Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
11/07/2023, 18:58
Static task
static1
Behavioral task
behavioral1
Sample
busavelock96.bin.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
busavelock96.bin.exe
Resource
win10v2004-20230703-en
General
-
Target
busavelock96.bin.exe
-
Size
332KB
-
MD5
881eb9957ba912beb13685dc507e7724
-
SHA1
b4aad9a1adbe5ec389c15502d57440d0a29bfdb1
-
SHA256
aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46
-
SHA512
9ca26fcb63a3d6bad459c0d386638b4f1c5d07ab1ebeeb6b958adaae77fe9f277ceafd5a050bef1bb34b6b5aebc0c2a314334ecd4b610bcad296e2d4ceb79680
-
SSDEEP
6144:PbDN9i3aojIaWQoFeyDw/VG4g189vjHBqVYGpLRztkT:d9zOWQoFLDw/VNuoytkT
Malware Config
Extracted
C:\odt\How_to_back_files.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4732 created 3252 4732 busavelock96.bin.exe 55 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 492 bcdedit.exe 4172 bcdedit.exe -
Renames multiple (7588) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 5004 wbadmin.exe -
pid Process 4228 wbadmin.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\A:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini busavelock96.bin.exe -
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: cipher.exe File opened (read-only) \??\I: busavelock96.bin.exe File opened (read-only) \??\K: busavelock96.bin.exe File opened (read-only) \??\U: busavelock96.bin.exe File opened (read-only) \??\W: busavelock96.bin.exe File opened (read-only) \??\H: busavelock96.bin.exe File opened (read-only) \??\N: busavelock96.bin.exe File opened (read-only) \??\Q: busavelock96.bin.exe File opened (read-only) \??\R: busavelock96.bin.exe File opened (read-only) \??\A: busavelock96.bin.exe File opened (read-only) \??\B: busavelock96.bin.exe File opened (read-only) \??\E: busavelock96.bin.exe File opened (read-only) \??\G: busavelock96.bin.exe File opened (read-only) \??\X: busavelock96.bin.exe File opened (read-only) \??\Y: busavelock96.bin.exe File opened (read-only) \??\Z: busavelock96.bin.exe File opened (read-only) \??\L: busavelock96.bin.exe File opened (read-only) \??\P: busavelock96.bin.exe File opened (read-only) \??\S: busavelock96.bin.exe File opened (read-only) \??\V: busavelock96.bin.exe File opened (read-only) \??\F: busavelock96.bin.exe File opened (read-only) \??\F: cipher.exe File opened (read-only) \??\J: busavelock96.bin.exe File opened (read-only) \??\M: busavelock96.bin.exe File opened (read-only) \??\O: busavelock96.bin.exe File opened (read-only) \??\T: busavelock96.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms busavelock96.bin.exe File created C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VariableFrameRateVideoPlayer.xbf busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-125.png busavelock96.bin.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-nodes.xml busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-250.png busavelock96.bin.exe File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mr.pak.DATA busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weather_2_travel.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-32_altform-unplated.png busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js busavelock96.bin.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\BroMDL2.2.33.ttf busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms busavelock96.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac busavelock96.bin.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-black.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-100.png busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js busavelock96.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_contrast-white.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\How_to_back_files.html busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ar-ae\How_to_back_files.html busavelock96.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100_contrast-black.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-64_altform-unplated.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ms-logo-no-text.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js busavelock96.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ui-strings.js busavelock96.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif busavelock96.bin.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\How_to_back_files.html busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64.png busavelock96.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\Fonts\StorMDL2c.ttf busavelock96.bin.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2892 3252 WerFault.exe 55 -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3816 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 3352 taskkill.exe 4692 taskkill.exe 892 taskkill.exe 3920 taskkill.exe 4348 taskkill.exe 3424 taskkill.exe 4644 taskkill.exe 652 taskkill.exe 2096 taskkill.exe 3292 taskkill.exe 4188 taskkill.exe 2920 taskkill.exe 224 taskkill.exe 3036 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe 4732 busavelock96.bin.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 3352 taskkill.exe Token: SeDebugPrivilege 4188 taskkill.exe Token: SeDebugPrivilege 4644 taskkill.exe Token: SeDebugPrivilege 2920 taskkill.exe Token: SeDebugPrivilege 224 taskkill.exe Token: SeDebugPrivilege 892 taskkill.exe Token: SeDebugPrivilege 652 taskkill.exe Token: SeDebugPrivilege 3424 taskkill.exe Token: SeDebugPrivilege 3920 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeDebugPrivilege 2096 taskkill.exe Token: SeIncreaseQuotaPrivilege 3720 WMIC.exe Token: SeSecurityPrivilege 3720 WMIC.exe Token: SeTakeOwnershipPrivilege 3720 WMIC.exe Token: SeLoadDriverPrivilege 3720 WMIC.exe Token: SeSystemProfilePrivilege 3720 WMIC.exe Token: SeSystemtimePrivilege 3720 WMIC.exe Token: SeProfSingleProcessPrivilege 3720 WMIC.exe Token: SeIncBasePriorityPrivilege 3720 WMIC.exe Token: SeCreatePagefilePrivilege 3720 WMIC.exe Token: SeBackupPrivilege 3720 WMIC.exe Token: SeRestorePrivilege 3720 WMIC.exe Token: SeShutdownPrivilege 3720 WMIC.exe Token: SeDebugPrivilege 3720 WMIC.exe Token: SeSystemEnvironmentPrivilege 3720 WMIC.exe Token: SeRemoteShutdownPrivilege 3720 WMIC.exe Token: SeUndockPrivilege 3720 WMIC.exe Token: SeManageVolumePrivilege 3720 WMIC.exe Token: 33 3720 WMIC.exe Token: 34 3720 WMIC.exe Token: 35 3720 WMIC.exe Token: 36 3720 WMIC.exe Token: SeBackupPrivilege 3844 vssvc.exe Token: SeRestorePrivilege 3844 vssvc.exe Token: SeAuditPrivilege 3844 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4732 wrote to memory of 4856 4732 busavelock96.bin.exe 87 PID 4732 wrote to memory of 4856 4732 busavelock96.bin.exe 87 PID 4732 wrote to memory of 4856 4732 busavelock96.bin.exe 87 PID 4856 wrote to memory of 4164 4856 cmd.exe 89 PID 4856 wrote to memory of 4164 4856 cmd.exe 89 PID 4732 wrote to memory of 2736 4732 busavelock96.bin.exe 90 PID 4732 wrote to memory of 2736 4732 busavelock96.bin.exe 90 PID 4732 wrote to memory of 2736 4732 busavelock96.bin.exe 90 PID 2736 wrote to memory of 3672 2736 cmd.exe 92 PID 2736 wrote to memory of 3672 2736 cmd.exe 92 PID 3672 wrote to memory of 3352 3672 cmd.exe 93 PID 3672 wrote to memory of 3352 3672 cmd.exe 93 PID 4732 wrote to memory of 4972 4732 busavelock96.bin.exe 95 PID 4732 wrote to memory of 4972 4732 busavelock96.bin.exe 95 PID 4732 wrote to memory of 4972 4732 busavelock96.bin.exe 95 PID 4972 wrote to memory of 1880 4972 cmd.exe 97 PID 4972 wrote to memory of 1880 4972 cmd.exe 97 PID 1880 wrote to memory of 4692 1880 cmd.exe 98 PID 1880 wrote to memory of 4692 1880 cmd.exe 98 PID 4732 wrote to memory of 2364 4732 busavelock96.bin.exe 99 PID 4732 wrote to memory of 2364 4732 busavelock96.bin.exe 99 PID 4732 wrote to memory of 2364 4732 busavelock96.bin.exe 99 PID 2364 wrote to memory of 3248 2364 cmd.exe 101 PID 2364 wrote to memory of 3248 2364 cmd.exe 101 PID 3248 wrote to memory of 4188 3248 cmd.exe 102 PID 3248 wrote to memory of 4188 3248 cmd.exe 102 PID 4732 wrote to memory of 4620 4732 busavelock96.bin.exe 103 PID 4732 wrote to memory of 4620 4732 busavelock96.bin.exe 103 PID 4732 wrote to memory of 4620 4732 busavelock96.bin.exe 103 PID 4620 wrote to memory of 552 4620 cmd.exe 105 PID 4620 wrote to memory of 552 4620 cmd.exe 105 PID 552 wrote to memory of 4644 552 cmd.exe 106 PID 552 wrote to memory of 4644 552 cmd.exe 106 PID 4732 wrote to memory of 1960 4732 busavelock96.bin.exe 107 PID 4732 wrote to memory of 1960 4732 busavelock96.bin.exe 107 PID 4732 wrote to memory of 1960 4732 busavelock96.bin.exe 107 PID 1960 wrote to memory of 4316 1960 cmd.exe 109 PID 1960 wrote to memory of 4316 1960 cmd.exe 109 PID 4316 wrote to memory of 2920 4316 cmd.exe 110 PID 4316 wrote to memory of 2920 4316 cmd.exe 110 PID 4732 wrote to memory of 4976 4732 busavelock96.bin.exe 111 PID 4732 wrote to memory of 4976 4732 busavelock96.bin.exe 111 PID 4732 wrote to memory of 4976 4732 busavelock96.bin.exe 111 PID 4976 wrote to memory of 4592 4976 cmd.exe 113 PID 4976 wrote to memory of 4592 4976 cmd.exe 113 PID 4592 wrote to memory of 224 4592 cmd.exe 115 PID 4592 wrote to memory of 224 4592 cmd.exe 115 PID 4732 wrote to memory of 2892 4732 busavelock96.bin.exe 117 PID 4732 wrote to memory of 2892 4732 busavelock96.bin.exe 117 PID 4732 wrote to memory of 2892 4732 busavelock96.bin.exe 117 PID 2892 wrote to memory of 880 2892 cmd.exe 119 PID 2892 wrote to memory of 880 2892 cmd.exe 119 PID 880 wrote to memory of 892 880 cmd.exe 120 PID 880 wrote to memory of 892 880 cmd.exe 120 PID 4732 wrote to memory of 4584 4732 busavelock96.bin.exe 121 PID 4732 wrote to memory of 4584 4732 busavelock96.bin.exe 121 PID 4732 wrote to memory of 4584 4732 busavelock96.bin.exe 121 PID 4584 wrote to memory of 1560 4584 cmd.exe 123 PID 4584 wrote to memory of 1560 4584 cmd.exe 123 PID 1560 wrote to memory of 652 1560 cmd.exe 124 PID 1560 wrote to memory of 652 1560 cmd.exe 124 PID 4732 wrote to memory of 4512 4732 busavelock96.bin.exe 126 PID 4732 wrote to memory of 4512 4732 busavelock96.bin.exe 126 PID 4732 wrote to memory of 4512 4732 busavelock96.bin.exe 126 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System busavelock96.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" busavelock96.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System busavelock96.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" busavelock96.bin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\busavelock96.bin.exe"C:\Users\Admin\AppData\Local\Temp\busavelock96.bin.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4732 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"3⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill "SQL"4⤵PID:4164
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe5⤵
- Kills process with taskkill
PID:4692
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe4⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵PID:4512
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE4⤵PID:1780
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵PID:4488
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe4⤵PID:4664
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3920
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵PID:2492
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe4⤵PID:4288
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵PID:4704
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe4⤵PID:3908
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:1608
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵PID:4232
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:1124
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:2832
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:3292
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:2756
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:4896
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:2068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:3996
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:4244
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:3536
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:4084
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:984
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:1056
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵PID:4524
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵PID:560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵PID:1128
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:3212
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:3260
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵PID:4796
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS6⤵PID:2692
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:3052
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:1572
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:4336
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵PID:2196
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:4592
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:4680
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:2468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:1204
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:4192
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:3196
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:4868
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:1644
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:652
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:1848
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:1968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:4600
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:2036
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:4440
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:3816
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:4260
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:2656
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
PID:4228
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:4804
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:4072
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
PID:5004
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:4844
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:4924
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:5048
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:3344
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵
- Drops file in Windows directory
PID:4960
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:1140
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:3584
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:4172
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:4664
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:2872
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:492
-
-
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\F:3⤵
- Enumerates connected drives
PID:3504
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\C:3⤵PID:4044
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\A:3⤵
- Enumerates connected drives
PID:2036
-
-
-
C:\Users\Admin\AppData\Local\Temp\busavelock96.bin.exe\\?\C:\Users\Admin\AppData\Local\Temp\busavelock96.bin.exe -network2⤵
- System policy modification
PID:3292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2008
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3252 -s 85642⤵
- Program crash
PID:2892
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 368 -p 3252 -ip 32521⤵PID:1980
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5eb6eeb8163ac76b141b4a2026ff8a18a
SHA13a57c1491860cf660bb36013a4befa2c577ed15b
SHA25655ee5f4bf42403513d7f928bf4c70ccf590c553a0e43b7d269e406fa85e4b6df
SHA512a9210dca9f731451c3413922adb63bca0f473c95e49eb084e4767cbba5d5af91370917e160f9210c9b5828419bb43967ec8d03071b19b87b8d5413a5ca482d5d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
Filesize52KB
MD519802d1fad84f670ee76d02b4806b58f
SHA1d7dfc75bef1b5e2f2ee670ce3095cc0031d7e035
SHA256f5380719f0d81722ba1231c60e4791047b8d519ed6767935ff847b068c7684cf
SHA512b35dda4ee8d5ad90f945a1a2ce3f35d4fbfa597e6ea7d1a76b436ad102f45777c8de11e103b1fed76f1cfdcbe389f5250bbdc8721b83749078d796d7053716fa
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png
Filesize3KB
MD5ae50278a64bd559a64c0325e751a42a0
SHA147e7d9a4d04aace660fe5df1c083977904f10da9
SHA256427adc79f6122d03ca5d387eba1e1218e75010ce77aa8cc3f035e0409c4e3c41
SHA5122bac0928cadace39568a14646d228270a16f0f0cc683592df7c831a39a427d3743f2d0bbd312e02defabeaf540911d5140fc1c40e1f02f2413ee2b19ad5cd5de
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png
Filesize5KB
MD5d330bde2d743197ff35012ee92f4e16a
SHA1d726bf11acd94c05b71939f9fa31285541472e0b
SHA256bf466dd10d708be2c04eafd4824e7cf1735c3173dfaf6ed1eb158c5f7447874f
SHA5124cee45e0e946a26f4a644b1e2ffe014f54dc96d7c0d7b12148de1579f681b19a62a3fb51893f2bf9b34009526344c117bb3e6a0397f320e82dbb7e4697aa4bf7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg
Filesize2KB
MD5c09a004178f0661320e2e3ac43026737
SHA14883588cbda7986a382f5dda23dc6f549919f7ab
SHA256c08dd9c39f48fcecb47daf79028364e36e5b484ca6a4321ab0e8081a7364ca53
SHA512741c49fdf9f47b8fd43679465ab60952018b469a9d02a82438a22369208743e341cd1904adae74f346d075597f020dfbd87b53dcb6ba8047b3a3a62dd7655afb
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js
Filesize5KB
MD5c5e674a10ea926c8e5196f3520d88978
SHA1597db72c400155c421f83800ad0b82d71d16f52d
SHA25666765e59ef4ba5558d44bd389ff472bbe52de69eec6c6ed6f59fad0ec1948166
SHA512e1353e2511dd6b4b813d49036e651000cdc21e88534399425695d1ea2dfa88f6c72052091ee3b80ecdc4b83390dff937c182f05621bcf229cfe55be4f348e59a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js
Filesize29KB
MD53116a947624456121bc66ab84bd8cdcf
SHA13d216dec6b7b8d164557da38ac77044d471353da
SHA2565637b21d30693f34a27919027de22d792228915359959d72ae152e3884caec9f
SHA5121404ed88f29acb580ea7812fc44050bc710d173f079035ca95ee1b1b538f6befdba60d5b9e69bc821e81276ec4e2ad5f7b7cf35bc217154969c84b0f187d57f5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js
Filesize9KB
MD5b812132a51687b5d478269f86a11f7ff
SHA14280a3b9612a7a0021366a025bf1f43bf3b63918
SHA25654c1837898fe610d391c66cef4c637ebd56509600981b827a2c8b7777d49c4cc
SHA512cad5f6c87804d5b27adbf4ecbd3d6156c82e05e84f7a6d272491af3ba9cda8cc18455f3e1ec695ea9a021bb19d5c74ba69f49922bc152ca2e61f6b4373723e2d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js
Filesize2KB
MD5dbe76630fcda12329ee00b298b91e9d8
SHA18a46f089681e70a76e3d0f4d2e3c90e189b8814d
SHA25668edddb2b8527fccd64bb74d61b3ff181e5b4eb52b2f06f5c28aeb821b01206a
SHA512c2280b14da6c68ba5dba4c849809f74c4f7b8e264df851c14c9e57c56e29b96bc67db8e33238aae953237cbce0bbb4246f3f6cf406d98b5c9cd15c8d9492713c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js
Filesize3KB
MD524257bf129ffc65d07879dfe2dd695e6
SHA1f8a28157c25a69f5c9248c2ceedf9fafc3a31ffc
SHA2565a759dab5d18ec839672f82f1e7fc63e860b38088b1eeb53299b8aebe5016635
SHA5125dfefb2109ba24c2d0158621f20e1beb256687242d0a91f794d2090b2f4de3a80382b0f003a917874765418009e2d6d9e3073d9724a7b940d8dda484a25c5830
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js
Filesize176KB
MD5747f7d8e35437297f55e78b7f78b292c
SHA170941cb57230159c1a7dc01b07150ffe66838f97
SHA2565c2495bf2f0d63e24aae460daeaa4d5fdca5ec4d3ba17c4453bc60a30ed11f1a
SHA51289a7f4d2e5f6e50ba9b56a30acad94bb0442f201f988c96f3cfa4eaa90efa444436b6d45cbaa2fcac47dff14fd25de609328b5be4f6dd02f352a85fb47065177
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js
Filesize377KB
MD5a001c66e79e3d7742d3c773d539b63a4
SHA1c707de64a248048f587f9937dd2c3ae74846e7b1
SHA256af6307fab8acdaebfe4f6f59982563ffd96d142306c00520f31a4ff79fe3ca8a
SHA512f66e4b45ead0073250352f9ceba6966e5895dae7e38b6c4f5b17bfa964c69346aef0186b19b8346e67933ad42f6f330e3f916590c4e7331003ea24ecbc1948a5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js
Filesize4KB
MD5a154266d4de63a7a746d21c1a104c3b7
SHA18b79999228c6dedbed9bbe617a942aeea79c4296
SHA256120f5e740cf110ef35700f2f899e9303745b1fa5ea39ce96b59f3e134e82e38b
SHA5120a432cace64f422e2950a7f979a849fff6ed3069d664b21f0bf9cfbf156c40577816b5a9ee6bb93a13c5e69626c67448e3f2eacf5752016e7f6566a73fd25a39
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js
Filesize2KB
MD576bd069cd3448ac702c1c663144f2374
SHA105c8a9d63e39304b1564138e930817da62f961ab
SHA25621685a9b6121ff1338746d0573f64046a65a45936d610b09e2de256c22f296c3
SHA512dca2170942e2b72d70303ee4c2275139002cf2ac10ddd707003c16e0891be13d07c46c1f329cb99c9017b60eae3779aa10509b92dcd1fa7bd405c2b069d8b15b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
Filesize2KB
MD5231ab7b6e1fe02e562d51bf7e72c7020
SHA15f33d7d68e01fed9042deb34d1e5507aa4646017
SHA25678021819fd08082c3cddd2b1708d52c722cf5a634e557d4741cbce7600742d33
SHA512be84296afe220073fae11fb0f0e8e65f15e4c6f767cc96b93b60fb9e8f1f6bfe352005d997db3b92ac1b79c57740b063034799a2be3c83f090320bd91eb29552
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png
Filesize2KB
MD54c3c4dfba21c6bd9b9872bd93c6f1c10
SHA1f70c3b33bb2db5f7220265417c0a5743a6bf091a
SHA2563b4b2ac4a152664652364a7d11b11d16c26466970f7ab9b2bdb4d97797a39c8a
SHA512832e85813c4ac506e7e0e6edb7484f3415caacd884261207d2d0371dd921faf37d41a0446cbda0afe381506835e54739592ab1e75e6ee5afbd4c1c3fa004e7b6
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js
Filesize2KB
MD52822b4d2fd763d32efc5278b6f995471
SHA1ec7501256ffeff945334361c035b27456c0244d6
SHA2565c824c4f0f2621311656939a7cfd58f04ee4a993355379018be41da04fd8085a
SHA5121c802fa1ababad0913fd0f8735b8826fba51c95f71c9f77138a65a05ecc6c159b458c5fe601a49e7fd06cd58c17d83840e863499c16089f324b522e4d9648041
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js
Filesize2KB
MD558e1cc358c323cae2b524fcf492876cf
SHA17268cf71a3eb84d9f01f11be5ee64e37493d60e8
SHA25611992867c0fa65c939ba4d9bf0cca1eaae020f11f9331954f9d6ccba385dc701
SHA512f243becef68af1bfd4b9e7149f8caea59fe0a0619f3de0e87d55b88a21dc758bf03da5445a2d3ed5db7e6859139d5c88061f12ba7fe194c8084fee941fec3600
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js
Filesize10KB
MD59c913cb159ebde8651461ff08fbfacf7
SHA192bbfb8cd0ebfef9df2f912e49f820dbb0a8a7ce
SHA256763c46ebc0ead24c1cdc6b091f143ed8b4a12cc3de4c47be2f54e29632ba0ecd
SHA5122c566b9d0a42e4c307ba7c0f4502db417d225097191422e06e98b37ef477218718ee2b6ec919384956ff536fe9b228ce246738126d3fd68638e9d650e5e48b9b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js
Filesize2KB
MD55584b5be1ed0b70e8306c9c2d797f5c3
SHA132d8f022c316fcec993ed316e08e2cc40216e773
SHA256c9e8868fe1dc8782ec3c4ae5927371311fad5f9ab735ad18ea225dc66b1ffe59
SHA512a43765bcb46e4ab50314e07bf823a06c3436abab0a54b263af3f9042c58490d4b27270c087bd4ae4bfd0d605b9db6bf0dfbd1c9d32f36ff066790d4cd77fbd38
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png
Filesize2KB
MD57ca99c37e8d6c046d8569093be7ca48b
SHA178afc5af71e196f5fecb816237e8cfbe10f7d446
SHA25665dc9e8b8aa861eb0021afb8ba56284cec6aada3f2c6b55a3240fc6330671918
SHA512bfcdbfe4f5dc5c11732d746d25aed40f7889adeb7dd389a308c389b35a67f6d537444aa790aa2a6425b69f3d111a57baa4b04854a4e9244625f9d752431b43db
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png
Filesize2KB
MD508c90a99deb38e0603f476e900408f55
SHA184b181f6082d261baa723a823f04d2211ab2aca7
SHA256a205c34072a12d208da1941828a058e820890c53736df2d103a492a191012450
SHA51273284b65190d84ea3c70aba52ed31974ce43d9a5fd874a9e516663eb014f24484da5a9e7814ae63aa05e6e782506d09d47b4ade14c37e4160a06483d00e48113
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js
Filesize2KB
MD5e109d3bbfbfa38798d966b5a21bfa6e7
SHA12b130fab359c24957bbc68bd243a25e79a41b4c4
SHA25659592add565301946a13f9d931762bb66b63d093495bd0a5d585e978f929794d
SHA51278540edce1850615f11406a1aff2dfaff063fee1bc865d8bc8287e53e564e895e16c98669530ea5901c880194bb77013271bbcc0d7913c27189b0fa8a09242a8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png
Filesize9KB
MD51a9d273fa1e0ef3ff587d3ffbde3a48f
SHA1197e1f4bc67a7c092e3c3f82036d1781c0de60cf
SHA256fdd0228c1fddc563b437060393724fc76421b68246aa6ca6da5e246eb1501b50
SHA512946e5c605f0a07b992476194d9c8839b3c0c82e49daac137d058d71248b9b0e815fb9907f4278970cace57d52decb0b39c151e48117342bcf8094075b054088b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif
Filesize9KB
MD52ad7dcdb72bbea027455cf169c4aa05c
SHA1461fb57123d0527d9b5d709dc97749c5219d37d1
SHA25662740966ef8cf430bad2174ee1f3713d1811a4398c84cfdc74c988b73858843b
SHA512c3d7172eaf764ede1917fc19b562b7ba208e6e87947601f9ee162603c720a2e9dd82b768dd748ec432f18eb850ad46b47acbffe1507fca9e3f811c414fbae7d1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png
Filesize16KB
MD5e00bfe825e41a4354f56ab4c375bf32c
SHA1f50f534346242d9c05b2f8b3f06b670a4fce65ea
SHA256e524a315f9faf103621037f17eee801652b719815cb34194068fa7bd454495a4
SHA5124b1438c6a2eafbb07c779575fd252a9f24bde002597d4e99da2c7f0006aa7a9fa835ed0610712de3e733ed9f8c40d12d8d0da0173a22887bdbbbd51266495c40
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png
Filesize9KB
MD5be050cbae5f1d5fbe246b2f95ae597b5
SHA12932b87bcffdb4476f6c180b3c290db192f46d16
SHA256564edeeac2d68eedf000444d05a7ac473741ee5a2f140505555fb91fd4c6c1a5
SHA5123ae71d321e952a68e5542edb04e26e022e835844cecd331bacc7e1fd7fa20b12233192748122fae64a0b000ec9b67800c7cc2b8f171453978ab332b3a9796002
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png
Filesize18KB
MD5f751edd4ef642518b34bd2c116a4b450
SHA1ae458de3ec5970463bd4669bca55d902ce719269
SHA256dab00652f990165d10e62655c760daa2e7c7bf49a62455ba31f152550e54723b
SHA5127cb5f3259ca7288b35689c8e98f842c0b0edb466c69bf49bf321ab81caa4df58cf9d5b7376749545040dda35976bb68dbba9c460b56e72f878a0fff977aeaee7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js
Filesize2KB
MD566f74f62af32dcc3ada0fd38a4ca31a1
SHA15894ad48016d93ed1867db396e9f0e879d9a2b78
SHA256622d5e7709c45af6e725a30f984a464bbcfbef5d95dda7a41bc69b94be52222f
SHA512e9ced11c73e5ff7054817a3ebb2a5a23950e31a21b29e9368ea5399e6a43ec7c811fde006ad485fccd2bf05faf8220c379a24d225ceb0a3ef9df028d283d62ed
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js
Filesize2KB
MD58a1d87a2eff5f52a60c47b8de25d94c2
SHA1671f7ae2a25606dce02a19fdcc99d9ee837405c8
SHA2560291aa4f2a6331a61117a6fd3f1a58fefa6f716419d6c0dc9ada2ac168c01c8e
SHA512e0f4511db0d8c985ef46931e95d33022166555edbab71b0905e406815fc74449f651552c6536891e6a5e881e94e46a7a9c44c28a7527eb96ca2493b05467aedb
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js
Filesize2KB
MD59795c50c147d037b3fa04361675dfc70
SHA16cb6a3afea02d755c66c0fb634d907bc5649fb8e
SHA2565246fdfc749dd548247ff8baa9b8235feb76e011d5e7af148a426bc59f89ea31
SHA5124b874c27bb7b16caf1728dce875035a41a14686769f98ed3859ab1904722cc3ccbbff33e0d1422f61d332341fcc503b3cde647069061ded7e698f0835b572fd5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js
Filesize2KB
MD5aeb3328a455a9a33dc2e261227d6a8bf
SHA193c3f199437a732ac0536e441cece1f997ec68c8
SHA256820b5a70ea99c0934414aab117affb3b85c58ff3c88c84f05bb405d4ce3a102b
SHA5125617ea8d60efa47bf3e317c1f27ffd239899067637e8b35a8527c10ae989859e3432da0db7e8574caf89d52b02894909b71c09d40fa3e46d42c24f4987081a80
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js
Filesize6KB
MD559d386e3fbdcfecfcf121596f9407c66
SHA1213b0b8b7d205ebb2556397a94361dbbabaddd40
SHA2566711203a1ea2279e33234de6a15e17302edb115d88dd508071fdad89a0a17ed5
SHA51241148e50919d58e8adfa05c1b7d50b86126ca6bc30651d28e2c1b619c2c31b6f5ccbae38fa461c062cc50b3fa6e52f9e5a0b7f05bb3d5ac1ad64b33651610e55
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg
Filesize6KB
MD54b518527d847e1fc32b3595f026a49d7
SHA1eabd99642aa86bc399838221d6c3405dbc88e6a1
SHA2563626b9638d07b804fe195f73c556dd981245d907e4a0151455f26721d74f804f
SHA51298bb576c5ab0ac32e31f0718a7b93b2d7174509379b2cdadf9c8d9161b3fc26f75dd8e3ddc9083fa002d3a90b69393efe73eaac19ef9ac8e9f756aaea0c9b04a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js
Filesize14KB
MD5f538fd12613902bfc095ade08aa6d6d0
SHA143f379e6c9e57ab1637252fe10a5e070d96c99ad
SHA25646d31dfddd5f99a0b6628a6d11b98af71679aa7bce04f50c30cfaff456ad2725
SHA51232c94fff949893cb49f1af7afca391826d35cc659dca0efe6c9b20cebe822bf216bb136a221e69c5bd54168e8a938ac56e675ea5e177bc7678a16fa3cfde28d5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js
Filesize15KB
MD5a74bfad234d5544140bfabe0aeee2e5a
SHA18311392de7bf91ad7898c5230428212e4aee622f
SHA256b6060ba95ae909106f783a9b330ab8ce5c4673dacdc515bb53d07be161b79a8f
SHA512a058a8e0ae9815b993e04764bcfb12344ab718291bd4daca61040cc829a381b857ad13cc44e4485de08b82e92b7fc97c20c96ed091d1e50e1878e08fb7811968
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
Filesize2KB
MD51d5c0656a14f100d8013772e9b558ed4
SHA18dcb2567b1b828073ad6aa7210457deffb581034
SHA25617fe2342293d566fd0371d64522f41660bf4dae10438ea753799372885b1241d
SHA512a7c6001c3f3c266cdfba070230df2b3a367d4ecf3d3d80f7eec61960ab0db3a4a1e6eca10d2a432d9372f7b0dc7c2a3a5ad2d1b3937bd85a698fb8b946bb4f4c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js
Filesize2KB
MD54ca6f5f394600cb5e1a67317560e1813
SHA12de1fd405e62fc8ba992cfed84b799a3c1edf8b7
SHA25695aa6528851fdc44b9db7c180b80a2e0cbaf84eb066080b4672231dc9b82430a
SHA51237c926907d1ffe761a27e6d4b5d55785358aa1059753e8f1382e083b607d7d366dc7e614e45c940e0b557ee06295ab9fa8da0447558b6a76e7a445b28dca58cf
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js
Filesize2KB
MD5afab08d873240cb85cbefc35717245d8
SHA14c94958dd17a41a1b5fa52892f7b4c109d15e8b3
SHA2569a005e08de396a6bcbc2b56e248136b55964345f2d68b2480909daa905ea298b
SHA512f708b19e3542c68f6ec0985a9612e7d7b072191ab45a6ec7709c77ad9c1bcdcbf028d1acf8d2be81c6d4f7a86fa03ef5a947111a9bed59c5c0897b5bb2f1b8ee
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js
Filesize2KB
MD50926efa44949f43a73e406368ef33111
SHA199b20702fe7cc8d450edf6f624cc8b1bf5d4a52a
SHA2568b531f7be0fadb89fe446dda702420c7140ae1ed259480bf1da0a48484dba161
SHA5124ddfbe93071b76c2945685780b747073f4a179ca229b577a3575220c1dbd7752a18323d9589d1a349d146aa64b4a83449df41ff9a67a59d76828b65b889f4500
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js
Filesize9KB
MD5a78392542b9d4216e1e074f0522e6144
SHA13186e9acb304c3c06afe0ff5dd68334bd4f56f3f
SHA256a35b7387bcc58ac1807c6f208867d278bd29403383a53ccc0fd0780d38c882cf
SHA512ab7df6fcc75165923f651d5206ee1e3da9b77c170336e52ac5bb634ba094d8c6b4c7ce7fc1af529f8d7b062d26cef186a2c547128a659f7902426d46209c7690
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js
Filesize5KB
MD5a0a4f9a55334515c4004c0a63129fb65
SHA12c1ac5fd19a2f2551e77db72559da105bbc1d0f3
SHA256cdcdb89dc47eb1fd55ce76a05a28eebfc49956ada8d92f659c38cb2df368b464
SHA512907fc24c5f93d68df0ea1710c1d82f615aa7477efcd37229371d31970b703ffd96e122f2b42fb46f10b332eea7bbf2791905e7cd0912238fb70bf38d810aefd6
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js
Filesize2KB
MD53cbc6624c692dcaaa5db3d56b16d3cc6
SHA1026273a9ee6a4422cb6a54ede5d29cac41742d20
SHA2567f16f81a42c57a1466ad8d929d4e40144313920b5fe3dcc483a0af552cb7cd26
SHA512eaab42b2e1e4e5b8107a921826fbca9c9b425eb87dd918682650622238665d601201f66c39a6da8dcc8c46f562890d164fac41a87859240068869fabe75b04b5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js
Filesize15KB
MD543be07a66830e88dcae2cbdc2ffafa0e
SHA118e1d466581d2d6c93004a799dab0231192aae7f
SHA256b52c98d19541fc3429511b0f947e879b4574043fde52d8a983b75b6bdf69cdc9
SHA512b912db67825c533e8c76ca5cbd51c8edc96cebb949c09db0dbf1b7754632f87f2e00ad53ae00eb9811bbcbd57268426b2a16e9c2552e1dcb1e3c89cafbbadf02
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js
Filesize2KB
MD5ccc382535688d022bab4a76daacb66bb
SHA10d7546e956f1e2eb30dbcccc2151a741da9bfb7c
SHA256d820d6f3336401e6996848fec4de3843db8824cdfa51af841571f10f618e561e
SHA512e7b9a62fd5f4aeab4ee3b2b8268c1dfbeceb739cd732cf4e6d70be907c09b282395a0fab36f6d896978cf1bd7b5dfcb38968197746b8fee5f576095011e2dfe8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js
Filesize2KB
MD57f758ae53a27e94a6e00f9ff55c5cb19
SHA1441a6fef5c92fa163d6791c80cdb505bff3b426f
SHA2569fd2901aee7f6b2b83c38982b4a92e0f92cb079c46e4d4913991988eab42653a
SHA51204cbd0256864cac6eaa35d573f4189c9481a2233a0278a1fc30df098e1e5a27f45b221ad6e4fa74b0c3ec1f361bf120b1edb69f30bd4f3d5287ae763e56e5dc1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js
Filesize19KB
MD571bc37bb49e3cd440ce98e50780fa7c1
SHA10fc4e57632cde0254519595db342399f30784a6d
SHA256781284bb95f2624a9c4efa8ef95edb693692bf7734b47fe885753b9cec22cd8f
SHA512afd76969b5b31790b83955cfd0fca8f2c3d125bad3b768880ad9d944043722d4e90a4cdca3bf8ac67816716a597e5ed23744e251f790ae5627177cb43fb35d44
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
Filesize34KB
MD5d862b588444bd18a2423a3fcbd496b8c
SHA123194ca1f464a0c0450fc2e1067f152e762045ea
SHA2568a792be7cc8f3e7510efff7a120189bdad15fbbcc982f436f2abd45281fc32b4
SHA512dc9205d95b0e2e208b8e817175ad834535129df23d96a580815c13d3996b5001a7cd8589d1d1c25c232f61632eb4fe06293c2e1fc95c56624908d72749f88113
-
Filesize
7KB
MD538302a58e32107a80c7d1036ca85d9bb
SHA1e7ae91d92e2f3dc0409b3eefacc10b8b2e32dd32
SHA25650a4e89ca66fa606b9685349efe332cb14153a36ed91cbc40496ec6772bb82f8
SHA51216d9a4de161f9e7fafef8cb313da386c48a9a5f794ce4cb5d7c2a00e7046bdcf40a2a61a843eb25582c5195387697a4ceb7a589f8625b9dd293f9687c0818efb
-
Filesize
1KB
MD528412b22821c501cb485beb5c7dec23f
SHA15ae6904f2aa2deaa51509d257160041f0c1809cf
SHA2565d04e7b53501a1aba0632714177f837cabf3f00f31e399b38d1f275a2bb970d1
SHA51241a39279ba2acea684a9b7227c378254a074d5ed05a979eaf6203256b2a0336d11dda61ecda079c1e70b4d1ed9d349dd73dcbddc770db7fdce0d0e89571246a4
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize13KB
MD5e76b5c5de787a14b3620bff6154d8676
SHA1073a966aa41cdd64bc762911610d599ce7655d62
SHA256d3f9c5aed417bb16bf740a1ab7b7e179a6e4bfd4ed4ba365bb3692da7f1f1b43
SHA5126435b460d2506a032d0b2fbe3cab484ae1d728eb0e82361503d44d8dc530d1051bf9ba2e271fd5c638e5507cb072ced5a0191c28c86c2f94c905ae385f35db85
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize10KB
MD549579874182233cf9cc3da6c925ad651
SHA150f05ff8f0d894369aa7bc50fb30e583f60eb287
SHA256379d130dd436b8360af22abb1323827bb94a0c8aed547054d109b8abb2663cfc
SHA512ad51ae9216adc355520d3c1b5e8cbc5dc2e2217e0324fac6fb487a6e2c48fc33002fcb5c5c8193131b8195cbee02fd31a6dd6de17e64e710c97ffe0c1f29b397
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize1KB
MD5ab6e50187525f5c0371cb1446958ec60
SHA1c0eba643e7560deb42625ba56a5e960cf71640da
SHA256ee75fedc5dcf074a050a66aa83471f4d8379fcdd11545360b6e339dd4e4a49ff
SHA512c7dff1b899355c93a0172ee9fd261c9504fc0bf33d2de5d54e9498be66fd425c13abbfa71c783384ccc4baea5a4f07a28ddb774a0c2ea74b867033fc015cba12
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize9KB
MD5608839ba31e6f82789cd2bc085fe321a
SHA1b3cc46cb95bb02f154393be0f4afb5074d5c9069
SHA256815ce5936896c3cdb05da9c6b1b6c8ce251bdb156735f2eb27d59dc89ebf9061
SHA512e15c31fd9a3ff008a0fc315b1e5aeb5b6699949bc03fc031661df2277536c7eb45b04564fb3d9fce108c4861d8b932ef0fecc0383a1fc8f925f9f53ca36caf46
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize12KB
MD5dcc60efdf2e1c4adced1f6916a6b85f7
SHA1e2949293baca7d4bea42bbe7d3261404e95ca40c
SHA25675fd82fee5be5d8ce96c61894fa26fcafc1e2e6b4ec557cbb79c9172ce777fc0
SHA5128795f92338b8601fa0ef73b9b9a72a235a82f8bafbb7f3350c4301583a404ff4242040a65ac77b8739898d1243b090ab219911f22550368ad5559c445748b4c9
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
Filesize9KB
MD598d3ada2cbdcd6f7798a3f3881c1625f
SHA1db4a38780cca85216fca897fa83fda1ce77c68e9
SHA25683f2038176901cb72ab70540a9064f8726d65f8362f5494e93064b0dc85413e5
SHA5125dc18a47e7d570b31626b15fb86952072da5be461a3f13b2866645a86a8b3c11391b6e1581e1e521b2ddcdf3e4836131046b1019fcc6e9d59c277bf12bac5665
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
Filesize13KB
MD53f137991a24a127f52454f8ca758a71b
SHA144b25c78bdadcfc1998273283957044f23aae140
SHA256aba7b9b2383b5cf6d870e496a1457e9aaac14507d4a69720911b179b6bc6b212
SHA5125618569aae62daa175b31ccd797f5ee828e85909347b953feba072256e5155634f6136b0dbcfee9378884971a5c270267853a3422faa4aaa658fe85eeb9d0c11
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html
Filesize10KB
MD5bdedcf02317e0da548c0948433cc3218
SHA14a6f541b662332d75b5a32ec7c94cd333edf423f
SHA2561a975d5242fa7a9563486cb2858481125a742e2edad6f78f8608b38c6834eb27
SHA5126c625514223c09c9a24b14135a67366683bf62e30b6a050f36d3d4ba59b2aa6538358d0bc62b12e2e03515292d277c4f68db73f2e40f920dfe516412e2805917
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden
Filesize1KB
MD57164212c8c8c26baddc903e6ee1a13f9
SHA1885945f774b2fa2ce9a1cf2d1510cc7edb7f2da6
SHA2566705ae7111e076841cd8f92906a100481f43ff188a13beaa860027db1616b248
SHA51213f1e62e0f5c056db1f50ea7b5cb6df96aef29b138e3eb72a81abe894fdb16440505ea157e768ff837ad5f28f46b019d6fa24620ecbeddc2ec140259578bfabe
-
Filesize
1KB
MD5744e62fa16f6edcf559bf88e6549fefe
SHA16a32195f9bdecab6bbe2bc037cae034154aefce8
SHA256e91e1d194750de1239e63341eaf2c4cb12f7699b9d5caadbe99b6824a8f6092a
SHA512b02fc9b53a5a210aad9f707edf1a61e4fba73cc4159a9e0ca21b327aac5d3548a40a0d9a731c4207c9f766957b6b8a83333abc14d92b6c51ba2a096dfca972f9
-
Filesize
1KB
MD5323c24a9b1f513a1a235d44c86de0a5a
SHA14ac98cf5f9c0306ac49dff7004abd6292b9bd713
SHA25612d8281047ff59d8939016159b90f8c178d25017efc68472e502149544f3d675
SHA512d7bc0dd4fb4584667d29d4b481d189f71bc78f33c975d19cd8b1dd6bb673894b5f4292d1f6f8f431f8ad6ac291f5ac52b08f108a37e594ff5be9877788877cf1
-
Filesize
1KB
MD5c553cb689be2000e9d4ce70b44aea1db
SHA184cf6c30e8ad7ebe40d608cf1016af330fc435ae
SHA25637ef7581ac13fa540f2cf27d470c857fee46c40c074701823b85ea27cf308353
SHA512e6783adfe484c4a342e12e090c912886187b5b4f85e6b4f6d83dc4e4b287e7103583b43676e68abebf019a2ffa297f2a9f20f17b3aec2fb4bc38b5a1ec815999
-
Filesize
1KB
MD500ea486782ccc733e4d00ec20d36fc74
SHA1da62c34fbeec4f7fd38e2150072e6ebf2e4fb3b0
SHA2562e74327123278cbe493c5754d490fd7a32934cd137801e7af53608d8a6da86f6
SHA51278ffb40543b14bd1fdc8aa4f6c17f08b6c1e086f49a17c99d5fb6ee033de8b2aecbe6892e6f4ca029152e6b1e09ef6d0abd84ca118ba29ee5379ad37b6cb2005
-
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config
Filesize1KB
MD5d72bae85cac515b035156532e3c125c6
SHA1c721ffe448a7379fcdc800fd6a136017040de5bc
SHA256a5f847b7c148fe09c489e7cc153232e87a0e2c1a3b07c7618ef3953db2291178
SHA51269fc3d5fc305326e291c62ad69f51eb554a078d030d5e60c99321a39730ce0ecc3f7a0c3da99b291b068f6368d6e0a45412c3ab94ff71c1c39779843e126a1ca
-
Filesize
246KB
MD5726a592b13926ee4e28f2832eadd4209
SHA1cb14e49a6d336d9036dbd781d6435d0d3485c946
SHA2560b0930f95d6b72fd05d61ff359c55d4d674299d8598ece67a79bf21aab52b14c
SHA512697f7d31ddd07dd58959b683cd2a0a87aeae6a1799f825ee7fbf1687ab76e63765db5265d21c9f5fb208a7eccee783dffa8f172e38d9557f1a06bab5bd861109
-
Filesize
1KB
MD5538c9ca76421e8ab2435f5e1cec7bfb8
SHA186f6087ebeabc64fec828f024c093957f8bbb4e9
SHA256ed4a9dcb26884027ed4e9760e2d63636d2a228aecc9939fe5c461b1b6ed78639
SHA5127dc441b84f51a9f90c4031d0b401389fa2447183e458e385d1e668940882ed0c73a5e8599cd14ee3146753805bcf4c088393864d5ac1266b862c7e002a0e2e67
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi
Filesize3.0MB
MD5b9af1bdf33ed7ec3bd45e36e364c5c41
SHA1cc9f0b7cdc916a0b68a9b6ca439a74f8ea2807a0
SHA2569577db5ab2fe8939acef5df86e507e0a52600ad6abbde18c6a80a777c4d7851b
SHA512812e43e94499ccca2a20ae6f3cca0d84a3918ac44c36b3d64c806a5f7dcc5252ec455b87ccebdbededcc2505d753ae68d677ebf1051c4d204fa0f6fa6cf6a99b
-
Filesize
609KB
MD5a41b2b8510ad00bc59be0b01eabb07e8
SHA138134c1e9df9fe2459b965e63126d92897a23c92
SHA256539cbd5176f111a578c85abcf9cf9d37efaf52e85bb98515e14d404f153181cc
SHA512eb6c7099b8edfb1db851947c68cc2662dc2cb273b4d95f5af7d27dca3d1742e4ce1ac4ca23de5886412703d297962b6721bda400a5df1dd9f79b960b02856a00
-
Filesize
587KB
MD5496291a735eca37b74c7c5b523c6d73d
SHA1c5979b79819a206847f5ff932be04ea3fab4b8ba
SHA25655a968882189adc1716346430432e4dae6c686d56d2a5ab682a1591ce036251f
SHA5128055cbcb3b90917bd2cff8d570f31573a283ed2dffe95d93024bd01ae53de0d5c2c075516c4ecc1a4a032e76b684be4f741a82fe6f77273bb323c3e07400e62b
-
Filesize
545KB
MD513036de44dba9b1fab398445267756a2
SHA10f0e12cc719732259a1efd10ed9bd3964e925e58
SHA2567fa32573937adc3b299d51a4e83eec85bcb6a6622ee5372e4ff5ec18feccb844
SHA512fa46e84c8a6de397d470fd4553f6d714ad037924251565a002d806ef316be3c9e92ef0c9eede09b942aba08e475306e3d59e5725e91d80821fa9c366a6795f3f
-
Filesize
1.3MB
MD56e9ada6d446d1ab3d2e5f446c45dc036
SHA1e78e5557be36222f2ce6701f63f71e6bcca16ea2
SHA2568d57e143b13e3f585fbadd56ee65b114e00487b34ea64d3849fb7690e288f5d3
SHA512a24fb7b92e7237fe73bd8f45e3212a6970b50a3811a5f858230cb44e39679944d35f1d4c57b28d2b653c75578485d47e9c8383f53d03b2f3b6864bf71c19d01f
-
Filesize
1KB
MD58bbf924037fba92d04a4471c64ace73a
SHA1ed6fb65145ac077597f04cfa63bd02e21a37346c
SHA256bb6d65ede4b8f93da899d4172bfb453031f1e340cb22aa51fd59d89d8e9d9d38
SHA512a68896541db40a0ff9520c75a9bd2c47c378b2640b8448a17751a2b6ff8bad764ea86f06c3886f277a94fab9057ecf662d74f8efa2b3d0179f2a60838d458355
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize181KB
MD5341e561570c6121568d7dc8abe7f5eb7
SHA1c77ecc01ea007502d5065c3401e7d9cc76dd557c
SHA2563a1a5114df5aa9dd8e1658ea6837f48badf331bc9e444772ba6f3261cb24c94b
SHA512f9338cf2a3deae79de8ffcaff1dc3609935b9393ade783b05cfc9d96faa43652c3e913bd85bcc7fd54dd6b66bbc10381bd2321d7d63df6c9f2db9cd4c9f2f495
-
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize149KB
MD5c6dc6c5b1287db41035e0552b8dc56d8
SHA13adbffcff85681702068762245473f4040e36727
SHA256338085a6a3ce5de5aac29ddcf62db488d0498b2e5389de81f1a3f28ddf7dd2e7
SHA512728d16a4243ea3ecb40250658d91317a397fde255bb5961a6a8d2fa584145efcfe4dde795fcfbffded849000459af7406b2b41cdb3636cf8f4da9a62c763c994
-
Filesize
1KB
MD5caa0f220190daf7bddfa2194aaa1b4e6
SHA1c94bf734d15238de928e89587235bf098cb4480c
SHA256b790697e80ce2929ed7014fce3a94f875021dce6e4c42f90f703a4526944cbcb
SHA5125223e7b16ab888a79833052dcba0dd3bff01dd47cea362493020908b07efa3089354bc7d1cebb7dbac1e503e693f36d5463948de779b677a4006b4753f056cd5
-
Filesize
4KB
MD5e327546f3c31078aef4ca5e1df292345
SHA187fcbd3e83160c9774dc168d04250179c46ae6e1
SHA256068ba00e8bacc3ae11b8bf9add336707c2d9fa0983b92a029e841a77ab28e8e8
SHA512af0326feed5706645c8cc86ed06517d291fd6b09fe879c8cbf7b66f8acac3e5bd228d1a6da890b338a9aefd9f7081b1ebbadd6c1cf483677f52d6fb64fea1ced