715c862f6b944e961
SHA256 33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d
SHA512 654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF

MD5 5dc32f41bef844b95b3a8d79e9633c42
SHA1 50cf558caa78030567cf4e265f7c9cba3a2d904b
SHA256 86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9
SHA512 99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF

MD5 a50b718c3518b630251fb54b92bde360
SHA1 a9582222b6f4df2b4e3e4ee5fe91d25ff086b943
SHA256 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015
SHA512 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF

MD5 e0a6fc12e9cddb11d637714157db14e8
SHA1 5c2c7b2a90861b03082d3af01f802d42b937476b
SHA256 2f1411c6a9eed5ac2ccf7eb35456b8601e3c96907765746895325407cc307cc4
SHA512 3f30489d8544921a38f743f905aded78827948c695acce03cf892121893ad7193f7810ef5e5941e2183483e27cd384fa37dba257931f392fe0781eebce384ebe

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF

MD5 8edc22fedce822ad66c7733ea98784b2
SHA1 9c0986ff2345b18e88d604e24a105ba386d87b21
SHA256 fa807c957eafe34b850cb453a096df2e5899f0902a837fccd59f9aafa869fb44
SHA512 31bdbaf34b4e8f2edff432a5f1ee5fb571105081cea907b6cd41c529f4a9ec4956d009378f3b4fd912abab84605d78da298d4718b75780814e1fa1e86386d20e

C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT

MD5 0ec3bbc188caf04134280e5a95f00446
SHA1 bd398b51e76ebec0b43d756e04548a1907e8d2ba
SHA256 97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d
SHA512 e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF

MD5 c2dc578691371996eab94eb37f6896e4
SHA1 9c09715d6b50b203e161cfb59bbbfaa7837532c4
SHA256 9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e
SHA512 a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

MD5 3e586cd8128ba5d03ccbc121909e7421
SHA1 140dc52658e2eeee3fdc4d471cce84fec7253fe3
SHA256 1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992
SHA512 f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF

MD5 9cb5fb90f42219febcadbc6eb57257f6
SHA1 c948b86625804155f9ac9478a07cae11d8021563
SHA256 1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185
SHA512 9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif

MD5 79b9e09ca5f8f8ebd840da4c96afeccc
SHA1 efd9e4cb4eb7a896db0cd0de5138eb5be50864db
SHA256 318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93
SHA512 2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

MD5 301657e2669b4c76979a15f801cc2adf
SHA1 f7430efc590e79b847ab97b6e429cd07ef886726
SHA256 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512 e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

MD5 b9205d5c0a413e022f6c36d4bdfa0750
SHA1 f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA512 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC

MD5 59bcafcabdd1f16e7b9889ee10dec858
SHA1 116cf3bc4321fa20352d009e1d0cea588a9b61e0
SHA256 006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13
SHA512 2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad

C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE

MD5 69a90c625e4f2da17fe8c9b0b3c90e74
SHA1 16d29fd72f21d382a670cd093702e5efa81f26e8
SHA256 0d811192c78e7665d8492c6fe65016138ba890c646106aff1c69f58608a6ffcf
SHA512 0909a2bc6e887b10ecdd9e237e902e73ed1568b301da70e2a8c3fde93f4b3cfe061ca26e47de60bb43fa592dc1e668752fdff0fcd5b41b557d3db392ddf208cf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR00.GIF

MD5 f5cfd73023c1eedb6b9569736073f1dd
SHA1 669b1c85ecbafe23c999100f55a23e06bf59ead7
SHA256 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2
SHA512 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8

C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE

MD5 c6ceaaf7416376c0861224b140551eb4
SHA1 93c36c54271424d6a584af901d81a6e12c0a3f39
SHA256 4329d06b307d7baa736be92037731b35124193b28028faa5bd18310ca8ec7b3f
SHA512 5a4eac226221ce1789d8fbaccb2aa8affd499e4c272bfc307378d3cad8fb9e018405dab65ff0952c7a7a10d4a5f9abf3b94e62f3ae6fbf99ba887336e83d027b

C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML

MD5 bec4473fc43b77e28e60f89da4e29c00
SHA1 d5dbc7c6642a8a23da14f952a0f64fe874e8191b
SHA256 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96
SHA512 ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

MD5 1cf09023314d9efc8ecaa71fe78575f1
SHA1 6354db38d1ecc77081e367351addf50870e9187d
SHA256 7f02e7b949cc56b23f2a426c8052516dda19bdbd0c770cdb1bf16a0b1b1ff46c
SHA512 68c49ac4fd378fbd8bcd0800c4c44d275c29bb5fe51d767047ea6995cb28af3646735fef7703dd11fe7a0d37b029a2ecfa3887cd1d5991ebfef94361d9baa84e

C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE

MD5 31e9987e7b7b2f21f9080249c37b5974
SHA1 c800695dd4eb9352e0c6ca8ac41014c0ca3c429a
SHA256 615f52744799318bbc2a11381a3cc9aac5322b57f33907c898d29acb44a80963
SHA512 4efcc42cf10da5af7ce5eba6f9f04a1c1fd215dd33b94e54520cedbd7174e559d3428c3694012d98b8aece4f9cc4e44e21b772d83285f2f0698e879bd5f93f31

C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE

MD5 92ee5c55aca684cd07ed37b62348cd4e
SHA1 6534d1bc8552659f19bcc0faaa273af54a7ae54b
SHA256 bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531
SHA512 fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO

MD5 8722af8683c6dedfa35cf708f04e507a
SHA1 e411318d7904624a56946cec0059e380b0a4bd0f
SHA256 a338f849bbccace695e284ab83c0cecc84876fdb292078f1186b31e9b6a07127
SHA512 1341ce0453aeae411696a7343f2f6a6fa991fbd483433841cfd4b202ad476d77ba62b66ff547baf4e29a5bd38e7c1f2f78ead201ed1bb8ec50b98eb763bb11da

C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO

MD5 d4a7e4b0851785143ecd98f019ace3c9
SHA1 99d3d7b7167a9ce2fe67a0d296bfdf60ba7a8a8e
SHA256 ea3a2d1ae34d98f545d82a53ff2d1c6e5334ab4a0a4cd902e3fcd0fb697bf32d
SHA512 cfaa3e8c5f61f0b662c6e04296ae67b83d81fe96eed7872bc503c131cdf47576777d1857d0575ca309652f63f5de2a8ad6fe072bd3c3127eda3d353e61260c2a

C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE

MD5 243c9f1cee9fffaa9b73f065246e06de
SHA1 e0e321e38f8cdee3d43bf0d0e3b454523add746b
SHA256 f41c01b8a231f973be49258775d8128a5a2ab3ff047307f7c0a238561156bbcf
SHA512 4f902dcf7cd49e5e0d147013a84f83cec62cab27749a1ef957a19673bffb6077fd74051f920086fb2d76f3835562d32605818ec7001575badfd76c02213e22f4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp

MD5 79f7ca0fba179cb0bc93eb2f178e4ace
SHA1 a529d3822d5bbe18f6c3acfe44b19f0449e76f9f
SHA256 86a618c687c518ca93f7151a26391ef0e19101986d30f7eeefa420b0574fc5ec
SHA512 3924f19e1a9e1b9b9eac515c1d5dffff2aafde9745ad8d20b0d71dfede631875c611b58b2624fef0273830341b497fe7b554710d18bdfedd57c36ac0a764947f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp

MD5 cc084392f2514a4337b42f4865e2cc83
SHA1 79ff391fe2ea7244cdb5a1e1e5bc68ee0cc1c17a
SHA256 3bff857daf1c246b3ba79bff08805f403b65b0e2a5cffb40b078a383eb861514
SHA512 9c19d048cc3c0b34e8191368b9d243a4a9a25bdf4c55b3d51da4e97a679ca8507dd7368fe3ba22cb32451d433533d215549a276271462f8d1d1c2a9ff37ab68e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp

MD5 5b4d40b272eb1356f8a88982e76d4451
SHA1 4344a4f7503185c3830fdc877e6d44ac0f1198bb
SHA256 90ebb694c6e15523caa8196f148f47d1c9c477a48c49d638354530e0c2b811ba
SHA512 cee35a29ad193bb1f672cd69fb0c6ea7d35ab7427c5a33757842881d8db17b0eed1e1c59dc52e577ca29f5b74f83f9b023a61b844eab469eeedd04195293654d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css

MD5 e2bdd4d017ce36dec632e386e894a4e5
SHA1 973c9f51425416d311a4fb1b502de562b57f152b
SHA256 c23a5cc2d7277749c47ddcad301aa92fcbbaeab54e552813333c1306c5cf2425
SHA512 85878f146a7bbcbea9b35cb48c79bfafa27d7872c4c312e824944d9bc70f1548624a2f58839958c8033981b6aeb01b65ab2f454a75963f91c282871d9df90075

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css

MD5 6c3081b7bee29dbf58f91f2e18d844e2
SHA1 9437dfc92ec5cc8e0b938a23d11f43cc3d1739dd
SHA256 cb973b51d6e0730a068671ec24e50257ecac543574a2678214b7009fd6620d9b
SHA512 2d12c25529f1b40724e5d4e452bc5c5fbe196646e29411c5cd8dcbc2897c65cae881d9be2ca5a9a18c36e2e62127a625271c3c0f5970d52fa29c4c4a9b52cd75

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO

MD5 385592b8ece89d5bb6c8ff79b132c562
SHA1 bc14ffc7e1686ee066f445f1ab95714ad631b9e3
SHA256 b57536fb8401facf2e6aed14ed0f15e42a4f38b1e05eebc1a8be1613909c5165
SHA512 62ad043d2e28c8e5eddfb9d46edbacd40ac092b3fcc0e5bca70ac0d07d9d4b80cbf194f99803bbac70f3b963f9a3e7ae2ba29ecf3d71535ea3ab257115862bc1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

MD5 f536fbf78e26387affb82ee89943b870
SHA1 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7
SHA256 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15
SHA512 d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif

MD5 697538917066fbdc54bb7922e0f2eef8
SHA1 21cf57e715733ecaadd17747a6956fea5dfcc3e9
SHA256 1270be94b76ac32534581f51fecec7ce90ed9e0f3693f310058fba0c6ca8aaa7
SHA512 26806e433c67cbcf7bff91a47e214a312929f279739bdf2ca0b5d26f04e40f76f6350161c7aaa44de48fe70aa6bb67293d9736aaac526f1f794e94f135538be1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif

MD5 bd38f281632881248ac7f09eef8a6319
SHA1 5a40ad5f3ec39d2ad991e0b94683a0ce987d5066
SHA256 b92428daaf38be6775a2b1ce78f5c8ce213b90c6e6fbd95bae56458ab90f7437
SHA512 1e102e101b9c679ff5bbb874806650bc12a69dbab6fd446617e392c99620c81e35c2233a745934692b2e4f20b46a7cf5e90cf38a97b87ea588d525ce356b6099

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 ab58d658c2dfe0393df78f57740dcdb8
SHA1 096427e4fce6a16c49a01f645139172fbf077ba5
SHA256 882993b55cc0c527f0a6059b69b3faf4ef3ccb9cecd3d8847ca0e49a1444debe
SHA512 bfbad9a939371aa29f4ed8c5bcad0d0299766bbe6dc1d9d6233ae0c060a394c0b8bf665b11a28c3713d434340dda690cabb578ecf3e2a4a462d797f0b3f30df2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 0ad4cf7b35f62b8ff9c73f481594fbdd
SHA1 08b895c85051d99477cdf56d80c4006c262048ef
SHA256 c55b90509b8cb9bac53fbdddfc93d4e572685c509f1218423c43a5d6013bbd48
SHA512 697f1c0117c89ea0486b5b8e9dded787eafcfd710251cef4cf5cc275b1572a5cf9d499e44fa672aca8a77521a33b2e5040cf69c7cc3947fec2cd75d2296edecf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 ec8d9cf15661e1e246997637ac868ca2
SHA1 e172de70f1a3707fc8501f5a2207613f376169dc
SHA256 82f9a5d07d2ed70801a407aefc9336fb4582b17a23686cbd30ce31881a289b85
SHA512 d87760b7b4b1b286af229762c9c2b81847c803410a2a36834861ee85533ff2c2614753db56db863c73dd6ea6807c1074a317e62f066870dfb6fd4257bbdefa2d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 9d1101f2c45ce53f2ead40247bc2629f
SHA1 c7c2770645e7611ae33bd7a0b3ed948d39f17c06
SHA256 47f0149b43961165c5fa224dbd2d1e956cf0a26b86d15ee3e12652c2a6e013ca
SHA512 91ae75b332bb98b6116352147701514db0426f710600bcbd1bdfe31f20ab83c2c21c794244055372e5d11ee177f8dedfd31a1d9a744b84be0f57b580a8464ec1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 3b8883ab58438b245c89bc76ee848752
SHA1 7b01b457344fcf92362d14247f2c389ed0c89b6c
SHA256 b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697
SHA512 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF

MD5 9c1b2a47c87f33de47ccfcdc098e1806
SHA1 4ea8f90ce4f6569e41788252674776594ca668f8
SHA256 8d77e83b50a81c442acd64cf5a57ee30906256da88e661e87cba51320f2cdda9
SHA512 b317fc3bea365325bc928e347d081bf019c0dd35e764172ed105212e86ab4ab303b92bd1bb0752cc27c0a7d46548e199df353fb84873e812a744878d9d34bd30

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 ccd9d8aa4c9fbad1069e4dd2c4982652
SHA1 58cc653eba0694d39e7615ee7e049c8441fe6600
SHA256 35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae
SHA512 7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_hyperlink.gif

MD5 f25638c3ccba37aad21daf44d061ded1
SHA1 2db65949b3b8b9f2ec83a7aebda1d4379c17391e
SHA256 f2d7df9f7c7a829d151f2d26f67f11bb6b824fb5ed649c159dd6124c4b4dce60
SHA512 362d8d85fb18947f6924d956f93d8cc8eec7febac2cc8aa5bebaa983ce257c1f0eb416663d650c0958d33d7ddadbf79e636a26cd6f592ab38057d7dcc2227c3c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico

MD5 46b109680d8e37a25b4ca79ff35e270f
SHA1 e1d4ca57aa3114a7931c7a5bbc8be1ecd8bd7882
SHA256 54a918ed71329a2e6af831153825cb69b8cd45938a352d3b0882c92969a353dd
SHA512 7533cfb7af8b272d23734efddd2eba7524a746ac0664621ba3c05f139417f6e68bdf6e38c57ea16e8552d0b491a37f320f8f95d7b9e39e3c171a28f81643197c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico

MD5 175b6d3035eaaf10bcc78b54ab021ecf
SHA1 480f5c00b285f824d6eec209d6937e05c34d1805
SHA256 868d0516a42b8340eba07ffaa00f5928e1d6a7daf2a3c4d96c1b86b80e2e3e81
SHA512 eb0b26da872e4e957415ca60d0114903a3b62dfc6f4b02db745004a32ce55d791baf8d550284be03157a59a433fdc9e39a3129155cc0a73cef87febc51fb2f6b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico

MD5 d33c6324366941b3c100293e79426478
SHA1 afd047c1461a2ce36b775cc94392672eb43f1463
SHA256 d2a2840f1282913c2678160f13f3204616a9c302ae3b8f47bf17783ef3323aa7
SHA512 7cffef992a6008d2d5b1cd768ae722d533a7e2a637b421ab67f16175328ffc9f3a4cd72ed5db695796d335371aad94c4bf9003fe685c3833b7687b59bbb6b940

C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE

MD5 581aa57648ed8818fbebec016368ddfb
SHA1 17743588090e1ef647e9c09ecedac57fd49ac82a
SHA256 bcd2a1ad7cc2d80f4f8e2bcefff734fb4e89efd58968dc13e864a43666553b11
SHA512 93768a1f2802a0a99fc6571d1375d7e7bc2faa8ad60e50772ef8fed22b07201e9fdc4b7d73f9212a1ebed50f9f3d4c244a0ab22d310ce91289a725ec5a538fae

C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe

MD5 7edab6d619b457241241ef62ddf90f73
SHA1 6c1ddbe90cdd79759c11a471e2373085440ffbca
SHA256 715f27fadb7a11200fcfc52ddc90197b4ad3e5b3dce31ba63775902894af52ef
SHA512 c0ac06b8052db4811c34edc28b0fda61edeb686d05f1788a4fe212cee32181aa81ad151d7a9829bd5a47f06c29e326a558fd798cfa434036c976cc8953ae3591

C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE

MD5 53548dd9406e59dc4929da8cf4e9fcc9
SHA1 ddf4879f17815c1e8167936d9b6a54df08670efc
SHA256 88b9ebe8c0b1ea189055fefde387e9570e88fc3e256fcea7b6cc56687a6d8ed8
SHA512 352a4b812ab071d045b9b9ab0492f5cb0c75e44e1e0b06e92b692099cc49820ff366eb194643002982d897dcfdce133e71346be35f44967b75cd11d69f83ab55

C:\Program Files (x86)\Microsoft Office\Office14\misc.exe

MD5 4b9f8fdb84906485c04e480d5a90c607
SHA1 dc5568ecba03eed566f768e6cd90958d78c0f3bd
SHA256 955baf0bc471e146678e7559277f6bfe2dabc67492d030366ff56a162c191adc
SHA512 677a8167c3d98e25fd3b6a67cb3bf514ef4ee9d70267cbd26fbb0f455f4d47548b95217b813e61591401e463007e18c8b075485d89aad065e783e0ec14873df2

C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE

MD5 44623cc33b1bd689381de8fe6bcd90d1
SHA1 187d4f8795c6f87dd402802723e4611bf1d8089e
SHA256 380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba
SHA512 19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

MD5 d99f6ba25373939cb6e651683e3f580a
SHA1 b69ce717880f1ea2816f24e111d4d43a5c673b23
SHA256 2d871e41253bc025a931912117227029be4083c4a110203582f2bb46df48ac0e
SHA512 5641ba48991ab178a40842d4c444286cb97659c21228b89cec9964009bfe1ad9dd570b2ce249504df3d9b5e6e3bb8d0ceb4325b52f945b683dc76b45249d0de9

C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE

MD5 6b53560b0d6081aafa69ee8687f3f169
SHA1 e7e7a0fe35e4524c1e97f7c4648e87e7bb0381b4
SHA256 820e94d494329c2b5c4c8abebbf0c413af0c18f2b02693cbc2dba587fffb2cc3
SHA512 11369b380a51575148826d945f14a087e2062a52978b2739140bc2d584aea7a98e683303d59eefc8e8181bb5122023b1d21cf2f45e73e2cd3e3257ae848a381c

C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE

MD5 c3ee902099b98a299b1a215aba1b27bb
SHA1 602b023806464db25f5f8e4ffc157cc7d7e9886b
SHA256 e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f
SHA512 3538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f

C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE

MD5 ee2881f27810a544c36ba98f208b955c
SHA1 3d07297466693331ff2c01d31f4208a7e61b1bed
SHA256 f4ac2436a046fcecb4723531f4e03caf6bbdb9e43daf4798823edacbb121289c
SHA512 3362ecefe69c6ba8b4a6491dd133c339be5a47c68bff204fc086e4db27f3b7a761be52c1f2fa756bae7e4563b6537cd9f4c670bd2bdf98fe943ea9f33ec2a270

C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE

MD5 d69c90688436599c02adcae443d5066e
SHA1 db630b4b8ea4b1f398f489bf63a24ef718013c00
SHA256 ff2476e26f6fe1ba615d7c3b4f9dd96a1d944c45569be1a22529ee48cfd6a891
SHA512 53e55fcfc0946a172d9d30a8f953c978735e39eb6ded62d4df073d49c958e389054560678a6db0629bc53e41c7aa65646a8c9d8ce146b73b7918033460a662c4

C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE

MD5 871d63b651881da72ba1d81b4f1c23bb
SHA1 0792e23e8831aad7bf2524ec3b825fd12beef262
SHA256 e944575e070184af5e9870c1f4984e10b3de361f75683377c74c5022153e7521
SHA512 c40e14c2af28aa9aa3d6db6aa3f45233f53abef6d00d4437c59d29e36955d3237f32ec22e06ee18db04fbc27cb3f79d75df1f646ccb55500fec429509d1f4809

C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE

MD5 a42dad802d28bb23964c726b6df4a7e3
SHA1 e781e9120dad101caab3c21aa3e236feaf898b2b
SHA256 e48cdc6c411889025c285a3b2d2bb70a6a4e9c9a67c47618970db964ebf058a3
SHA512 d28512cbbb97eacd754f3c30755a008ccb88a47704b2f6d7f7fe69184250bd754af4fbc5839970576a6f8d37724a910ea25111152fe445bd2950fd53b6194d92

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

MD5 2d0666d10f88a7b1501e169e1374bea7
SHA1 5d2317f24a4ac9770049ab8dce0be81ea4fbc332
SHA256 c755d7f9bda9c1753c6bc56063179dbe9fbe8e4e3b4b644bbf47d3ca844dd039
SHA512 aa701f423db0038a5076e2df273d74d30eee199a023993d8226da6ea4ea92b1e7ffb8701256b52d3852ec3d11862c34ce538cf149f7d27e597ceb433a242f83b

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE

MD5 48c16165783f3a0ec2ac960ac528192a
SHA1 030b007b373537e689c5f9a7fde88c4611e1c3b1
SHA256 818526afbb35cbb37586c8b72373a21ca883492436ecb11e7886723cec166737
SHA512 c25df1c765546ae1fdb399b25cc4280f2b5d66e6fa77fa7b86facfa92355fbe9f6d5291c8f4bce5428c52e312812bd9f5615cec195e2873a48b3253a7265bd78

C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd

MD5 9546c10433c45bfb9947449dd8d304de
SHA1 f8ebbbe3ad6a8cfd13607fd3a7fad7a3a7a50158
SHA256 6778c7c7b6b6c1c273e668169a7652a681da86ad62d03f7c5aa120405069feb2
SHA512 90c6dda39740f839fb470f838c35d5f264a0a8664c57cbc66c431082710ee633ca4672b3b64902e7bbb7a61e9b9f4eea251a7d8b6d5126de6d73d3480fdede5d

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML

MD5 eb74234cb882f0fedae27f0b9e9957d8
SHA1 973377cb3ecbbe475ec49d45f15ced0a02143a1c
SHA256 0645a4a67dcec462dc9f335bb0564e6e39bf12ea7e40cf8de81418210102c2d1
SHA512 480e05680cdcb4d72456228a7a61f2577eb2e412760fce40a5b4066d140d41545110b830851b764ac483a6630dd5ff1e27ba1f95643fa3fcb801eed514ba4b29

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML

MD5 b024a04198ed894b334178e411856122
SHA1 ca7552399eca0ceec6a3dbf393396fade2f5f550
SHA256 cadbea407cb411d2ed1c47c77536b622eb7d53d4fd3ee3b9897d554298683fe3
SHA512 466ef38a6bd49fc816e208b408e5bcc7d366dc7eb9072600ab21510b6e1417894bffeee5ec96f5a0a535d8e541fd505ae3450f2233e5a128bb073394c530e879

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML

MD5 b4052c951a5d5df0482bec08dcd1a1d9
SHA1 99f3e0929eabf972e94c276c6423499860202f65
SHA256 f860ea6cfbfe8ddb3862a09c1b443f3273dac1a4757ce9e7a3b34d46f971ff10
SHA512 c26450d504e58cdbba0ded009158837855dadd8040b0c05845ee25b540567758c650df3d6b28c3571adff47e39d8ef99b30144250477524a19ab172d0870ef82

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML

MD5 938fcac2676e99d92efee069eacacc37
SHA1 575b35480aab9ada77d22f922bc57cb49a7580a6
SHA256 9b8747ddedfdcb06f34ca5161281e28aafe3bec2e4b21aa731e17bb46dabc6c1
SHA512 515074b8b8c14986ab86913a659ffa007cab07db5c6798ef6a4e12279ad3bf68262ac42ce991ed20a06825a8e5b8d0efc48aca38dad5503178d1dce0ef68c33c

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML

MD5 dc5794fd7e35debdd2e25f3e22761cce
SHA1 348034e08eaa9434bcf5713e9880f60bfd33ba78
SHA256 15dfcf446deb114d465215cf49907aa5efc5fb8531f97607d50148cb4b680288
SHA512 6a9b27a6702e40ef03367ce611716816cc4debac9086983148ff75c4e8656f10ff5edf73e95e18efe9e0ef7b721350e86a20919061d0ce1266258384ef98b1d2

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML

MD5 0b0d4b77b1494ca873f4311cc88a9fde
SHA1 e88f8c3100290bbcdc224f4db05a77811726fe90
SHA256 60107be66c9efe4d6aa0a3864f71d60b3800c8d6400daa36c05609d099b5f891
SHA512 0a2410540f096ebd0464f16681b7375152fe8844ad2fed5fe86b352a61d6c65695051c82a36b77156a79ac633943463739752163d48b26abedf2db2c49ba794d

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

MD5 07c6b27f87811c0a80092594b3ff72dd
SHA1 352c669011b5d01de046db9c5e8a9f97c7f03dfe
SHA256 d287039e1eb19e4158bae34399ca2ac82bfde9f057fb3c05a775796fe2474814
SHA512 8906e9bfc6410b68e003a3aec41f561136e1468558523168d34466b2716c7f96291c4b3a54e64fe8f2872fa5493128e32fd3130aaf5af08e58f025f4b51fd5cc

C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE

MD5 9d7ec4fb756915aeea367ad94a6e5eda
SHA1 87ce6b8a986a812cf3ad70613aed62297dcd9fc0
SHA256 d1ad282f3cb65a1416d318c280e5468142b0c759a819a1fd22fc24df875a72f4
SHA512 47ef167da65a484182028ad1e5b5f29cde847830dbd8790acfca33f0a51730a7b05ddd470eef587eb6cf1ff73db1fdc300e400ae66ebed867d7125fe7f8392cf

C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE

MD5 54503a511a5b9dbd0d705a1d02fdc9f3
SHA1 b18bb163994daf07e1880a0cb5359c7a5955dc0e
SHA256 bb7fde1ee80d000a2ebd6934a60c8ab3756a50d11b24b3316727cbc6a3ac31a1
SHA512 0f103580ac4363987ff2a952cbe3016a5b603a038b5c037c7bfc02dc8c67448b90e712ec884fe35f35ca3de4e1f1dd4269b87137c32525235096840f666ff58b

C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE

MD5 28b995237c639cb76cfd9e902202779f
SHA1 4caaa8be73c527d848c81416c6535ad2572d1a83
SHA256 1bc478aeeca525d61389653b6d25f272b77574fc125ae5b1607fe5b255111294
SHA512 1fed188f9ab63b80077d78cf88acb8fc3669d6829910201267983a7b1d28618336cbffc5eac9578d5cec5ed3cbc701266ccf32b8127259a14d4adc5537eb23c3

C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM

MD5 7d0a27db87cbd4243eacad312e5d7f41
SHA1 9b077bbd55fc3718e25dd9b80b89423cd9495633
SHA256 8ae7498b01f40e9d2a04df8a8a91cc0b180eb9eb64b78129f59a6d6ab547816b
SHA512 88ed00f2eba7cc1e53fafddcb74c2c1029f2866c4379816b0c53a6230dd5a06eb33092647b36c90f29ebbb7c705fcb065514977acb06fea4cadd43ae144f73ed

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip

MD5 1b09d4b3b183d0e78c9627ba6b0f925e
SHA1 fd441ff31ab04f40acc054b90c34bdee299017bc
SHA256 2555bb5583cd7eecea012833776c74683ce3479d1c1553733366905bc820ea83
SHA512 5426ddbc2ee693f1397c0a44ca5c6f1f8b763189326edfbdae4e82157ffa525937f78f0461f9d9b284a4a2491c7b1fe20d887adeb3ab7a07186b46ab6f5f8038

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000

MD5 cea67ffae620e6410ed0590dc6ec9b92
SHA1 de0e7c9e496fdd650fd8ab826e84b256eeb85812
SHA256 2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537
SHA512 ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini

MD5 0a9c72f9db202d3c13e46b9a902f4a6c
SHA1 c0ef3c5679f5c071f592f49042733f9542a59e4f
SHA256 57eb66eb632b72c290761008baf8118400f3a914e5ea4ff8621c3d61d529c89c
SHA512 2788ba119c86c5f806ac04b1435d0ca668ae665d843d99128cce7b2d79726434d15c2dc0d3d991cd9fd2a492f14695f01a7c5e825211e7a6a593cfb6a85360c9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk

MD5 3acc3cc8c26b9cd4f8db480174d5210f
SHA1 0084bb4735d725d16042918ea916d3e39d379177
SHA256 18df269c236e68e99a2e97691011172e3c2c600448a13dca21118370bc226335
SHA512 614d3e11bf7670772edc4135db9ea0056d23b2b7374bfafd47bb3de080cd2e35b83b336ce3eadda374b869af5f28b0b29998f011455b467cfd4cbd47bc1ab7b3

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk

MD5 17240404cc21fa5bd98a4a03b059f656
SHA1 17bf789e27311a0ab774e7a293b834c82c425d49
SHA256 54ad5402b99458324b0e2a71fb21fe7c0e16eccf508b444034a6585aae645053
SHA512 d05635f214f250f97319544464039754e289ee5424729d053b5efa90159ddeb6b1ae3902aac8ddc711b5ca51e78aab299f06fd8c19f0d14c9ab621941983a7ce

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk

MD5 98ca7859082dd1dc8570f548fd1a4894
SHA1 4687cac842d71ea8ddca89cc681dbc83df8aa787
SHA256 56ef96896db0a2f66b66a8513c0c1f699c5c67f1b23d5e7daab3e679e37d48e3
SHA512 c215566e992e46e77bac8dc462301b82206f499d46153203129bd4b05cd1d22621afc2ae828a998369fd0e3578f575fcc53b429023f74c3d7eaf01a8a65b040d

C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

MD5 80bda6f948a1289beefa36d2ba38194d
SHA1 948905d56e776f1efa1e026b309c6669b089a2fa
SHA256 9cb5d05f0db60b9e0d1b76af229fd2a705903d6a1278d4b815faa536a60c118d
SHA512 ebbc2ac06f50c65430f2d3df2dd94434a6bb0e431a48e5929d57b944882f66e488f6abb668535f0bdd5007b92d18d2c4b726ccbc547c60c6adb3c8f5b7f4e586

C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

MD5 55b53f1413edc16c71b2ed8377f7cebf
SHA1 c4c7cc19e754412b38845e6fa4c48d20b1c51da4
SHA256 3eefc4790b52024832ea4c03c6e7a781f3ef9416866a959b2777fce101ad9d61
SHA512 23301467411dbbfc5b302282dcb483e3d2758f7b4f999f32717e2d758479fab08e553149558c4a0c2f69b8db739a3eca67e78ef8ddf3d6304e5b577044d55b8f

C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

MD5 565aba2aa486212bffe024fefb3a8ba0
SHA1 13f8e2befaf22d391595db2f5bb2efd761cb41ac
SHA256 891c1644d5e29e33e5bb88666853f9531b93a3d6fbbd4a8b01e4e8701f836bea
SHA512 a7a9610937383b8b9feeacacbda08f5d05692cd1550b238caac7a94d17399d689bc95e5afbd7a378e4cb2524d59c3bc3591e975a6aad65bcb6f6cd2e65cbe8ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

MD5 4ae71336e44bf9bf79d2752e234818a5
SHA1 e129f27c5103bc5cc44bcdf0a15e160d445066ff
SHA256 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
SHA512 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old

MD5 28e37d39272f9d6d788d86cbf1810af5
SHA1 aef68a573fb6ec07b0188e2bda3be86c0e79c299
SHA256 06ea118edadd836a02b202c05bc7e47356b57e28c01edf1dad6cc4cf90c662e2
SHA512 1546ae0b5381c79337a67259b889cbceb216358ecd37e7e70d34ebcd52e3aabf1f13952240670884c8fcc705fffb339d0b6ad63c32e412e23fa70e47fe489473

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000005.ldb

MD5 e62da29ac3a82185101eb38cb426322a
SHA1 bb7cbd9ba983f9dceb9fdeaa062f2a142bc84cb2
SHA256 dc2021c180e2d8367d094b4c07d11bd556d64b33d1fe8bf58e208e8da8f5dd55
SHA512 158c590f882fae0fbb8c8bf37e30401272167b76cf26736d0633d4af28c70e91ddefd155090ba13e19c027f8c0546b8176049132370a0068f9c41a413aba5558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004

MD5 871bdd96b159c14d15c8d97d9111e9c8
SHA1 8cd537a621659c289f0707bad94719b5782ddb1f
SHA256 cc2786e1f9910a9d811400edcddaf7075195f7a16b216dcbefba3bc7c4f2ae51
SHA512 e116d2d486bc802e99d5ffe83a666d5e324887a65965c7e0d90b238a4ee1db97e28f59aed23e6f968868902d762df06146833be62064c4a74d7c9384dfb0c7f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png

MD5 251a7e1401487e69a415fde9d5128b27
SHA1 9bb2d9b5d93e8f9dfe5337014008bce57b3cdb18
SHA256 d1db33e3ae5c6779e11ecc0ddf3962bf0559582980b5e5a92fd5caf91cb1bff2
SHA512 b572720338c60d4c27870e563145269d62470bd32cfb6ba4dbecc881632273189946d813fb6c6f4ea0539f9f0a6975c89b1bcf7fe7c297a005a4b15d8a4eccd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

MD5 5eba5d7f4a561ec133faf5a6fa54a84c
SHA1 8ec9a9b74632a3b8ce7189f9c58ab3acdf5aaa12
SHA256 0abe90866c4fbc89ae5b4512dde9df1c441a2f5923ee3e7932cf34532a6bf773
SHA512 5730894b7e0e4899ae77f45c6a63e02f4a7757e9f9dfcdd24f1029a72caed7f6a40d5bc52cc711a5b4b4e2ad0567ac25373cc019736fec38ec19235e0fb7396f

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini

MD5 53553242d57214aaa5726a09b05fe7bc
SHA1 931613845dd0e72f1b1a5ba0c89f1c34e5cc089d
SHA256 1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802
SHA512 dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B6CFE804-CBD4-11EE-A2CF-6EE901CCE9B5}.dat

MD5 b4202f7fe985b9648b4676e6f70832bd
SHA1 d37c2b3927946ed617455b3c5913fcab0bc1af52
SHA256 6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10
SHA512 447ea3de41bc400836a5a3df01efe61c2b3d5d646e9310f399c4842c5268d96042d8432d85fde19dcc8f43a2243626e9de850c9ce37d46fe0d0dd0fe5b2b6a88

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 897208d5df122e307ab837d982b2c085
SHA1 cf4ca14a7adcbc197cd84c1997efdd076911d608
SHA256 eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4
SHA512 b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini

MD5 68cf4c147c95c7e6a1e5a6ee6dc7a185
SHA1 4204d04da17eea4650c1e921106988ea61c97d40
SHA256 c38f1294a259a7e943728e76d1a9d2e0992d22f4cebf6de1fb42204e7126d19a
SHA512 94dc7f770068c869ac5471148e7ce30670a0bde0014c98a295b4c9b68bb5aba33d39fde081be849c625f501bbd66014214e2c5561b8c0c0deba02e9c788ef098

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 6df9012b2b7cb3c55963499a26309bba
SHA1 6d7aaa7d2bcca4a8758b398ab7617839203c828a
SHA256 80bd5cb5a9ca35dcdea1d59b5f1778f4114f6215af38004a02a99a1d37383648
SHA512 32aa05aca47a17b6afdbadabe83e929e5a55777c5f5ddb0c854ae78ef403a2baeda46e7f1f1fd7de5237749f43d5f8ce0c95e260ef25e27e20cbdffde41bcaf6

C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

MD5 3561c0dffdb90248fa1fc2d4fb86f08a
SHA1 f68f30ee52133e400606a6be91d2d982388b43a2
SHA256 4fea5e6a3ec5f5474a26d858bc77b6d7bd3ab864ea02d988683fdc648602b248
SHA512 6b83e8fc9a2ad34694319eff2972435d2facffb23f6e5d6b2eb7381bd9012a489912c56ab6dfce07ca387b777496f612e63842aa294a208f5360077f37e87b1d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpset

MD5 654285e76e3062621bb2a7abadeb9214
SHA1 90514492cfadee2303e64fe5bb1c852fc7caf2bc
SHA256 6c2b87f2b54344778d2eb7f85ae86f2079206f40d185896f7dd3df446533e8a1
SHA512 2ddd07e926504fa628db2e422ed2975fe4d0d99f8effbe43025e19634ad34b7f54b5de7be5dd32972377fe67c5a6d8436c525a1fc9db2d8ccfe676c1d9084c99

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

MD5 c3eef41f29629d2c7796d9c3ee638df3
SHA1 65c07cdd1c2108cb27649aad8690f2643d018e41
SHA256 04893027370077030b48fd90535706dedb3b2d31e4f6ce5bfbcd1c8578017383
SHA512 96898187fe2e319b120c3026a300b06109bc1c9720660a30d8a3705d7cf58f37162d61e904f64b798c4368e4716c3adbbbdb8d047dae4822c131f4526d5b331b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76

MD5 5d52c133dbb0c7dda6de26ed1ca2c54d
SHA1 d61596a342190277c0440fb1eaa096e22ec92a23
SHA256 913c6e2c32d99e4baff62cf421a494730cb043924f2c6bf46406573b59c641bd
SHA512 60bbc39283fa13b09473078627965c153aa35cc330bf37ad9b0827725b1f0fa81e72378d0b88194641cf2c4777a9c4148e6925df180d1315f7b674b860a3d944

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d2a70550489de356a2cd6bfc40711204
SHA1 02ec1f60b2e76741dd9848ac432057ff9d58d750
SHA256 e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293
SHA512 2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.Admin\times.json

MD5 0d7db7ff842f89a36b58fa2541de2a6c
SHA1 50f3b486f99fb22648d26870e7a5cba01caed3da
SHA256 140eda45fe001c0fe47edd7fc509ff1882d46fbcb7c7437d893c1fb83012e433
SHA512 6e6570a7cc802760730db659a4ede4221ac2cd944f4b0d97b0a5c8a9f2a072899e3c3fc5dac336b53f8accde81cbeeca6c5998a1471a2f91eb60e3e13620368d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813

MD5 5896cf4827474d1dd04f483e94f82442
SHA1 372c979db150dedddc4d4520e68b1922a282ce01
SHA256 f9a250dc807b5a4fbf459bf5a1ddcd7347f0e6f21f8df32aaa7a79013e540af6
SHA512 23f167acc659615289dfbac3a7d9fdea5c3a7de690051e79b5ff693c2a29c518e12be87850c7136b43cf321eac9695847bf02924c4024b5218e196e9a9f389cb

C:\Users\Admin\Downloads\desktop.ini

MD5 65fe580cf845ed035c4e57ad02a987cf
SHA1 6a7fc08e53675bd325b0e6426eec4ce52db7f2a6
SHA256 4afd6e7f6ef862c727cf5780abfde2094eb56e93383b6e9d4cb7fae81dd17cd1
SHA512 bbc34c4f8892aaae0831e02cdc146ffca22efff5e70601bafa084bb0824e88c87fd20988e602fdcf649ba0322ea1d74cdd5bc7805525987c4115096173e33b76

C:\Users\Admin\Favorites\Links for United States\desktop.ini

MD5 59763dea4943fa0a7ec51296d5f2c7b3
SHA1 c3b3795c396c3f64ac68d9304f97b34adfdbf206
SHA256 6eb69e26de2a26eda48af77d4cec893aa0cf4748a64cbefcfe11a22c1e680ad9
SHA512 92c41f07d1aad07acbe943f36731f4739b5bd84822f660459e464262d45f4970203210180655683feb51868735d9deaaf37fb8308d415376bc631ce887b94fdd

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk

MD5 1477fccb6f5105178b8a4959217a35a0
SHA1 c66fa5d6d133a7cb7247edd1b32fc6b82dec3dd9
SHA256 118980fc1bef9a9da8a06e2a864d3f5f5573b37786bac8709746a8ca26a12523
SHA512 1715a141037d97e12c98f91a62bd44e76364af02e8ad5024699e9dc3951d005eb3471de1bde3569a61af8e5127883cc1133b6274928bde3c5ad5840e36ee764a

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk

MD5 393017b9101a884b66d64849d99a7d05
SHA1 6fbef1dbdae7b9c1eb817a8c762704f4301192da
SHA256 fb701ba16878b120e90469d8238b8765f8a157f6aabf76d94fd6aa09b591cf93
SHA512 175fcd4da63f57f127b2382965a38a9359fee7f7a694803bd4f76e8715ac9c607e6ea863b2d938514e727f539613b7e93ed3110c47b30ff4530c3e142237c555

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

MD5 9081505b52708b1cf5f639883942d813
SHA1 1efd3054cc8a59abfc3e52f5aa5702c8fb18b0d5
SHA256 5cad8b3db8fbb29e0cabbd785e1e3449ebcd5b04544cde14c93812a93860cc47
SHA512 23b0249a981614c2ac604fa68be9876919513ebddff84aa08e98f05495531f0c4ff7f1dcf19e2b7d9b6040c65e96dc3c210a695f66b20c25b020461cb9c116d0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk

MD5 25a495be8250cc90b02a483e82df99c6
SHA1 0f8ca0d9fa83bb38a8a400a893185e589a968742
SHA256 ba1d859d62b101dc263d6834aaa81378941736dfab33b15243a4bf3b45691735
SHA512 6926347d0da33ecdf2af9d5ef5966f2108da941447c4e33ca90eeebf82a4171a1439bb3b285c31387e08b5fbd964851fd98d4c352975802de74ce02b03b7bd0d

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 6ef918fec6062ec3fa9aec3515ff22e9
SHA1 7b97afba8180e32e17cf04e2ebc14306fbd37a63
SHA256 9df18e83bfce0d614cee8a1ce8ab9500f4fc8c1b39f41acb9b7caaa317fb55f2
SHA512 03c347f8c31b3aed7c3b73450b774fac8a917d2ce7ee9bb58e9da6c3121dd6fd88334ce9ddb56404c1d9c9a964319808577f62855d559a66606537651780b7b0

C:\info.hta

MD5 c45425de4b02ffb21540921477482f27
SHA1 481cbd36f1e88d0a46b25e20cb0f836d75512b59
SHA256 af77dd87c7c5d122b4550b829e9df84f2a66493c1561c260600e33111fd28d92
SHA512 8a458c9cc897f078b4c815a4bcc3baa3d146fd19fd10a1da2e37a824ee78ecccf8067a1604bf9bc3b280d627b3d411cf4f999ed21908e18c23473bec52a56a85

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 01:24

Reported

2024-05-20 01:26

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (516) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7 = "C:\\Users\\Admin\\AppData\\Local\\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7 = "C:\\Users\\Admin\\AppData\\Local\\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Wide.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmtransactions_xl.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\Microsoft.AnalysisServices.SPClient.Interfaces.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Glasses.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\startup.js C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_tr.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\ChartIm.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Describe.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\meta-index C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-125.jpg C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-125.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg.id[BBB3507C-3455].[[email protected]].Carver C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPMediaSharing.dll C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 4080 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 4080 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe
PID 2368 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 3592 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3592 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4396 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4396 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4396 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4396 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4396 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4396 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4396 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4396 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4396 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4396 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3592 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3592 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2996 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2996 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2996 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2996 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2996 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2996 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2996 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2996 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2996 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7.exe

MD5 c04308d1711d130ef4600da630e12028
SHA1 64d394337a374713edc6b089c993db708740d259
SHA256 cb9c2bccf573d6fe729544b89d0b4c16b6ce6ee657cbcebe0e14a3225ac648e3
SHA512 661cdae65d0e444823000f0be93cca2c5a06d237ec646ef1e41a785109718ec77f89a01aad8ba6beccfcf4c2a9351947677ba5b91ebb5ba705b3310744cb2ce4

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Program Files\7-Zip\7z.exe

MD5 26f7a83fcf6b31b786c91895d1bdf46e
SHA1 ee774dde283164e3728f154a218de091f87d161f
SHA256 3701a7e99b37d6738cf1406569b5b3a7aef28ef55ad7def4191ba57835d502d6
SHA512 ffdf7aced2f86ca568eb13c1b44458b5336aefe5c8517c86d3171766f7694f7a6ba112a6ee3511eb50712b9f954d1c3de12e3e68259174efa8ad41f8d55c5991

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

memory/4080-2748-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md

MD5 ddc4cb14453391bcb5f4d645b2916a6c
SHA1 c4738d174c90c285e17bf51a9218256f45f96ea7
SHA256 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb
SHA512 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 c5b7a97bda04c48435a145f2d1f9bb42
SHA1 bd94219a79987af3e4d4ce45b07edc2230aaf655
SHA256 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0
SHA512 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

MD5 809457c05fe696f5d34ac5ac8768cdd4
SHA1 a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA256 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA512 cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

memory/4080-8236-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK

MD5 b9205d5c0a413e022f6c36d4bdfa0750
SHA1 f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA512 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK

MD5 301657e2669b4c76979a15f801cc2adf
SHA1 f7430efc590e79b847ab97b6e429cd07ef886726
SHA256 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512 e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html

MD5 3be680b6a8edfdeed37bf5068a37dccd
SHA1 75bc261fc558634731e683e431e4a31c5b463107
SHA256 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4
SHA512 a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21

memory/4080-14584-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4080-19563-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

MD5 3f08f2e23dc44990f0ef9b9869351758
SHA1 8026b7e51c8b3fceeaed6d1c2a6671b63249e183
SHA256 75cce63070db3d924f709518399ada2531d12adec577bff86f23be7ea392bb3d
SHA512 086645cb6611bb2c32b73297b35ba642d6720c18e4da66cad9e1e5902aabf631320407e19be9920b1dd264299ba57c1bd2aa6310c2f9e08c997b2698c4aae68a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5 5c2da2ebcfbb5e30f1869f66ab6a527b
SHA1 86b7ca5343d9c4d174f5c7529f6a8fb2c9732e1f
SHA256 996f5def024bfd8ab5df79ac0d61f7852d2f5a51073eb3ed3cb11086bf324a18
SHA512 8e7feaa9f901b7252625eb76fddd7272e105e3bbb8dc12b5771ae67cee1d58a26a59b065ef5f0a745d09278dccac4ce8649cc839aadefbb397e9488814df4160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5 aa128add25b91dd886afcd1897d29598
SHA1 18a29f7d127823fa94ff045bcd2fa7626b21f419
SHA256 b2e44e781a01b1e6d04260120a7d4f7382bf4fc246ecbf27024661dabac0ebdd
SHA512 7a6403caa5dbc9dfd7b141b4ee3752464b4746f8e8023d87e7dea96d4ee8f61ba25fbd5260aab493b8e29f5256d9241948efd348e2087dd0948356f3e8d638b0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 9611660917f601f1fb9198507db3eaf1
SHA1 53822d2e951a491b465ad8ca2ecece5844f05f22
SHA256 755bdc2e23fdf84876c1796733b4c5529389bd4136d1d4b291d79f973311ba89
SHA512 23e4873b8cb56db517928e9035f84890fbb573baa2064dee7ec5692d3dcfbdee0efb2b996608fc5d937c018a5cf1144aafc7c42b2bd49e630ad558ce3dbae411

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5 b43a07a463c9ad9d8419d986dc6211de
SHA1 8c8db898325d2d3bddae171773ec374d85fef90e
SHA256 e0d6fce3bb1d440b19a18a3deef77ab4b9e24dc342ed0139492328d638178e54
SHA512 6036525f03bcd817b80283dd18ce3f30fd09f2403429c056c1f62d59f44179a9e0061bc72fb3921f56393cad82c8c6597b7929d87c8abe57991e595956ff7f73

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5 1f40eec06bdcc9e949b1259c5e61991a
SHA1 2cd91e12afb44b2ca62e9e82e95aed01fbca00c1
SHA256 cc43063ba6f50fb20a2632be4fd156d388c4ca6d527594c70477f5c4b6e13795
SHA512 cffc55896afe44dd3ee213425ac1bca9e9104ecc9e283844709764a828acafd314d251e14a78cf8062d58447a20b59ec340159264e290b779bfbac7557b4d636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

MD5 cf9ffb7ea7001f26fcb3d5f6da2aed64
SHA1 479e5310378d1e773e4b38cedaa5266eb82cf79b
SHA256 a4a5394541eb8a08d54a354f9cb445e577e54d22ee3679391f9c0ca07672fcc2
SHA512 1af42e32c203aec582a0f561297c1338cdf92be5b46a02984515a6c4ca5cf45429c79972f8e1ab5f1a2cc0162ea5e61995f01c3179f303a5c95419e360139736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5 69e4ba1f83980700b6676a20dbf7b3d0
SHA1 030edea5f616be1bddd9af64a23aed89f5e14d5f
SHA256 b5ed2baef8e4752fa2f84d711597c0b9db1d501daa501067c5345d8cc2c73a6a
SHA512 abcad716ffc648bfb6380125e9e1f2f728e39b380ed6757961fb8f4c3b87506e70db0f7a0dbc69636b6c7c75cedc978cb4e917b63db1e22f97b29de9e3a72267

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5 33ff04415f2d8f2a29ff3908429a3c23
SHA1 294ea591d235a728e5023397e1aa32e7f9cce2d8
SHA256 e3fbb185f7debf1ab7dbb0bea1c19b69473806855bb8efb267606baa3b01964f
SHA512 99b14b21d06ba857b43d9b6db6a11c6feb95e6f279e8f7aa182d92a2688bb2f946c75cdd7b4849d937944b1f164e22f1ce4cf1c6352367b47b22cfc800c33d52

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

MD5 ddd0389389450f55ce1a1154fc6caca2
SHA1 7dde57eb3afe8d0f1d413c278e342604e1df2427
SHA256 aea9fd9958934efe57f14b2e375af4bea0acb728a61a8ee3664efa938cb840bc
SHA512 e6e3efec88f74a862371e3a20404ea043f12b1a86f84db25dfc3eabc185b32713b8c168b7ba285fe2d7ac8bb1900ba421a4b1e49b78b6eb36a09478afd7bba38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

MD5 653aeebc98df7ee6e7867b25e835e3c1
SHA1 bca711524516bfe85d7aee7a83516a41dbaf165a
SHA256 aee0bc18d855eada25b25016845447b51b9a885755ff85c7db9954419ab9f848
SHA512 a9cd010e20ebbe3120515ffbb161a8326aace09b9a07c729e1a7723be99423102d47e6c9e94db7f3161ee13583e7c205cd8108e0e4c2c9a42a362746dd454fb4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

MD5 30d7d53969ea68a8d4b36ebb2cbba7bc
SHA1 2456c3af5412ede0f510db4f65569433da119f27
SHA256 bbebb679023fd1768537ac4436a0a4ad0bf86a162eb04b3e02e66059f097f905
SHA512 8152071217f67a8f816822f2b6941036d4256dcb24e6b7cad9cee99c7cc7cc0deff61340f43f4e4a925100b771a43b1fc72fab3a521601adbce693b4578449bf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5 95610f9dcded01432d179f76a715400f
SHA1 435b7845b5dc5c1d3348640277a231be146ff646
SHA256 4f97cdcbaf61c668233cb0ffe7a4868e287bfa2ba969760ef70c20a703354dd3
SHA512 de4b305b541a1511780e6bc3a759fc1c64addb96290decc9fba6d4ea42a320aa422c8ed55a7b7fc91d308491f711243b42cdecad47c39c47cbd418106a8ee0f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png

MD5 eedd2d13e3671d589714446755b78b38
SHA1 2fdd23507187a259f5a7edb01611a37b6b09f4da
SHA256 467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d
SHA512 ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg

MD5 b651e9101be833e87337050028831efd
SHA1 ee594ba38a6324369ffc7b4dc89407d3436e34d9
SHA256 4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619
SHA512 3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

MD5 1bf37c0336c12ccaa1c62386acacc858
SHA1 f1e187c79588e4e9fce931997443d7e5cafd1db6
SHA256 a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673
SHA512 f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg

MD5 81cfb9735fea15ca8791a3c34a78d992
SHA1 9b4962166a47f5edc62e5fe3c4f8772446db9296
SHA256 3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8
SHA512 f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg

MD5 55215e8f92d35f26cca06fa9d5d221e9
SHA1 994838c8df5921e3828749a7703ebfa8383e43b6
SHA256 e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae
SHA512 7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg

MD5 cd5d2472a2bf9ac7eb4e15146b30bd2f
SHA1 bca600423f99b87df44fde9d96ff874017037afe
SHA256 038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c
SHA512 dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg

MD5 3f16cc51cf788a50e6cc1ae60897bbf7
SHA1 e5a8c8f5227ca6da79589192892e81b6a3f43686
SHA256 30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d
SHA512 17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg

MD5 2807924fc18c958c38a7004a5dbd4091
SHA1 85534040543c3306284e6a475999c46249a35e4b
SHA256 0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500
SHA512 264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg

MD5 30c9bd1aee3794fd46bc99fc2a359212
SHA1 9817640da0b98babc461d277a39b323dc9a76cd3
SHA256 4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d
SHA512 bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif

MD5 e3c4dd21a9171fd39d208efa09bf7883
SHA1 9438e360f578e12c0e0e8ed28e2c125c1cefee16
SHA256 d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb
SHA512 2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg

MD5 0498cfb8aae1383c049e8ccdd85f3abf
SHA1 c5fbfcc70b441e91a5ecd23295c745aaf076aa4d
SHA256 ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c
SHA512 113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js

MD5 0d3a12fd3f68decc694da04b57e61d8c
SHA1 f73d4d591f6ef0b2b04fc90d2e840329f7590743
SHA256 ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76
SHA512 2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js

MD5 68b6f0644d50595a97c9fd60b8d8e697
SHA1 a4d0edf9264ce1922dc419c7f3b3cedb2814bea7
SHA256 bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f
SHA512 d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

MD5 65c9f3fb24b80d8c470d518f901b9c60
SHA1 b9521c39944357d4b55b91f9f3739575d1f3bef1
SHA256 8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6
SHA512 6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

MD5 a778c47dd8521d6a12093b3e97ed8474
SHA1 2099d940cc672373884e1c622bbb606e9e9438b9
SHA256 d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6
SHA512 7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js

MD5 dd24e91615f1963a5c64bc9878a0a8d5
SHA1 407ece3322d57d16a448b5522d4f29229f80b8b1
SHA256 4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33
SHA512 a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 3f7323acc829bc8b3799148d439b3d47
SHA1 3d3c540c4080462a8013d6db9383ad69606779e8
SHA256 d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0
SHA512 09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

MD5 fb4aa89fb89bf94d0590a3174d1193ff
SHA1 c3812f2105099071c24141a994a9d5087199dbf7
SHA256 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273
SHA512 a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

MD5 7ab2ac51d33778dac850c5dd8b4ba45d
SHA1 b3f47f20c438aa488fe835e0145c014853ee48aa
SHA256 ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc
SHA512 c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b

memory/4080-23009-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js

MD5 07bcf4e882ae521ec6ddfd0bb2a608db
SHA1 88e2ab25dec6ba9fedced9bbd21da03639da9409
SHA256 bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6
SHA512 ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

MD5 0ec670fd70f5e89c3d2727df9f2a5398
SHA1 d19c88c8e11361d4f29719518b8543e0ecf5ff09
SHA256 8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3
SHA512 a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

MD5 c7fc95def1d53bd3e747248ecbd3cd5e
SHA1 1b251f02465f9c7dce91aac5aa0679a3c34318e8
SHA256 4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5
SHA512 f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

MD5 2a78f84427d1d591409740722e60d793
SHA1 304f17d9c56e79b95f6c337dab88709d4f9b61f0
SHA256 4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6
SHA512 d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js

MD5 1ea3b76135bb4a589027d6243075a936
SHA1 2951fdafcb862ef53fcf213572368bd5e08094ad
SHA256 c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b
SHA512 3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

MD5 6cbbe3240a203b0ff387d9bbdadd49ef
SHA1 2c65f6ea9acd8d164ece87edf2f142942d8cdb42
SHA256 7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1
SHA512 cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png

MD5 b513ae819f7d8d10fa4f6cbfdf055b22
SHA1 b4228971cceadd4a698f3c206d8f4bc24a37f991
SHA256 25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7
SHA512 c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

MD5 b17a6a8826832fc2e1098d0286242861
SHA1 8ce2bb5944d61be2b628fc80ebabc769768e0b48
SHA256 82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f
SHA512 688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

MD5 651bcf535ed50ffa7724c8751bec1a66
SHA1 5758c4862740517ba28026c298d1b3a61f43716d
SHA256 359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e
SHA512 492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

MD5 bec4473fc43b77e28e60f89da4e29c00
SHA1 d5dbc7c6642a8a23da14f952a0f64fe874e8191b
SHA256 5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96
SHA512 ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js

MD5 d3e4c2fefeea6e6c467df305f7a8f3af
SHA1 a4468bf4d5abcb4d720b0fefb396dce5864e4717
SHA256 e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22
SHA512 b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js

MD5 a3f07671642038caece41ff2a52d8673
SHA1 53442624b01b79a3729a23d4f12efc8dae4b1002
SHA256 088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89
SHA512 5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

MD5 df3b4d35decc08d05ef8ee0644ab7274
SHA1 6b0381b9ee40dc8470a63218e5cc5feb579f7334
SHA256 e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164
SHA512 257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

MD5 74ca2c01b07af0dda4bb39ac330fc49c
SHA1 7cc7781cca7798ce0940fe9be999e85f8b5064e1
SHA256 ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c
SHA512 cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 39e7048d412b94bb2dad145a2daa5875
SHA1 08778bbd84d9411f2e531867dffe45fee5d60d24
SHA256 4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7
SHA512 65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

MD5 92f1f77de0ce17e9486d53787f69618e
SHA1 41198fdd6a18321c15c3d4647962e687fc036af6
SHA256 4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6
SHA512 b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

MD5 72542b122d453927f3d6c59552165606
SHA1 6e2b7f049b60f10edcdec06f357114448c0896f8
SHA256 3b17f8b83bec3e72acd0d014f58e7de206106a7644bf3293f93c7456ced47419
SHA512 25eade5c88cc35325978ba2e103050608fed4330a1677280eb2e0445946a3367d26796ca1233aa6d7ec4c87f04faf7706d82c72b3f3485d80c18e088813f7a1f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png

MD5 3d55e1e012d3824e53e84d404a6e2f2e
SHA1 9983296698d4e2736faf1c529e8d27f8071d7939
SHA256 6559f403524ea6ef9bf2e1d0bb66d1af8152920fb002ec2c4ced993083124a88
SHA512 ec75d4dea30bf7567b2f6e30ffed408815c57680a38659f6055d770c85393d8a5678d38a066ceb7fd0ff9c5ef49cf9fd73d7e8eae5a9a83360a41ca74343f576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 421cd12b43e660f10da31bee36e85f4b
SHA1 b568bb931d5bf4b5805d20fc339b06f9b3763c9d
SHA256 ce7c16adff608d624a412164fdc692305fb461f4b14f9167e6efa78dbbad12ba
SHA512 f56bf5a7a713cbf018203c24a7f9dd426a2cf018cb3ddf9e27f3a7765be3571339421fa5a2cc68f677eb4929a2a2835238a723db4de07bb0634e3f151878ac86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

MD5 7d8302df4582de342a31d0335e979ae7
SHA1 7a3e918e23dc8002dfbe1695f8e8fd52db995d1f
SHA256 899ad5e0b3501d7e00d2f3bd3c7729b4223839e8629c61328db0f818ba0870c9
SHA512 cbc23b3285f6d8d72221d0fc05ff59336402005e7d3f50d66249ef6076648ec2e22d33ed64f5436767c123f59d37dae45270a259153ed98b885f9c43ec9bc2aa

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

MD5 0900039f6502c5c4418f5b712f0dc94e
SHA1 cb39e28be0988298003a966ac208c54f83a6ae27
SHA256 7037318dbcb8809fd3d03ab0293d58666df18363f0144ef65b738ca3fbe028f0
SHA512 be9fc36c81963737569c65e4f295f347585bcec88b4fa6ef9da1478f4e0f947b64b8ccaaffb816a74216f713060ae0a56f58c3bea1d12b16bb8488a7663db391

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js

MD5 35d5c7b80ed270a94872c0e56a6c59c6
SHA1 bbc4ed04ea6c922213d7cc19c62c3c4cd23b7113
SHA256 5c03e31975b96b3d151d9e034b884cab9c6fb29576d2b5653c375fc5661b6dd1
SHA512 57ec341f6ff49f24516e117d5c0b119ba4c62dc0537cfcaa15bbba248729c06d29ca224462bb331c44ff1b3abd724df86d0b2ec473ae9f5d54e31ae2002e8bdd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js

MD5 29dbb24810bdd7f802c1165f8bc3a714
SHA1 9ed5ed2ea58cb6d9196e8d88fccdd8f0d522ea47
SHA256 c9fdf06266cf9e6d61f7989471abe569239a93cc2c0f65a7c596a81af8d6a67f
SHA512 3802320bcf7b20a6656460456d5b03ac4f85e4572d7530518dcf99f28162964adc211c5adcfb7ace603b6734271581cea26c9e85821b88b1915e13780a19ec24

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

MD5 b54b9c5d611b062aea9d8ec0d192335d
SHA1 a6a96602b80181ef494a0da49dacae1c44f7c739
SHA256 d70a13e9b9e9f4026679200872160d667979bd0ae57e6527d44090e49bbc2c83
SHA512 e56e4a0dba26c3bd824bcd397d495249466a3732bbe1466f9ed1c23ec3a25d79e44e360fb5ee5a229fb24d6961ac32a2a57d0a29fe669e767bd33b956f57ebf5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

MD5 7a232b079f30771ada44ab6a1843ec14
SHA1 72349db2853443af021d538be9417fe32369d2ab
SHA256 e33edcde1654c47b3f834797623932ff5dd99a4331b255b60452d69d61ccfb4c
SHA512 431073f497196ad03ba92a8087aa6c50717ae137b05aba341cd8f7ec1705b46f2878b30455c10d7339f89ef16022ca5d054b0f96e5956ef0590121ad8e1a6638

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

MD5 3b8883ab58438b245c89bc76ee848752
SHA1 7b01b457344fcf92362d14247f2c389ed0c89b6c
SHA256 b3b87c3ad568de5a1f07702392e3bfc76f41a47b2fa1d710198406c3c5172697
SHA512 200a52dd5e9334f2c768fb2d152a82cfd551c0991eada79ee92ae41e8beb82a1eac2d90fdac2d9741afe0b7edcbe046cb92a6cf339d25709b53d51f5feb55b1c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

MD5 edbd91ead174c60fdacb765349ea4fcf
SHA1 e55660206658be80e2033a93abd8854653246eea
SHA256 dfd68e26d32c27e8c7d096cd558b12da3228019525baaa2d4b32030339fb0b6a
SHA512 9c664370c6c102a0e6992f2fe711e7fe7f6ac732a8562bcc1839a0d99d828e4ab0b3dc70f33f3cba444d04161d0df13b70e72b9079c5aabc7a85543168d58854

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

MD5 5af99e838bada8e34b660d7fcecae2bf
SHA1 ead4e402f4696ede69adb3e4cd694e7d52925844
SHA256 e3f604ce27fb93d417b9e8a4a5f10f6fd17b59a76aad9754ea0cc5c56b31687a
SHA512 e69f6f12a51382491b4bec6f19260df249dc6dd9a33fc590a90a055baa5f6dcc80894e2c65ecc7dd0d10040c90740dcfcd2f98dbd1f2fbd94c34941897f6ecd9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 ffaab524b0c94fd06a44c1b5b683e0dc
SHA1 17dcce5e4d3b9f718c902863652cb67e060e2f3e
SHA256 d0a34414103960973357a239952bb0fab5f988ccda1b67ff8e6864afcd806272
SHA512 a7ecbd3e9656cb0fc1304b4b86980e97680c73b673c4284bbca08c4a3f3ade0699a7de61f0905aee9d521da4beaed61d3ec943090ecc44833118f1f5a29318ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 45ad813c887294a1c5c88358f6e6fd12
SHA1 45266d0bda31888b67b10c601d303caca8786d30
SHA256 91ed5badd0d99f45c65c0ccdec04fc59fffb1f6d055a4d2722dccde82a6bb73b
SHA512 b06ab5889fdf50735ff0c3cfcac3e526b9f32d694ac631e7c2a06eceff357f17e92540df5f84426f8e8f75726c1e7df3592f1620728b70a4b5290c9e49e377f8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg

MD5 9b4c8a5e36d3be7e2c4b1d75ded8c8a1
SHA1 1f884298931bc1126e693e30955855f19447d508
SHA256 ad47fd9e87159d651a53b3dfba3ef200684a9ed88c2528b62e18f3881fe203b0
SHA512 e1acc0b10c92c2895fc916fc8feead869e04315e5e6e279f8e61b344545103b4c9ff808c9ca2121d1b013879071364f677da128caeba89bf918ec2791e5ed094

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

MD5 5c4cbc56377969e41dcf39d60690feeb
SHA1 a20120d0d043af4d3b6a72db517ab8a623b3febc
SHA256 c0601bc1bac97e69da3ef3e2898aafe64aec5ae4f3ccbdb7649471f76da4ca0e
SHA512 4accc91aeb47949f1137ac69a0740a25c957853f59ff8d18077e64b1a3262488b71fc4bd45714075a0652328e1a49a602c7950b86edabbbd7e5abbd9000b705f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 a7a19c86ac01e03111c30032ba417b55
SHA1 fd7f42ef37d82cf1704b65762a8bc6b4a868234d
SHA256 494032a3293df271c7cc5d26a5753acffc5f6df811d024e9b573f2fa380f3591
SHA512 728d4755dd7d21c5ca285906d5f043728fd089de42d2fd04beb514563224104f7672e5f5144e4ed68770b933dd1069d76b26d140eb692d83d907176330f3f6dd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

MD5 f2f1d5a683617b2bdb6cb0b1eae67135
SHA1 3e0dda160b0f8b963dde8036b45aabab5d86504f
SHA256 96497e49c11ebeb0f73bc01b033b7f45cd9f8eee478176e11b1c7342efa63569
SHA512 cc9688ee19a6391296abbae9fb1422a6d72d87b7abe8552e860eeb092f8cf7e6864a7f06dae6a60784b77353c38103abd3632492f8b33b7b3d900531cdb673b2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 4eefd60f439096ed98b6d8a585da12ef
SHA1 75cb70498807b0c823cac760e00652842c1a63c3
SHA256 e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c
SHA512 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

MD5 5991993dd41d6d2b062d58bb70971e0c
SHA1 1a75ce12ef1c4cb6a85225d0bf4f68d4a3edfce5
SHA256 bd66e8f62d34f70917102405af895c0b07b79c13fd2d1ea65ebfba3bd4853aeb
SHA512 75511589b1937aca668348061728734718d02065ae76446b61e3292834709e3b66f2a453717fd593a8fa1db92ad7b97af03f7d2e7f5538716582ae7d8c11e09b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

MD5 6018a4862e3cc6b434d517a47858a2bf
SHA1 23769e9ae485bb2c35630db9a6ecc8a40c2207cf
SHA256 fde09d85ac7ec84dc0b5f2bf1c1f935b80a3e45dd9257af499d412302602f310
SHA512 4fae17ef027649315cbc73ea47a2fbdd8c8c05b9d818af5b41439e9e5fd81d62ce13f6ad125a2817d0bb4b24a831358803c53003628520cb9c2a8376ac8e1aa3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js

MD5 cf69901e6d4609009dff8be5b3045c96
SHA1 712afbf4bdf24b6fa059f0fcd837449d75432800
SHA256 16d0edc8b7ad7705b23a14058f366ff1c0dfa16a0ad14f741924c308754cf8d1
SHA512 84b63e071f56e8e406fe361473dfd6eb17daec1809eed425b1b977f0135d6a78a3375c9bd1a65daf1ac7977f712b63ed735eac8ebc91e55c1a3f366e288a9ed6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png

MD5 5e0d423694dc87169e1124f26d755117
SHA1 340b47ffc7ffe45c30ce927f1c839d01600f6161
SHA256 68df674391ddb32170020e5b55b8df9ac1bb5274419dbf8748ce53efb18584cf
SHA512 17ace592b7b00dd530d923711160c39417b6c6412c3528cecb002fc065a16dc439555f61e4f6de7ac86291cd9cac5f5ea8411bec8ffe043faba887026fd2ec77

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg

MD5 8c8fd1cfdc60f513bf20132a1d5aeea2
SHA1 40167e542ddfd848fd138e2914dbb7f116a8f99f
SHA256 f438a4e713df6a982afbe2eec993cd582edc37a876fee88e1ddabb478f2b5ee0
SHA512 e5a985404619bebfb615d4b5378942b56089b40170e4072c61eb9ddf722639941e820f039437b59cd3859944b3e06ed72ee49e879522e81fd9d49b56c8e40d35

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 8ab4b211dc3d2947d2466033f6d524f7
SHA1 7c457aa6cb3b704da3c977bbcf3953c3c1a7a7bb
SHA256 5bc633d52bc4345c9cc4ea7cf49422a85a9fe401faf3239ef72b53aa0dd667ee
SHA512 0b7e9cda1a82a15fc9492a35808bd1ea43966cf5e55d84b9831f79d64f36a66583a14f0ba95eb12098bf9df6a95eef0bec6606aba1cf56bdee0e046aa60f8d5f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg

MD5 2518c2304a390e60d20b53b101fc0056
SHA1 aae24d58011859ff6986508882dd7eecaaa7f604
SHA256 03e98670a1d9049b8e1f02c4fdd449d098465f7578ee0eebfaf3f138a78301ae
SHA512 b7457acf824d68e7728088668cd8d44e06566dc71d156db7e9480b957305f2268778907a8e93e4e2d1937b3c3cbfeeb327399cd7f33a60274d91efab2ec3f534

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

MD5 6b0a4731a12f99ceab2a3a60aa2062d7
SHA1 22105cea1a8f82d2825ce76553abffe85687e804
SHA256 da0864d98fa6599601257e4d098d40dd2a3611382f66baabf5b4bbde70c5167a
SHA512 b8425eb8d548226e06e6272eb77ab6ea54549f6897881122ea437521a13acd219ee63ad0af0bdc1a107adbdfbbf92b4fbd524b5b2813a5176366eb6f7ecaac1e

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 9c59ddbd6efb94149ccba07c086de145
SHA1 e2c98419b84e37c1c4a394b8ec6451072a1b8dc4
SHA256 dec84d95197eb2c166e8a47b085b02ec2d21dd7b2f0d657d832b4f38dd257e5c
SHA512 2355f97c7435734a675f1a25068f0a77fab08e29868c82b107813626ee8f705dedf63500bc6ee5e898451de147d9a0d999217385a42050f9a7ef071974b1809e

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 d898745feadc433e88f150481184f0b9
SHA1 114b2cca045890b72dfb7dc7abbe7878be5626b4
SHA256 9a265e8bae92ef6eee0c931d32bd13c843d3c49926a0e7fc8d7735972f28e381
SHA512 7faf47d247c58bbf5167ed8bc1dfaab0d01b585a911b69621efd1719fc81bb202cd512855389aeb965927aa0e15e25ba7ddc9aa05422c17f3dbffc80a15dda74

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

MD5 a97d500ac76b90370ebd1f0c91f5e68b
SHA1 0d9074e44698f9f3f24ca9b2f60e76f43e1f3fc5
SHA256 707ba797313ea4b21615bb6ce8631dfa48ebdc94f218c16aa0911a6ab6852615
SHA512 e9808493066f136a853fc780ee95d5ab38c98e0e8bd1175b753f162bb57c2dc5672466aa3446b60ff33615da5ae9ba098a980e372e12485e34005f72b784fc06

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

MD5 b8f31bac1be89bec86839ea45c0b8055
SHA1 27cdfd69fdf474ec4d961c599bcb66ffcf9f3a2c
SHA256 e41ae236411596b566331da7f5f798299db5629cfb05d1b43074f5975efb4c54
SHA512 b7844403a8b1ec7d976372b2c2a84315ee92c00b0d97ee95a264f8ae7c29f9db5e5ee415aab0a5b83f2188997cad3e702395eb1720f80df09c1570bcf35dc1f4

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

MD5 8991abd1fce1ec520bafd50a5e04e08f
SHA1 4e85cda9c5a1b64fe7e9b93a217a739d95f40186
SHA256 3a12117fbcde5289c5aa488bb4d304c748607e6725f80abb2031436b33360f1c
SHA512 68c1f0b484448cb8132fc0ab3098311e4fa71f5f2df50c872886329931812b2657c4a4ab2118c9c077f560b1afa8eefd8dc61dec57d655e95f52aff276675a40

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

MD5 648a2de249b93c97992bfa1b091378b7
SHA1 8ebffecaabc9bd80da4ae8e543dfe2f195eec3e3
SHA256 79cbe36f204b682248295dfc99ba1838b9b473d61c81b0b12811dea9c15e04f2
SHA512 cf4686f2a1efcfcbc87ea64a5a3621de725fea877855fd641bb34f0c898c17d07c6d8396b2e5e2075eaaf36c43060f0d71ec9711047dae56d317ba8e01a07ff3

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe

MD5 24aefd930cd0067bc1bec3a181d14570
SHA1 218c007ee9e37224488dfb849c80f791902d78aa
SHA256 1fc7d0e532af4bd685206932715ccc46019e8333b57adf2e7417fdfa2d756ee9
SHA512 8c9ffc265527391be4972c9d7620f00da4523f4834f9f4fe0ea79537c3f166c5f18d6cd9d5cd5444df2a420fbc1541fc78e29ae10d080413460c08c987dc80eb

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe

MD5 728747e82b337373a05772a52cfb2d9c
SHA1 3dbad154ba7298bcc16ec9c226f52718b778d8b5
SHA256 be1d040714fd32b9a3574d41fdfe407d1f87fdbbc568003ca06258d13d5c7b46
SHA512 0f62926da147a65218a464d096b18c9514370f40b69fd658ad6e56cb5bc8c0f58513c1a55045cd7b805989f66b4572d30c883f42b250848c4054e8a4fd3152cb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

MD5 6393e803f97c7fca713d899cb9886d18
SHA1 9172e7ae4f35a478cd416ece868cf308d303c3ab
SHA256 e7fe1ff96b2dcb1512bc530e2ac86ded63c495618d18aaf3c3db52e6ea3e2b0b
SHA512 de53203ad785d523124aeea4f5ede064dfa635d13b99db991728976bef4af2fa9afdc17f27a31c2b854a38cd2f37edd2343a2bc14581141217d09495dcac9970

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

MD5 ea605a6af7d7304d83b21619cb33ee6e
SHA1 5eebc2494214a8a22229630c77469bd9bf8c9157
SHA256 fa1ae4ef51e2ed75f7ad56cc553ece61a84ec415242200d66b1200ef8d40bac2
SHA512 4868ed87dd1cafa808469233bf01d5faf29c3dc94b31f6a46959b5b9eab1158af0137a8a649eaf1c3b855fc7a9b2ae860838209eee4e53a937e01cbb0e8066f1

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

MD5 1b9cc7e46765f3a07113568a76fa2f1f
SHA1 6c7b7494d4cd17c8f2fa99313a0ddadd45bdd471
SHA256 ae5b8d19cc48f20ba8c466e0122ed37279e9ba335d751e9f7bf6e3f5aab608b8
SHA512 fcb61565b91f3d58a207a7893be8ce808bf6d6f582ee353e74de2d284ce81248904b7f7eabc179666764704c386219786599fae61651c071f063a6bd9b5c9746

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 5bfc589d17d6fd6077affdcff278ccb4
SHA1 6ab62ee661fbb8510a5c9dbf1650babace18528b
SHA256 58d5c00fb6c0b65b5b313b96a2fcd5cbf352ae6aa3c1d9d86fda4f73716f7d39
SHA512 85ad6035333de189b8014da3a611854e415e90ebac57d8038103eb429325f2e57d239a774c9bc2d7aa17981b49ac57d36db8a4df575015a9d2057602fd3aa525

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe

MD5 fad9966e54caeb1542a3dc3559a2af7a
SHA1 545b0a9ac104246b9057c0c2aab7338ee5897b7a
SHA256 5e6b6f12832b261864c521292db9a8bd58e34883de6449f3edeb625e05679a94
SHA512 39e1c827a46e50be83c99ed82b418a492ac364ee7b8c53f9a6f366fcda582ebc26cfc98cdb7b47a31b06d40fe211cab8ea68938015385f130db7d71d5a831af9

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe

MD5 026c541324e53acd6dd7fa5990f515e7
SHA1 031761f07d0b635f90dd976f5f8e09a4a5e19aa0
SHA256 2468840dcaf48964b4fb38e0b7eaf75f6e9fcb4b39a3c9a518539111eb3cbd22
SHA512 8188bc3a11afc42007501137cf7c220ac488175b75c9718ad65497a0ed4186bef2836a49eaa1fd2c9f63647d58e2dfb73d90a5249ac558b30b1f633adda32eed

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 dcc4a91f78467b86dda3e0e63d215514
SHA1 3928cfc282ba30f60ef3d9db8b5a812144d42405
SHA256 9764703fb8ec1231dfb59bb7115a68c1e5f7ce5afffbdd9938b4e12cf95e4814
SHA512 ab1dd826695ad4e17a482be8cf06ced7ce687a09bfe926bea7ede7eec8e718c6b36242e25a63898af9f1e74ff09c32be49bf2c178510e370c9ae2cdea37a9a78

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

MD5 f2c13e37d477a5ef7b0f0886afbed857
SHA1 025587f7b15dab4e98503b7d703ac3b295af4b9e
SHA256 4f55e11b91801073662bd201d1352c873f5b4e7587bb883bcf03787b16a2d840
SHA512 69856b7b7f9056173113ee08deccc9e47ba773796e0b848aaca303b4c5bc3b8524f3470db4a1294fc38cff9f3386c37565b56f50d14ea76642486fc15cbb91a1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.manifest

MD5 69016e6a597d194701476b8e04d4e028
SHA1 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129
SHA256 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a
SHA512 a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

MD5 bdf15ecba166024c5972e4a3639abdf5
SHA1 37d5b9d863243a28939b3cfecba22c0258b1a74b
SHA256 4014a62b112caac4d49b3b37e65af9aced2f9dbe199c7cc526197d7a6621868c
SHA512 798de8413d902f73f8af7886c1f6e6447d5545083d9d749bd9a445c87cd27360bb99201f6b3debf0b5323822961d6bc455e684bd79cbe0309a9c12ed1db8524f

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe

MD5 6cb7441c3555b5b3b70f9a758b157fe3
SHA1 d3a906fd5751c52b8e3ae3d5736f4a623b09ea5b
SHA256 e6c6d233f8606139f3d32965078e58b49b46c98bb5830e623bde67f3d7592a6b
SHA512 77c2b0c062545afa3f298f0cef24961adaf3d74f1b1eb5b713792da211810a6b4a189646e3143ff212873462d2aa986d15df4edda552a9552cca8b96ac5b64b4

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe

MD5 9cca5e6792720f078a37651bd98f2b99
SHA1 8242fadb90b4c42de72d98375407e59881cd35e1
SHA256 3cccc1a17d3b21be67c1b32b6945f8263f20b4deee86efc735d450936b786e78
SHA512 1524bbab87ee1a66e5f67666d05a385eb7926987e8bd2c897683a3ec6e8ae06465071728f2468426ea69d652e8e7ad804537fa3f3ab48b10866a0949ae5a6550

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.sig

MD5 d8d0face111912e6dcc93f665bfa10ad
SHA1 e171cc8b4abd73e2e6f9e0145e8e3d46e333133b
SHA256 5efe288bf88e3a66ead387ee327d7f2ae6637fa507e14271cd1c30024279945e
SHA512 2bedc86a79225d3c23067a042a219976a670ee164222cbde077edc2bf5618181eb5e26edf86946e2797016c5a87f3534e47dc4ac76d40487354a701ef77aa51a

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe

MD5 b852c5acd4ae8a684063720ae806fd23
SHA1 0db080a9a1d5ef3f304e56741a0ec1c264248319
SHA256 e3fe2f2583ce960b31a4c09728fda62cea45015681821ed8d525d6bcf206a660
SHA512 a1f0b599049080267c765f1a654aaad6e73892b80916e7ede6f967df47131f5bed8ea734342db1cb1a8d3c860a16f4ada15818d122aa66b0c835393b18df0398

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe

MD5 56868dc18ca2a7b382a6f793d46f6c5f
SHA1 b1e9cbcc325dc1a643a25a87a84bb858a783446c
SHA256 85e818b844c8a3a70141ea2c10afc9f3382486c06e5f757ee98475555e315c25
SHA512 c0b20c68b4075dcaed8f95fdc7644326e272cc4c258b1dd74c227d3acf4aa5169f8025899c44dba4caac5b8588491284b7999fdd59957f9c885a20ba7c9fcb42

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe

MD5 1e47a7f8e04105419cc42f7e772f8d01
SHA1 3aee077892dc9439dc6f8064b4eaeb66c63ac836
SHA256 c5d1b7a4ecb0e5b0b90eca811a5ae8e5c559df1799b7f0c20ad9f3ec0a58085e
SHA512 356f82bc3a4d6078dbd3ce563d0c0b6aa756154992067f25f773f0a796efb3e54b872624f84c18ff39006068076afa0f8e01a2fdcaa653238142881b631b16fc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe

MD5 c9d5dddfc861cc4d45299759c3bc4d28
SHA1 265104cc490c6928ec1926fa34f9214d9395d46f
SHA256 321d1163fad8646d2dc9c9a2e168e66ca5727edf489a339dc156304e2455df7d
SHA512 c8df5d807da6c4d44ecaa9bc8df3e50fb296eab8a8fbf2445af7dbdf1644fe6ece02c7b753fd8caf8d7d93f09b89a8b16d46409773f040eaa177be7c1d9c765e

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging

MD5 27418f9aeb0fae483bcf13272efe6310
SHA1 9a28ce8233f1be05276f787e06f872f7dd49f8ed
SHA256 e3c2af35d1dfc500e16f826a071cc311bf55003a3de77de7ea3376c6b6fa2857
SHA512 35386ad7cb2b39b8d9dc94599e08bd68cc60e3a192090b511f1a2c99b3824b7f74949ed57494ea0e4ba32d25b2c6bdc30117687a5352ec96ca41b1a927ffa7f4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 5b0b305ddaba0b9a7bddd50683705c5e
SHA1 c8cf5ead9706dad6fa61ffa23144b16693922c47
SHA256 349b0dfe077ce9bc911903c2f6c097c3ecf89c8b3abfc1c7d74dbf95d46ee2f0
SHA512 c278faa4138a5322a71c299572c99ff1746603b7ed9264dd490253f0ee7e64c91430514863986bf2fdb54ab7c38f019edccd29f43bd6211c721ee33d5c1ca916

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe

MD5 a3e7fd9a9af9647807df5e025c50657c
SHA1 089c2a5f8aa25504279adad5b4d6f282a9bec437
SHA256 05d47c5ecd269f601034820ca5be4e6ed4771f7a999d99f7a1e3483fe125c936
SHA512 81e6706a3d6be91c336138da6624ad9b3295637cc8fff2ae7fe4cc6ec83a29f392a69e6a4f976eda57fa85b28c3250938e0c5a7fc78a778c28074f0377a4aed5

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe

MD5 17f8d7fbe297c5551397eb42c0233765
SHA1 6475fd23f6126e8ce9da8b915b5e54e6b490af92
SHA256 eb158a5050135eba21cfb374f28afd0a64f2a41d416bf4e394d40d7ba1fad01e
SHA512 ce9e82aa42d0015b70a79d5cf3e7e1b0eefb2356c5b38b875be141a43bde7cfa1f9e7c157c403a7f63ec98e4aee43af7ad0e4b613ab8e8a4502990e3662f6430

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe

MD5 b1e375233d883ab8f2428b2ecde1f139
SHA1 c33c5e2b494d53ef953a11964692dbd95bc61377
SHA256 d0164293f3185213deab4f938fa2644ce61fa39462d11de98bd50ac14993a994
SHA512 831864475b4ffd5c01528bf353cfd4d4888c03a96105f726445ae854a9f0c605e634d409a9a8fb68fe96013ec5055c67642e9a609c9b8794aa1149bd0ba25cb3

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateBroker.exe

MD5 fafd66c030c9029b9d71180442f2258a
SHA1 4344ad335a61b7cabf03cc6985287ab633123bbd
SHA256 f362b88e78241b9a79824e4138530ed0a565be50b9ca4521b254b241a0b6a465
SHA512 e978595283a6621f572d34c7f6335c3093fc139a9ab0d8bfbc888282010a6d1133449773154a87908e2fc69ab6a6f8e4d69b47a431ceb78ad460ff6cc9533390

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe

MD5 71c71645f10df80ba4f905e0652a63b9
SHA1 c7bec92a409150cc6ff6715d6116a41364da2d77
SHA256 f71a626255495657658428382b62009cc85881595e02c2698aa0b69ee6079f9a
SHA512 e7f89190a9e297880801e0e4a1e8c3cfec23808c7c8864a49f50deaeceac1aeae1af3fd121b57f6cf6fdc6dd95436fd52fc74caea4498b05b373991dab8da193

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe

MD5 143610cb672d113f768b0a0f516b83c9
SHA1 b7f957ea20cd298a8fe365ebbe448191e215820c
SHA256 8522050f6ac7cde98e9e6812a15f156dd61aa1b49e2e38684bd37439b8da5d24
SHA512 df37eccf8e72f9f4fa9ec4ae0a895d7317cca559ceac82d170e96bf89923f92894986aeb750952d69e1d3f103e7673d92d97a6b551a05a8a24eea41b58425ccd

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe

MD5 00f040175f172f86bc3b7d8d6e6f5185
SHA1 7f0eb44eb78f01382df2e662fe6c9126e6f0986c
SHA256 50f89234bb59249be5f89308c91e586d6702bfbb3791ec482f9f24d155641aa5
SHA512 9246bb8603a205fd6bd9c60db23ec957c83990f28979663a6314fd8670a0368b7c4316611cee4856e10827fa28d06ba3bd5ca5acf4ecd20b45a2f7b2b7097e9e

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe

MD5 d21b0983c8fa9ff1055b353c0506a1ab
SHA1 970eff6225eb063a84043d2e24de17509f202bd8
SHA256 b005a31d00ae05b35d13fc75dde411636dbec39063c327f4273c586285d647fb
SHA512 1f35421341bd9d21c3cab377fc6538cb63e0a406779ea0c7d7805bf37a119bdff7e882fa6455a2cc20c903fec72189f5c17a77c14daaf4b383a79d7c54f5e35a

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe

MD5 c5c4ce70ed0f3e25c7b4c7979fd480c5
SHA1 2a3154b51ff2d4d380b6c7556537da0399ac8063
SHA256 e964b449f06ce942fb84186b7ab20f0dd77471f75821fd7949009fd91c3d5168
SHA512 7761eeff6708c49619eb9a5e14c7516ca16107939f7a3f2873091dc5629799ea4603324cae5869a6de5912858676340e429b8bbdf1382baac9761d748723ee97

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 4c0a44979bb984470f56bb3cde4dc1ea
SHA1 b4e80e639b7871deac7f81b6ccec35e73158c379
SHA256 8969cbd521a9cabfb5afee05b4993efbf6ed3912f574073a7064c46defd767d9
SHA512 118f606812069d45fe05d6cf8fc90274fcc1fbe221ec6b259984c1c6c2e93960d972bece55ed09f02189ec9c308f8c97f12b940e4d4ae1ea4614237a7ac978f2

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

MD5 ae91d609f41c01512a760d2a48c537e3
SHA1 3b43d719bdf38e8ba493897937d99d7b0582128c
SHA256 ec9fade9478b126a77105e32fadf47b8d1cc6943e97393fb7900f1f142ff2d74
SHA512 9247884f97caa9cc84bf46f18a97d56d85f26f14ecdf695ca57225ec9d925c84b8c48ac087f96cbd0664c36a6d54378b6d6e601f09b14326b34633f9634fa1d9

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1

MD5 5f3c20c13de3ac54a574e3dfec50a560
SHA1 ff983979d46433ed43e738f5c34c5340083cca11
SHA256 a6f6e59f677587238a2b472d2f214b1c95d61d86a7973cdd89a61e2c05ca7594
SHA512 4caa9867ce2b6bb9abe419a9306d1e417a2da05d5af5624bd92f433872338f39d5b88cbb4d94efc34ff29ced991cb38ac531ff6b6bcd9f899bc7061c906f228a

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.schema.mfl

MD5 125863dbbbb069fd535aaf5f8b17bfbe
SHA1 ba601b96a414c6e3dddc42e6a0608ecf099e6310
SHA256 424c38504d88d0f7b3691471d18b1a21141b9e31b1cee5dad278963613252480
SHA512 18e068cfb976f972322e12fe755aa37a3f44fe79e2da094042f22f1a3b0a6328033e05a625f4faa2a373c654751ed1094f9c04d9411e86888448e367ded915d6

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1

MD5 9cb17fa9b59645c7f574893b4565d2ab
SHA1 274e027aa39e24845fd11fcbf265523de44e69e9
SHA256 e2e70c766bc6c37a41a221b53a0e62ef616c8fbcf7a244c4863f6a74c06b8e64
SHA512 d28e543a9355274fecea9be5b1120fefea5e4652835e477cc9886527c0a67556582368618ef1ad98fc95a406541cb7541dc30451033a77b8c0f2011874b1a774

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.schema.mfl

MD5 1fb20e4a02ba1ad84aca9d99fb1921cc
SHA1 169ea6ad71a5c4f4d8312668259ffb793e6cac0d
SHA256 1c55f2acd075736d1fccd0e7bca9292072d933e2811b8e042c172e9e7f112f39
SHA512 3516ca18f6f5b64fdb2de80c950d114b2c5d979c24764cad4328411eca14c47c4758816bce45c3a691adaef50fdeeef64ca51a7ce603aa5ac11bd308a9166621

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 74b21006a8cf4e783c8a8193290d97e8
SHA1 16523f9ec69dcb25ffaf20b404310513a61eb0a2
SHA256 ac075d5a359d8cff0aacef8220b69c540180c38606a614e101d9ebac18c66a4f
SHA512 355bd26c1f01d18493a8c1460250b2c90dc5317e8b01b2b4e7413292329fd995c50cc4dfff44552113377d039aeb9f6dd4d8ea27c303ed973ec6c420c4b84a33

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5DE348A7-D1AB-4F5E-935D-8A3992E6EB3E\en-us.16\s641033.hash

MD5 f536fbf78e26387affb82ee89943b870
SHA1 3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7
SHA256 34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15
SHA512 d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

MD5 bf62a1a05269db144a8bab3de2283faf
SHA1 efa6c881a8a7f350fc0f400b8a19845a570fa2e6
SHA256 1817c3596fbcea63395561d3f6c84c3d638491ad9c6ce026a06286cc6bc42d79
SHA512 c19d315f581b4bae4f98ec6ad42cb4f81084b13f4d98be7b47b7a3dcc59b7fd694a40d05e96631a772d04df1ad775354e3693b65614519ff213971a9ffe408da

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

MD5 709c6a80af0276b170c521117ede47c6
SHA1 8e6d9001ca20e76482e1ab88d54d47c65c8c7836
SHA256 d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b
SHA512 bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml

MD5 234c58fcbf2775edbfda910d2e0cb945
SHA1 16314a6f5604aab01e76d5e7f7794b40c23a4785
SHA256 68193f3f98611b2aa42be4d2995b0b9a2465277c7520231324a08460639a41a5
SHA512 fddd87a902c108de1d986dc6e4fa7347e3908076d1ec3f64b19602d3a2318ad5ee0a1d46599ba860dec61843c2954d3cc9e91aac9718a82d1043e32b3dfb6bdd

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml

MD5 af98b62b3f9d6e70c082f05969c0d2b3
SHA1 2a78fe6ace36668a1505ce949dd5415cf172590b
SHA256 77544451f210250b90637e7ecfebfc0ce00398ef964a2d46f1b92adf4d6f97a2
SHA512 6a8d54bbaa9d6f04de832a60fed8f471eaf38bce9f95942d2fa84dba035739b65cc4fbe58904a7d2220af89d735b96be1bb6aa43aedecb83afba6c4d3be20850

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\bb341db7-da00-fd08-ef70-5250799a6eb1.xml

MD5 703493f4417c30ed1e1856d3628945a4
SHA1 c8da0fdf2d0580a739f0d11a4322131581b67f77
SHA256 7c23b4ec3b42f260dfffadaf7d59a0efcc8f6547149b45907b1fc5242a4e6c2e
SHA512 2876029ed71708e31bce2871dc62820c6684a16be26802560341a07dac9394095d7b672ccdfb65bcae8177539c4f20cf4e8b8b8e892fd117f21cebd3632275a4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

MD5 8b550761ab80413c9c09f7fb472dbfaf
SHA1 67122822562203c17dd3f762194e470f90ddfa97
SHA256 f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b
SHA512 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 a781800433def8446b0b631e3b7db830
SHA1 1ce441e9a4a9da03c5eed0a979b68f7c6961cac6
SHA256 e49020dbff46224343726fa09eed56fd05a11beeb0ccccc53c40a8a5d3d57959
SHA512 168ca24668d05613aa129a81a9b38b902bbf76aed988facf67df25c15392d002832ab19fb19a3e6e0804490886dfd57f0c5c7acc233d75b056aba737ac4e6026

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 ba49197d84e5d25c79991e47feb9b94a
SHA1 5803101592d127b2d011bdc42148648c70a8b629
SHA256 aac45a850c05974a5f716019c498f28276fd6a37b2b8dfa7dd03567ee65cd531
SHA512 6a635634bc65474db7dbde74cf32fb9126fd1e00d09499266370f606e23275c692d7e40c8a8c3707418f5a2745c09b61b104e9f6fb7b6658a70c8b8a52ea91ab

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

MD5 8776c367699ad807af292f1f5d085d4c
SHA1 9209e352bf9d3999f94881a75d6f7d39bc6d7f77
SHA256 18b602cdbb7656129a359046fc68faf1b990da88c6c3b3e6b20c1df399cc0645
SHA512 83a17d98d175a122fe98cf89c476826769d8fae0d74dc93c8fe48d12089e26bfd501a586db3783a03e1bfe07864ebec2a6b5a48415554c61cd565131ed40a9e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT

MD5 4ae71336e44bf9bf79d2752e234818a5
SHA1 e129f27c5103bc5cc44bcdf0a15e160d445066ff
SHA256 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
SHA512 0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\dasherSettingSchema.json

MD5 310614b10980392ebdb5a5a8b90b527c
SHA1 8c8fb36e7c2a1574cde7fdea30e8e5f14fad7691
SHA256 445c811c35e2fbd4aa59389ec805492c7b2db50d65f5d161417ce8302b103fbe
SHA512 416650adf9a61cbbb6eff7af635264e5bdde903477465cce05b63773927b8afb35e75fb68497882bce7778f524b9c7f3f2befcfe3840e99bff90ccd305bac66e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\_locales\hr\messages.json

MD5 798b4a7c5a9f20d24f36ba8daf7b8f70
SHA1 0f007b82783ddea5da7374c96925b77a7fe9f57f
SHA256 e5cbc8e3a6e843009fc9a9de7a83df9d05532e08d48da06c66f907f58d0c745e
SHA512 e3faa4376d03dad6cd714dee6349733abe29d0c2118456f80bcc4c758015b12a06b4ec6532a6e98d512f5c6dec7a7ade5c1d2a418db0f739ed17f18c0cd6b54b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001

MD5 f5cfd73023c1eedb6b9569736073f1dd
SHA1 669b1c85ecbafe23c999100f55a23e06bf59ead7
SHA256 9e1736c43d19118e6ce4302118af337109491ecc52757dfb949bad6a7940b0c2
SHA512 5d8c1aa556fc17d6dc28d618f521aee37fc0e1826fdbcf8d106e456fc3bcd3c76e712d23fef3378bd2be17b80eb5bfd884ccd89b67490b63c7bd118eaac471d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 fc91658bb81ea407fd37a59d65f0d86e
SHA1 6cb269ab1a592dfd2039dc8c50c00b86af94d3e6
SHA256 4bafbcbc4cbbda94d0a315a09176de0ce6872cf1d85113539a7b04ff2360efa1
SHA512 c5b8832097ab5e74a0c31cc243c98c6a2b9734da4eb6e25cfc28070529ff4b6d77de1e97388f188f00148cd8db32f3ea62dc86aa841d47e25da8d8dd2267061e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b203621a65475445e6fcdca717c667b5
SHA1 c17fd92682ca5b304ac71074b558dda9e8eb4d66
SHA256 17b0761f87b081d5cf10757ccc89f12be355c70e2e29df288b65b30710dcbcd1
SHA512 ed68f5f49945dcd0d81dfebe2f2fd1fcfe016807d5c64ee0377d046efeb0a7fd9b4b9589b3df8a14194d51dcffbd89c8aaa072cea2ad4e7976bdf53528ea90cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 2dcea950234175e3edf672936843ab5f
SHA1 4ca6dfb9ed642bbfc0002cd47abaa2dc895ce0d4
SHA256 74ca16b1138459ef2afb19324097332626ee7c897687c5adc5488f93bf0c11ff
SHA512 483866f3ee1d730f1052b0ce34832e0e42145296df490a68901b95e616f2dfdc39fb13e2ed80bd259c43475830f6a74257a5fc8d163e7f1dd17d39556501dfa4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 9ee38aeba19f4d46fcd9eda4661325d2
SHA1 d458ade2d50d219b089b0985ef765a80843602ad
SHA256 d99258f5d81067df4e95825381104fe6c90d04d01bdd2915954dd06f75d07c10
SHA512 f352805d5ebb6b3351dee65dd1f66ae5493ea36dc342c31d8e714fd11095739f755a50d865b9bcfc40c60616c9bcee4cbbcabb6c18566fdb73e778cd41112738

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin

MD5 1595ed4372d33dbecabbfd411c6c8f46
SHA1 8b8ba962b765110f762f873edbc3193adef48b33
SHA256 8f6abb9e202dd8027ac9abbd475a24e62659a0b2683613f219c21d1238816ed7
SHA512 e0017291c0d0685ede7a6492c2683a90b37482d21037840ab3e2cef4ed381bbffa8c31ef3c8d06db0a800eff69ba4505012886f88a911997657b3f26284142f1

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin

MD5 97d6d52a254a9cbd2bad939ce1926af8
SHA1 15a64b0f07658da802cb0bdd43c9c6f2df2f0af9
SHA256 bbfa41253ad301a1cd9c7f6321bff365068178f26cd84e8afb127fb4001bc4be
SHA512 98e76665962acd459228cb9635d95bb37c6e538eca7ae50107c665c93be334b907178f87749b3a4f33db34152b9d9035163fe2429306eb3ac45ee539e242c3da

C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

MD5 897208d5df122e307ab837d982b2c085
SHA1 cf4ca14a7adcbc197cd84c1997efdd076911d608
SHA256 eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4
SHA512 b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9O7X9C7J\Windows[5].json

MD5 01b53ab60d1307f1db2f793377d3af08
SHA1 aead0b1b398828d1bb81e91a52f28e504d717e1c
SHA256 b5afda9531d50eca02d7e10dd6a5e5a9346ef452f1aea17049b4acf84be62641
SHA512 ee7663533aae47cae26d9605f045b9165ed9ba387789a09db6e4bd0d76ca08aaee685d5299a8ec40ee086123f4e3ab766a793d9199c639d18d56d87c37cc8f6d

C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk

MD5 61d2c715839bcfa06ce4d23dd84e7457
SHA1 cdb61e6100ac4882ba4863875f63e38b8b804ddc
SHA256 1f9ec15f6ff239e14a3a243a98f19ae7db16d425a63b2da0908cc0ffcb1258e7
SHA512 cb6577068e0b746a0ff0148238fd5be9e02e4ff6218fc21d78194a06ebd3f54aa12a1a9b80a4cc9a9f66f72f49eb875eb367b344f674807af11373770f75d952

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\safebrowsing\ads-track-digest256.sbstore

MD5 017813103ef615c6e4e41c106f0d8540
SHA1 a7bb21ac882f35d671d5f0597f8962f9e04e371c
SHA256 f18f13c653940384b01c154887477150b1c0669d5620d263f72bfcfa57daee09
SHA512 0a615cbbde1ce71e1e3623454e2dc355f5ff2e2480520ec0598de70a9cdbb287959bf7958435ed05457957e3ae09d2db2884ffd743806191b773d91a5c882fda

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png

MD5 535ee7f4b7959a29e1d1be5a67e00334
SHA1 c8b3bcb1c1fbf79c59a847510d884da10dc62f19
SHA256 46dcb7a9e7bde1f57e5ed2eef9257d2d0ad622c1b3da32700f6d9e2ec4a0e287
SHA512 b0f9d39cb8200c35c564053454dc9fc67e68140861255f77dbe63679375ff3f892426109e95633fcf6e285b9547d890d1281d8ae4ef97cfb78433608961934b4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 a50b718c3518b630251fb54b92bde360
SHA1 a9582222b6f4df2b4e3e4ee5fe91d25ff086b943
SHA256 9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015
SHA512 95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 80be6efdf5a776659777bf07d4aff891
SHA1 1f98e7ba8de8c6b39f4b202739ca71fa2629fd6d
SHA256 9ebc694d4895efc802ea27714a71986f293edf4b63e9918c27d65871b06f43a9
SHA512 03a5434f25209a74a0abc6045c66a45e098d487227cab71004363c8c823840b49596857e8f757f42b8953f9bc2066209b1e8f52104d1837705828cb2676119cc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3226942a-8f4b-435d-9637-f4eb0e06cd6b}\0.2.filtertrie.intermediate.txt

MD5 ca9c491ac66b2c62500882e93f3719a8
SHA1 a10909c2cdcaf5adb7e6b092a4faba558b62bd96
SHA256 8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4
SHA512 65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

MD5 4f00b32a70c5d829f8199614fe56af64
SHA1 ff2afa238f88ce8cdb4430fe578c58823cd6d752
SHA256 e3833793f7412667cdbe15693f5dc4994934d1a6695392f8bebb74f985658256
SHA512 6ca12db615454c1b842040e5047ab24906d372b15b547653553d39ebd18cf4f90a360c5032e415d00ba313cb27def27aa8eb7e94ae3d86fefcd856b693f0c6aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 8c1d71b2bf2d4d1eea6a825412dd4544
SHA1 7160c20079f39f98532f42db23209435edeaacd7
SHA256 0441772f66559a1c71f4559dc4405438fc9b8383ce1229139257a7fe6d7b8de9
SHA512 5d70cd72a6f162cb39167337001b791347abc07b9edc095516489de9e9427cb824bc79596362b41f78e73144d3e224dad14f3dbf48cdd0fa08f4b5073ab702ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_5C1009244D39FCE23AF8F277537F2613

MD5 a75d7d422fd00bf31208b013e74d8394
SHA1 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA256 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512 af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\storage\permanent\chrome\.metadata-v2

MD5 c183857770364b05c2011bdebb914ed3
SHA1 040e5ac904de86328cca053a15596e118fc5da24
SHA256 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca
SHA512 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini

MD5 6e36ba0fe61f7c6334305d61299c04cf
SHA1 646aaf623a9b65f3054571ba8680342cf02b6225
SHA256 367467f43d580c3c07040a78c7890ae4262dad4778878f9a49d5f652c81689a5
SHA512 ee5d694d66bb3ee0d55129c96c83116e7af28b6838854d110cafe9dcb530fc05ef8b97469d7fe0c864481298fba5008c97eb2b503e90b58b1e33f8856cb132d2

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 7a4228aa2003a72a296e741bfa8246f7
SHA1 e94ca8cb43d671cdc3ed759980bfbaf73cf4c6f8
SHA256 462fa5c6568794276673c9159500918afddf8f170e580fd1f3d483c48934b050
SHA512 ed66dc35762f661f760eaf0feb82e22c823f11e552c9f938748a8b158ecf0828f40d48afc4d5cc07122f41a13e7b322950b9f156808b125bc7a1ae19e066d304

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk

MD5 45de417378735f7d0d1d3c3148dc6d00
SHA1 3295b1605ccb0910148b618c52b4d0c17fbf0a9f
SHA256 43782c4d9b63da7cfe64f6a9a06a6cf8007d2a793b8a5f94c9b962bb5cb25b0d
SHA512 23ee803d8a1619d5d5a3dcbdea08175b3a6dca7a29a9d37f37342bad73ad4ee383b68ebd237099cab565699150f90cfd9014aa35e2fa09a6cabc0fa6fcae9c04

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

MD5 35705a33e80294bdc078f5582784f4fa
SHA1 3b8d2bc3650098d604e3363fdc41e9bfc2f4609e
SHA256 d0e438519a8e2075e13430b66debeb7204e5e8ab41fb24eaab20db0bdb66d835
SHA512 e560c350940f15a8d5c5187ed833190cdef9e4862e8f06dde9b0204ad1a0decb9adaadd27c4b7015ea5e7fabe7d7a63538ba72def9997e56300cc8ddc4249061

C:\Users\Public\Libraries\RecordedTV.library-ms

MD5 a9d5728f9b0e997753288b3a140c5335
SHA1 a44e9168f2e351f3ad4ee2f7c0e0037d64f65066
SHA256 84ba348aafb41879cfa434256c8657baff00a9bf41d5ebe041b0ef87e7419f28
SHA512 13380300950d351ffb3256e3b65f6dcfda8c52dcedf6627e10ef231925e45b178d173e7a24406bdef42949f9919326e7abf8a9101e2fee0127c578a46a1df294

C:\info.hta

MD5 5bf11052b71f316c7abf098b929c8f2d
SHA1 e55e3ada67a38ec7ec170e61f126a2537e781b15
SHA256 05e1e4bc0abc40f3a740d9f726d484f164ba0e369760110a1f2c269622b221fe
SHA512 938d4c13f13c0fdc70b04a72c1d455c3a1b6dd80eba0a1c02693331c907e43fab5456d8d426e35dbbee632b86991483212e2006d5bc9d21ab98470d795632148