2d06acb71440e4c8f46cf347fffd14f5162542edb3fdcc69b089588e3641723b

Resubmissions

23-10-2023 02:59

231023-dgzqasff43 10

23-10-2023 02:53

231023-ddrwaaff34 10

Analysis

max time kernel
805s
max time network
493s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Size

340KB
MD5

714870c33ba84e744b84b32e6e114ed9
SHA1

840f442d4466713becdf72b88846871330ac38e7
SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512

270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP

6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description pid process target process

PID 2912 created 3476 2912 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3044 bcdedit.exe
4204 bcdedit.exe
Renames multiple (6550) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2528 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4460 wbadmin.exe

description	pid	process	target process
PID 2912 created 3476	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	Explorer.EXE

pid	process
3044	bcdedit.exe
4204	bcdedit.exe

pid	process
2528	wbadmin.exe

pid	process
4460	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened (read-only)	\??\I:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\K:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\L:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\T:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\G:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\O:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\P:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\U:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\W:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\F:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\N:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\V:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Y:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\B:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\E:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\H:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\J:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\M:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Q:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\R:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\S:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\A:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Z:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\X:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Program Files directory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-unplated.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.ce48eef1.pri	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WideTile.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\View3DConfig.json	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-400.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotsHubApp.BackgroundWorker.winmd	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircle.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\questfallback.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-150.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Generic.xbf	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jsse.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-400.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\1.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-150.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Windows_Insider_Ninjacat_Unicorn-128x128.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-200.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-20_altform-unplated.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

640 vssadmin.exe

pid	process
640	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
452	taskkill.exe
1032	taskkill.exe
4020	taskkill.exe
4200	taskkill.exe
2916	taskkill.exe
1556	taskkill.exe
4444	taskkill.exe
748	taskkill.exe
2768	taskkill.exe
232	taskkill.exe
2208	taskkill.exe
5012	taskkill.exe
3448	taskkill.exe
3564	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{16FF3CAE-13D7-4CFC-AF4A-5BC5E5FA9221}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

pid	process
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3108	WMIC.exe
Token: SeSecurityPrivilege	3108	WMIC.exe
Token: SeTakeOwnershipPrivilege	3108	WMIC.exe
Token: SeLoadDriverPrivilege	3108	WMIC.exe
Token: SeSystemProfilePrivilege	3108	WMIC.exe
Token: SeSystemtimePrivilege	3108	WMIC.exe
Token: SeProfSingleProcessPrivilege	3108	WMIC.exe
Token: SeIncBasePriorityPrivilege	3108	WMIC.exe
Token: SeCreatePagefilePrivilege	3108	WMIC.exe
Token: SeBackupPrivilege	3108	WMIC.exe
Token: SeRestorePrivilege	3108	WMIC.exe
Token: SeShutdownPrivilege	3108	WMIC.exe
Token: SeDebugPrivilege	3108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3108	WMIC.exe
Token: SeRemoteShutdownPrivilege	3108	WMIC.exe
Token: SeUndockPrivilege	3108	WMIC.exe
Token: SeManageVolumePrivilege	3108	WMIC.exe
Token: 33	3108	WMIC.exe
Token: 34	3108	WMIC.exe
Token: 35	3108	WMIC.exe
Token: 36	3108	WMIC.exe
Token: SeBackupPrivilege	5088	vssvc.exe
Token: SeRestorePrivilege	5088	vssvc.exe
Token: SeAuditPrivilege	5088	vssvc.exe
Token: SeShutdownPrivilege	5744	explorer.exe
Token: SeCreatePagefilePrivilege	5744	explorer.exe
Token: SeShutdownPrivilege	5744	explorer.exe
Token: SeCreatePagefilePrivilege	5744	explorer.exe
Token: SeShutdownPrivilege	5744	explorer.exe
Token: SeCreatePagefilePrivilege	5744	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe
5744 explorer.exe

pid	process
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe

pid	process
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe
5744	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2912 wrote to memory of 4120	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 4120	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 4120	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 4120 wrote to memory of 3964	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 3964	4120	cmd.exe	cmd.exe
PID 2912 wrote to memory of 2820	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2820	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2820	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2820 wrote to memory of 4892	2820	cmd.exe	cmd.exe
PID 2820 wrote to memory of 4892	2820	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4200	4892	cmd.exe	taskkill.exe
PID 4892 wrote to memory of 4200	4892	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 2924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2924 wrote to memory of 2232	2924	cmd.exe	cmd.exe
PID 2924 wrote to memory of 2232	2924	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2916	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 2916	2232	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 2528	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2528	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2528	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2528 wrote to memory of 4204	2528	cmd.exe	cmd.exe
PID 2528 wrote to memory of 4204	2528	cmd.exe	cmd.exe
PID 4204 wrote to memory of 2768	4204	cmd.exe	taskkill.exe
PID 4204 wrote to memory of 2768	4204	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 1824	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 1824	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 1824	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 1824 wrote to memory of 4272	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 4272	1824	cmd.exe	cmd.exe
PID 4272 wrote to memory of 232	4272	cmd.exe	taskkill.exe
PID 4272 wrote to memory of 232	4272	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 2064	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2064	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 2064	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2064 wrote to memory of 1528	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 1528	2064	cmd.exe	cmd.exe
PID 1528 wrote to memory of 2208	1528	cmd.exe	taskkill.exe
PID 1528 wrote to memory of 2208	1528	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 3732	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 3732	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 3732	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 3732 wrote to memory of 900	3732	cmd.exe	cmd.exe
PID 3732 wrote to memory of 900	3732	cmd.exe	cmd.exe
PID 900 wrote to memory of 452	900	cmd.exe	taskkill.exe
PID 900 wrote to memory of 452	900	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 3924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 3924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 3924	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 3924 wrote to memory of 4108	3924	cmd.exe	cmd.exe
PID 3924 wrote to memory of 4108	3924	cmd.exe	cmd.exe
PID 4108 wrote to memory of 1032	4108	cmd.exe	taskkill.exe
PID 4108 wrote to memory of 1032	4108	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 860	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 860	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 860	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 860 wrote to memory of 1812	860	cmd.exe	cmd.exe
PID 860 wrote to memory of 1812	860	cmd.exe	cmd.exe
PID 1812 wrote to memory of 4020	1812	cmd.exe	taskkill.exe
PID 1812 wrote to memory of 4020	1812	cmd.exe	taskkill.exe
PID 2912 wrote to memory of 1068	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 1068	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2912 wrote to memory of 1068	2912	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  "C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:3168
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:4960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:4964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:4344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:3076
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2528
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:4448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1648
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4384
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1120
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:5088
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:3060
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3336
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:404
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4032
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1348
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:4180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2300
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:4480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:4948
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2724
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2788
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:640
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2916
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:1508
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:4436
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:3280
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2248
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4136
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:1620
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:2884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat

Filesize
1KB

MD5
8d1dc3cf9bb311340bf7ab91c5aa9dab

SHA1
ecece92947231607db64c8bf152cbab8d38c8fdc

SHA256
23dd2b3f363e91396ffc02337149274268fce6162281b0a78f34baf532b8b43f

SHA512
a87063033a3ebcac63b679a22c08c4d4fe5108fd8ad1b2f215d9f2113d515478e25beb12b608ebb3f13f25cc9c909c74916a101f8bded03ad5f30dbda3a1ea7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
95c2808f30511bbf499ae97afeebbee5

SHA1
816075105b4a179e5db940b332451472b2274410

SHA256
30fbfa06132e2a143fc01326bc12f173c34f76588b9f91e5e42487f6c8c5b343

SHA512
8d503fa5a4affad64ac54a28bcb106577b2d7a77ea03cfc98b538b3c3e8f514d6431b472e8948864fb1d60ed50a9002251ca5b8e0bc0c980060f1f7a7ddb40c2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
c4d1c673f75f35fc445eecd993ee45a1

SHA1
4ca60ae21ed2bfeeef7a04f27f64278b31e6c49c

SHA256
2647787d5068a52507ec818e0e2c7e576347d6d98cc2d49efb16a2a341e6c637

SHA512
f2fe0eb1696d762889099a4c622b06fafe9dfb016ebf5de432546a77e164856bc54458c0e9e049a539cb698f686fa9eb5de2cb0a2f065d6d0c7d80ab88ad93c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
3KB

MD5
49a013fac5847aaa2240007c7ebcb5ff

SHA1
ab0fef51353426747a161477078fe99394df59b6

SHA256
38d994ff9d837840c3a2557f98dda2602430e1efff454ec341d7f90b76fc3279

SHA512
3c2cb45fc22eaaf0fa2dbbc8c442cba798ac1fb0a27dbf14b43afcf34cef1f994c2c21ecb576c7489103c1451be76adebf3e8ff286bf7d987f8dc333e851b17d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
5KB

MD5
83ad0013bdc49ab722aecd9c5da52124

SHA1
45d814b8afe622279df41fed8ea9e583faa6860d

SHA256
1bfb23aa4836e4f36f1e71289c80e552d1edc1bfa4e95e5948af18eb134d7621

SHA512
6018883ae6c220e15ac293ea2f4853f47b49cc0c9a4c5bee8b62e395125b6cba422d5f8d95c2d2496dcd12d367487b2de9a9a275b7039e287dd8588c0def297f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg

Filesize
3KB

MD5
2ee6690751092f45e76907a62e86d837

SHA1
36756d5f85e08149759bc8c513932750a0c5c1ef

SHA256
ad9ca7bbae243c74313a46c82f26e41ee3c5d2e57bea21c84d015349a25217eb

SHA512
caa2989c9eb258bc7eb76e58fa7772cdca4ba696a0056ccf0ec63a2dce5098d050c4ee9a24d603b251a3816546ba8ea6414c6c2f2b2752daa0f4111c1c61690b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg

Filesize
2KB

MD5
4908aefd002b4abd295f24db47249cb0

SHA1
0864c24ee9e47770bdf508507c79e4ab2e2d3aae

SHA256
f918e57c219463969756f6f742937c28c9912494bb28e60f258307533c71fe99

SHA512
38b0a94907adc82c6a0ef377c27c9665f9e720c3db738255552eac51c285c73dcc2333ccabcb632238e992424aa3845c32bb650e68fb99a2f3894571c1aef30d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg

Filesize
2KB

MD5
33356663f0d2fb079943832413159169

SHA1
adb10da622590a7d3345ad236900d1b64782314c

SHA256
03676f0052f4e3e442844bc3de751b96881f1c6d1b9b8b1b798f8081e5e28c7e

SHA512
3db79e5218441eeff66c72f190ba65343fd98dad4c799570750c99072eb2deced261ef504d1d11f7daf658cf97b8f26c7e737745525aaef43e7eec605adabdf0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

Filesize
2KB

MD5
ba459037e744cb66182c8098b7eb990d

SHA1
462cb778f14ffd7ad3d37ab37c1ad6dd4389a15d

SHA256
e83b0ab53241045aff99e4a5e3d991e217a6a593e71161a1e49ac2cc9de41871

SHA512
6d33ce9a43356e4259e86dd4f8b2224403023047ab35aad6939792b4695b15c77a6da9ae8fe7bd786b7eda9bd73102039ea0c0c63ccdbeb40178effe70bf6728

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg

Filesize
2KB

MD5
726a563114686f716a08aec1374d980e

SHA1
864be9f6accb8a0f50ee180bb11de4f71ffd66fe

SHA256
274c449350c3cb5c6803a1bb8d3b62d70d13580025400e1ca0af0add4094cf0b

SHA512
4d25e0241401bc62d71ccde2f88508aae6f5a0b9b820277b7c91fec0786d14ebb88b3532a7c1f3e783fee6f9def9461d9754d376fcdf0b763098fdee3559d694

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg

Filesize
9KB

MD5
62002c41a2e22b29bba83a42c5a43e9a

SHA1
4880fe75e8b34c0491bfe983d06ac0528e1286b4

SHA256
4024a1dc9135b987e186d7dc7096387ea113814b25e173500dae99b9fefd40e0

SHA512
02b171cb4c70c615532a4c30cb4b75ae0e886a3a1e5b2628bacd2df2fe0cff087e539e67175a729081ccd2a4ef3fbb97af7f89cb04430f3fbfb2763b0f3c8467

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

Filesize
3KB

MD5
f44b94e3d9735ccc933669acf2109079

SHA1
7f3aa30fa1b94b5c0da297e7e4ca707b03b893b4

SHA256
b8c4f89ebdda02a46cc253b8da3fb2e4c65bfd18b9413407063bd4a7487504a1

SHA512
1586759a8da35be651700426d311064525dd4661f44cded3799f04ee02eac2326cab93a5b879393b6d108ac7db106699a6429e0b6466c1b48ebb4bc1c2750775

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
4df54342317dd149b5e2891c33b891f8

SHA1
7b193c0ca7a97002c7429a236f9b2ec8a2256d95

SHA256
98ab84f432f46baef68f2018f7fac8173d5ccd61ba72158441812e0b6fbff780

SHA512
b61e12c7e03623aa1fb6cbdc9bfdf6d1c9a6418adc86b4b75e75ed8d763fc69337b853b8ce884708d9a6c3070486894fad912bb78943b0a2883d1d9ef893b70a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

Filesize
2KB

MD5
1a1681904131da715813e154bd9dc0d0

SHA1
246d9f35ff56e960dcc4e2f1a88a417294096e8e

SHA256
e19f6cc9430d180187ff4ec628cb31898fb052d181a0ae8d91c54fe5e1f41784

SHA512
ab63a926353277bb6ae2afbbf7d40c84391d0477db5ce33aec6fe24133a2c2ef8f9c544196162d9ecf9c086f2646c0114c69e54133ef7ae7c2457edae6b31f70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

Filesize
2KB

MD5
4ab799c9466d225e14736e7980bdd0fc

SHA1
41070e86a77538383fec1e5af1188b4a02021cdb

SHA256
b6d2bf408610234bc420090718b34209b5c419a1fde1a346dc25ab52627b6e76

SHA512
acde88168fce3e388274dfca5cd1e55fbec2b7ce9bdbda167209407df502927a3f2ad326dce91f0f3795a0103263e0993d98e5a60225ea37f1f6289a33aaa026

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

Filesize
3KB

MD5
ee5a1ab916d7db38c033043faf5db561

SHA1
ab96d037fbb7c1b255ef36a6b1b77247eb4986f2

SHA256
af366ee2c7098a2bcb456eafc60cddd9419148ae4185d1009de8662d3989838d

SHA512
5a9a11d7485629c76548a470f42ac0b4817359c5a3185623e24d8e84fc81241856b0190f1eaadd806fc52264acb445033acf02bcd21738c5b042f33438ac8184

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

Filesize
3KB

MD5
18cebbf8715af92e80c19b41f4096289

SHA1
8a685e7fe6096f75c95400041ad29aeb55e1c1ff

SHA256
9439b792c7c933cfdd17eeab5eb038e5c33ba428e69ee8d9bddbf9cd8b1e3cdd

SHA512
5401c793b63f04f783e50bc6b637cc6827bc09dbb923634ecf04bbc42e00bb3ffddf0553de7ebff4ca09add7a5bb8a48a1ac0ad853bb8ba18121e9f8f729de8e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

Filesize
3KB

MD5
65671ccd3c62923f59004ec7dab1f083

SHA1
68860ceb9194c5b8724d649bbf2b53c24e5391a7

SHA256
150d20b7ad79e59f8c71064d1d5376af65def48c6d5ce94531007acc2fa1d779

SHA512
0488fae73de283ca61bf5c20b0d190a3a074c936aeb603075b4b4f49263003bfafcc10d70c93674c59760768a4bbbb16a0df94e740aac56dee1545ad1266f28a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

Filesize
2KB

MD5
9ebee449040c5db8efbe22d42eb3add4

SHA1
12cde9291cc2e44ed14fc79532b2ed29abb54b8c

SHA256
24fa33c5cc201e0508407dbe909f18e1aa75f699748d0eb6581fc83b464c752a

SHA512
5fc1ee437c6850139a80d13bb3877addeecac750cdbbdc3684c01b30cc90ada585054aa5b68e3d8e273e76da5f0cc5126d96fc3e2d35f78c2b746d2c3806b591

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
bc6c29a1236781f8ec2d3ac8e9b53fe5

SHA1
79911727c0e9211aace7e865ddd99418d20b3489

SHA256
d6d9014f3fc36d46fee4e629d97622603bec32a5688cd49c52bc40e24420d358

SHA512
845bc97e6d8dcd35ae5a5b50f99f6b0c739a7a6649ac6bbffb89835aa9b1ac255892b5c3fad971356a88703192707db5fe30eaff58311d88409ecae94e42252f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
5b4e22598f6c9a805465cd4af8f5a943

SHA1
2d5a2d429e0dc92f1abdefb4d5b7b4307cbf1f81

SHA256
e52ad9cc3f56bfdf3b91c6d03ad9507cb30f4ec2d2563ee15f9b6948d294949f

SHA512
c0fedf0d47c1657fbb17618cd57f8104ac5288822c0b2b2bb7f52f2cb5b6018d3f637323339ad8f51436b542fb60f4ecaaf89f213f9a1b0c52b70e9061f985a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
77d250554eb1fc7b7c311060fa0244ba

SHA1
9da3804f188dcbe9aa2df0786f643f9f6f800e43

SHA256
b0151b6e14f94744ea81cbf52861fc410a6411d02f31cc89dbfdc9558f3a620d

SHA512
80fce4a45a12406cc529a564703b6be2d51b5b5ebc4ccbb6d39e8cedeba6eb01b55b0b996330d0d9a2b34cc8cf2c6d0e3406f98d33348e8b5cdbec6177ee8cca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
a5aad00246b0743270d8e7bf5f1351a6

SHA1
10415a7f587003c28dad1265d129d4e43df76219

SHA256
ca50530e01e79d85275fadaac935fec570dc6928cf3e907baa4824a0572b297c

SHA512
a2c99b0fd5e23f36047d5df2380733d063f182d020bb2d2032cc2a067df046d657c88d0d0ec215e9d254a0b45e3da8aab3da331c40400e07758162eb7fd6638e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

Filesize
5KB

MD5
331cb2c9f281e0cd98518c8182f59dca

SHA1
2a242a936ccae2d736bc86403d52a188dffe3baf

SHA256
1b360b72b091110e7d4a3cb9f4a25b462ce14dabdb534114fa771dd7093d4e3e

SHA512
4030dd552541bed04a555f5fdc0acb9d99a238284aa95e83f622c1c72919198448ba522d48e88ccfd59ac280dd8672c8315633caacc67a7d24620c008e700d30

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
a1359835fde56d7e61ab336b0ffe97e1

SHA1
8f45575b105b5624d6c021f55b353d7188cab624

SHA256
918fdfc26b6215c8a546ceab69d836d2bcf9ee483b0ccc35969a6eefdafe4cb9

SHA512
2956f8cdcfe5c4f2bcc32ccb6d155c65388d0af5b5770a28311a97eadac60713a1e953928ab057ae05e63a45b42bc8cde28fc4b09456b21caef5df541d3e6a5a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
ba04df4357630f57209ac3004eb2a549

SHA1
7d1cf55c8484bc7a423bd74b15a7f0b109655e00

SHA256
cdcbf91d2133bb90c6d794f681731b8c5921a9a9f2b37d88d76d5590737d1241

SHA512
32304dabd8212af6299e9abcf0ab9ad851a9eaf22898b92e9fcbdcc18ee6e7a4b80de02b6148ab7d415f25ac8b057807de4e50a7979f4339d8defc1925b3eb0e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
97c2c65c8d515a9af59e597f8031867b

SHA1
4df7ddad567c98a037218f62f702be76874ec527

SHA256
25551ae390daa8edd137cbf4fb87b5a40c0b874539a5808815456977df059eb9

SHA512
05eda6fbc5d42c416593184604d731521893174fa5fe627cd498e70fd81bbbe20aef9946824fca194d715f08612858bc42b8fa1bf7ae6c833459689673977387

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
0c8749235b2a273a86491ec86852a762

SHA1
5859016222ef5647d07f116f8809edc7156af827

SHA256
6345990afb3ad8215f8de2f76cf013cd6210a525d8c92b5387ca7ff01be8433b

SHA512
7b4542a7e78105d35e02efd75a4fc01a86fbb857c6f7d1021d80f01bdfed6230f158ec7711a5f0b3a06f6e178c374a0a001411e851194c937b759da2176f9b33

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
e03dd5161e7a69927fc0994cf6abd043

SHA1
badcb1b22e5ab66d092ac1bf8ee65c08e9d471b2

SHA256
cf8718c418c684f460149f05ef4583cd2bbc56ef8929bd2d69ae13da80a870dd

SHA512
95f7adbde3ec85623c70370620ea6efc91ca7912c401bf477e521900b581ffe37369d69efe1c265ed24e32408d12fe458d2c9c18799c6f8e5bd0cb7c10b894de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
8077a3c72ba2547cc322a3c95e0b1512

SHA1
8cfed38fee1d128b9f9ab2543ac61a165628c35f

SHA256
ff75f76ea9a9d4c42bac818b2ec4e9d71e97577e2c30ab5193f760e56603fd6e

SHA512
e61a8869ca1cf0cd77a6c1059b8882563d5476c69791d4cdda152a989d70c7c72b4bed0bcc58b71865abbd1a91e604875da13319160fc5222db4f3674943c742

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
9da08d0ffc2f52b40011b3bf880d9790

SHA1
589012cfdfeffa890276a7ee434f4fe23d3e11b1

SHA256
d26c2d6ee42e0bb0fcd59caa8b67c6345178e5e6fb8d67f5df759641de20330e

SHA512
6e37a320a1252acd32f5e2934eeab22a3838a58db1acd88c33a9bc2630932d347b265b5d11bea2ff1b798737fbacdae54969526f50fe0be736c2792bc48f58a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

Filesize
1KB

MD5
82f594ca11cb2b469e916fcc4650c089

SHA1
a5687f1e5ce61f2493dfd489e1c46008c549ed79

SHA256
e093c9e2fa6be9ad59bc0ecae5ad6c8be072bf30240aa2ff453492484bba4a9f

SHA512
d0c38e43fa9169fa67f145dfbc661fc355c15a4645510c48a4c70a9b2cc2f48117449988cc99eb673be16e4520ee718eeebde1133722b7c8146e43dd8b9e14eb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
2KB

MD5
97f7c879b3e1dee4c15c312c032c3063

SHA1
4e83cfa2e80b749603a62a654b1b589473f8cdbc

SHA256
e5e96b88025a38a7ddce566150ec26ff50f3fe989e3f624e422fc244fd90b682

SHA512
f714a23f58d4eb8b1829dcc5ded4b30924ee9a08e283be21b2f7a43527baa4b579fd350e28e4af4e82c4745d0a4ae7c2f4b29835b171cd0b6beb444d24274a33

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
1KB

MD5
d966e711e997350640462c6cf698ecd0

SHA1
7e594cfbdda0eb61653d7e3e7cc2fa14844c8cb0

SHA256
fd30660a0968bfd0b9b179cd0f72ab17af6aa728add50c938d71abf2d5b9658a

SHA512
d186f297c4f820d0f5994cdeb463c8dfdf214eeedeb189de4941a96d7ff2b13d2f144cf38502ef58f496b6d57ac7e24ab211dcb67a5ccbbae16177336a53ca43

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
e952086a5f98f32447a7a37d0c54a8c2

SHA1
73ca1b25b75c0bf419b54009bcd19a6814b67cdd

SHA256
7e8acc0e8219f2f110f7c7110e1be8297eec07ba74faa5a5efb9700418921151

SHA512
18bda3c4bf1d5f37a20681b326440be1ca275f1b1b708d72e825eab2026ac229a7c62dfefec40e79d70281c06f170fcc13221e8e3661666dbb29a3dfd1af4ace

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

Filesize
1KB

MD5
9eaaa9ccb51da59e50d78e6cf5469a80

SHA1
571ae6c66d37a91dcea6f4fe9c39fb5108002d51

SHA256
2ad825283fd877dafbc82e22dcc1c1e0dc9cc4312a483808b632976ce0ae7ba3

SHA512
18f3f8ca935ff14dd151aa4b5d196f8dfe10162b10385c83d528f1aaa5b9e385bad8087cb1fdbf97cbe482c3ec289aeef56bd32c3e216d9c8fcd2d543369fad1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
2KB

MD5
cdc3e1922a8f934a2d9e3fea078ca1d4

SHA1
ead9987aeba0f08a39ceac9fa1c1ccacf2f61d07

SHA256
86b9b38715b749f42223b352082d1c7dc50986acb141cf59aaf42828355130de

SHA512
e7f3f7393e1df73f72808c2143fd4e6079b50b9b3783538f5ba40c12fe8965a49d36cb5f399d68a667490c8ce7c37d518d5156125ce54d12705b23b6628fb5cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
1KB

MD5
9085644145f41caec6eee5962e2c0b19

SHA1
3456a4f87d6daaf37a6d30ee7f2142a6cde3d466

SHA256
9df75605c9b8ce927be4493502369106ec95257186c379fbaf3e2a1a4851cc9d

SHA512
dbadbd415301a4431d5a1fe8ed2cb5779d681263fddcc392e0f8b067b657891c4b8ef61957fc598dde9ab89fb2f441b298bbc655882fbf73565965e2517f5b5a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
e0c14ca086771d58f559527512d5fda0

SHA1
0a3bbd073884e63dff218d3cab673bb753c66770

SHA256
faeab6b066ade96ab4fef7efe5f6935fc8cff36623324019090367be2570c280

SHA512
673b6d1b8bee104d4558339aa4e0a50fe34e1acf331c237c19159c698e0f318bf1787c12d695a458c41ef15ee43bc6cb4ee9016064776e5b5a11de5db9058204

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
818876b977c8a7cadf7e564952afa2f9

SHA1
aefc6ec40c649ef3477e6b5323d6fc7178eb346a

SHA256
700873bc5ab34064def256a7143a2eef20aca987ace58d5b534c8612baadac59

SHA512
672dbe4605cbf0bed6b64a18b3bb1c94f60ca4c7bf61c69f727d2ae3e1226d0bcdb7c19fb34ea5e3634a4ab335261b8c2ea4ad46b5b586302d316e949030bf53

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
60dffb03faab40b9a43c2cdb771f14d0

SHA1
3895648e62f11172407fa5c6b1d84dd2ab2d93ad

SHA256
1ad93b32ad2cc09d4cb09384bbfc344fe63194750df17243a926752c84733f31

SHA512
5d7f20c5d9999b6b9f95c8dfc49644c91e5c352310a6f9447945d67f4288b2e8b5a7535614c60d835228f60f6f06cc10910e304b5adc42fabf02befeec51ef7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
5bf92099bb0e887ced024fc825d3c6dd

SHA1
41c1fd6258e6e9eb77e44e5cd63b1edd5c7bee7f

SHA256
71d0177ce50b27ae151e95e47af0569403f94c6f6fb779b7a5285e6c1fac5119

SHA512
b98b838223441504ca5cb0a052b98b8a7f3531ad4877b7ba010fe488c0b6091635bce7214397adc0e8303d0bdaade35b473aafca6fe47f5b45def384208e19d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
6f4868c0ff6fda34ddf6d5c842e83e03

SHA1
1ea5476f279c033866edb15332b28a2de5175185

SHA256
9a9cac288393405fa2b62b21720bfeb97d4bd569b858d0ecc796cff4b9a8f7b5

SHA512
7ea7d3226f290df7485088cea8c1aa491024c120db3309f23098c28054c4cd109fbc68db2f9cefebb60a260c6dfc7bbc76bda6263f0f761d189f0ede3128c2c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
cb8997f6f6ceaab2cf780ba8914cc0d8

SHA1
90d96d2640692964c4840d1f9bfc6d494782ad3d

SHA256
3ca27f1a20f381db5ff07c472e2b8e7f3f96071ce92f318763ed726e7b338a27

SHA512
64f1c437c8fa4307c2c819305de800536d4c880fc67ead68fc20d2062d308fe0bc709b03bf6901b9a2a7edafb449ea7c991019a2691ccbbf67b18f7f803e26a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
7624dc0bc6d3d9f9355d959a916a9332

SHA1
00b7ff7fd9c42486a546f51f4d160695fb618192

SHA256
45900f28fce6f33cd03f1655209348c55569e3e0935eccc9a0106f2f27b9e5f4

SHA512
c9c722bf7d78ab7ec663eb1add635102b92845398f3fc3478dd3b7fc90dc33d2d9bc0618e9177183c89a20cbef695f0a40e8969d57a8de02f15268dec81edad1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
22eb6e8841cb4c895ac10f129183dc23

SHA1
890d025f2c904684cc8cbbddaeb68e918e905e13

SHA256
c1867e55262e4f297ab4acf760b3af2327dd79e26ed5b2dc49c2070164a99776

SHA512
d743d5a9332844ef810f0b6841d8f6026aacccddff55ca218d65a2dc8490c6d0227939fb8b995a16cb99e11d4ec637c33f31685a09428262248dac760df62e08

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png

Filesize
1KB

MD5
992d66090b6047798092a79a0141b89c

SHA1
8fff4eea066b982b74ff9a5c606a9b97f13bde0d

SHA256
5b6cf073fe2fdadc9d1ced02e5b14b93b101ed067ae7a22fe66cbc2d35fa8022

SHA512
86de71ed71eec4b16df177b1f1ed3ae2778e22e7254ee22b0e7b7f4a69b9819d49c1336173380b3111cf3acb03d081ac410f7a4be2162450d31b8592cc8cfef9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png

Filesize
2KB

MD5
b1c00d28006cbc1c86366eab430374d2

SHA1
4e7ef3c7775db570169ae8c84cfe77f28519a865

SHA256
86effd6616762cfb2b60961e89c06684bfeb3fb1fae207c6725d07cd8be77a4d

SHA512
7ec529dd52b3b4d2a416d45cfc917c65f09c104a8aa0e819c3621d705128a0c3fc450b47614955d6714551502ae265f1e76f9246c6307856041073e97a2678ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png

Filesize
1KB

MD5
630dd730f890a20406f572c7553aeb07

SHA1
7c1fcaa4b0d26e8520b7ffd9bfbf956031fb4aea

SHA256
fa475ea53ffd671d21f54be7744ab3b0176ac3e750c44658ba8e9cbcf06e3757

SHA512
60ff0e53bfc623a671a6f3600f60aa6c9e1e4d52984315fb162cdb99444441e80666b000ba68bcf2731d324e2161bfb0b88482579fa28a08287451010b4c003b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
b9d1f64ebabea9ed1d7b8406f368e882

SHA1
387a3e4e308f274b8e36aa71f2c5f375facb3cf7

SHA256
54e83600582c0a02250dd0684d9b01cce22438912ec7e674e6121f5b4e5a6d04

SHA512
a286188bb5be936838f89b92a29fdf64c8759ae8ec30be0cc251a8e6ff06ccc1a4ecf0124e54297555e26e265da3d7c87a9a1e1735fdb3d8fb27774767d12218

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png

Filesize
1KB

MD5
d5ef46ceac9f0daafbd633d97a722f18

SHA1
86d6af1bbd8e2703af3202f9dae97627ecbff20c

SHA256
02b33693d2d6f95294e88fae37e65bd9d22cf5ca13c1795cc0723cc9dfaa2c6b

SHA512
71d0eb510d2b2329b08e115e1d416a752efd7306e2243345bae1a318862e90a321adf1d9d538ddc53e5c5c24ff09cfbf4e1d91161e52534ff15383939d905753

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
2KB

MD5
41a1f498d7409367a41d19b7b32089f0

SHA1
e6227898559ea056ab5bf9aeb9c38b39bdf25c41

SHA256
cf501c6f024b92c06b6fd53f04d74620f1c392cf5726d59506958d4174f90d8f

SHA512
1b12556e78ae490f47e913a70ae481c7592bb33f74cbaa2372dd9619d2e5e1bacf07bfffc9105d57890f966af05ab444231e7f7c55f9c09a1e8fb2f6d636e276

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
1KB

MD5
81c1b51a1884e574c08e4a66695491de

SHA1
cf6cc707c4ef8adad3152025861061427131a961

SHA256
23ca118d33a3951253dd974b2f22158c85d7d0147c2e9b6f09b75a93e08c7402

SHA512
545db9c647018fd34e4aa1c3a0fef332be49c48aca74bfdbbebac27c8746fbe86a5dc384aabbea84ae2c795304571125f3eca076bee4b7273a3571d62f229a32

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
e5ec8093e20348ca9ff4e5d5993c6692

SHA1
14842ba0094fc8a431a7880f3e70318973cbb641

SHA256
282ff915cec038e5007dabd0280f30b0b9bb4995661481e15264f38ab8277919

SHA512
686489925e27b0f0a6956b0a5e3d1f34455fc9cce26d360dbfd05fb010692a34e1174c4a2cc8afc8254922e375fdd15216194b53f83cd47667e684636c67723f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
06347c275049419b90bbd1d7ea3acd21

SHA1
63b0b03266061fa2f6a3493f186b821bf36790d8

SHA256
14d12a8d3e4467d2487a26233498c87aadc3d5ecfac3403a6b77c57ebff1cb6e

SHA512
8563417c4e857db7d3cfa260e1557cb8b8bb28cd4039c47a3dfa647294fd1bf40e2d9e052bec2f3a5b7d4fc1b05f4f1b52721db933d8fb53840d383b0bc54318

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
a078cfda26d526ad3fbf6fdd731bcc2c

SHA1
535ff125edd3046968cfc09f5369825f3d27082c

SHA256
ad415ced4853dd78d96e7360515866e08cd3ab57b4fcc1225d316ccac3b6851b

SHA512
2581a5df4efbb3e892f3674c6cf814796d3cd0e09e09cba2b09d2fb2a6a9e82a348f4b98fc27a7024298d81789a1882d39237ffafb89fe88e0bcb294c2240c2d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
a7ccb1edfaa794cafebb1d895a81a9e2

SHA1
b2813a0fac682c7e8b0af21a0f8acce94e48ac02

SHA256
d2d27cafbcd4329d9c31b43c53145e2a91687b4f8d1ee9ff673d46a4bd970091

SHA512
febcd33d228c6eb4e799a4db97e9219e00de32f76807d96ec31bc6bbf1f267682545a70eb5fc4132287269f6dce42e83f6bf486e72b455e4bafcfe64f517c182

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
e277bad727cd25369c618afcfbb89197

SHA1
514b5f2f8e36a802b8ffd2dba680b0ae73bd82ba

SHA256
df49e288d1d42573aac40b9604c92b5875d5e3dadd20aa666c4795eb47206e02

SHA512
67eef955c0d1dcee7da2bfb68cc33950c1b2ff76e47b60a7a6d521105dd4126fd989a4eee6ffd1a73c0e582d1d3d75939dcc01bbb02d62400535b85bbd5bddb3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
bbcc30faa7ace7a124f7b210a8213b8c

SHA1
bff54c77e0d9cefd92b7bceda05aebf6329d49b4

SHA256
aa8abac1455629906feab2ffdb5641690c86de1e9230638015289ea5f1f3de31

SHA512
26086c7200ab98919a11bacc7f70f7acb305d50e8a1085b5f7add0b56a2c19e089f6a4edc832d8485d699bcdb4f90646de3017a03f29654bf54c6b6febfbdb44

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
487e47d98c7a12148199ec0f98129e1a

SHA1
e08ff4a2bd5a32789de6222aceb6cd3bd3838a0d

SHA256
1e52807a771405de52392727cd43ea4226d17fdbe154e50bdabf780bf701e77f

SHA512
5f88cf02317b432ad44fade5dd0c11aa6c68552b633538f094cc2c16d9ebea33b04ce6f92d3a60e7df3d4fa7ed8b0aaf8d62a03e3e5607db095fe5b12ab83105

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
c6f216c1e4dc003af3f47332d7452b46

SHA1
69612dd261e3379572fd3542902ff53f687b36e6

SHA256
831642b84b8d384d14652e51e8aaabde61a44442b2cb211e96407cce9728c841

SHA512
ba2cc640ca7299b99ba2765bb19e2d0f8fc0062263f82dce878f4eae78be41e194f0ef636f03d4d2b3ce0cddb9746bc0263c3a8f11a8566fd1c9c6532b1c7fa3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

Filesize
2KB

MD5
fb010a1b2061006e011f866b784889ad

SHA1
955e2b626f764e244edf3994f6425fbc4a9b3063

SHA256
9eb7300a93fe2cbe71ac0db5564285b7b6c457cf6f815e913a14c2e114582ab5

SHA512
89598ce67142afde1e7683c0ca9342715054c1230760b4b36172dedd401c03c5987befe2195147b32c9e36048a43084ab32aba71de78f5ac959fd8c34a0faf4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
22c552bd42ee5885158559c2629c6b46

SHA1
06510e10fe4fd619bfc3b3021058fc6db0cc3923

SHA256
3f80d58ade2f146bda92d2669edd54b68d418b4208271940347e49487a75eae3

SHA512
a735d04f028e73604808b85b1e76bc3839137da68664d381e8cc9cadedc67b2a6ddbcb980a3a942d6ee144140d3dd104e11c35ef28f40360e7576316bc82f45d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
339309d18e7cba762c280f39633cb1e7

SHA1
2d0b524835496a12153864990e3c37f061aa974d

SHA256
cef1753175f87d795d5c1073f6211d559eb14ffd5aed7db7c940fb28d4f57d79

SHA512
7cee1bedf481c28db25941f32ccb2442dfb32546f01ae30265771ffc5188cd3cfa3faf655b441a736bfbf81e913f55e7f0d98a1619ae9ec03d53bb084abda11b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
b07f7adec0b92ddb8be3e95b73956aef

SHA1
c588ce4d4781fbf38c883c87bfbbd570d9c71c92

SHA256
335f19148da6aa4419bd4dc9751f9a27c236d04d459dc44efc7ca5f8d1979559

SHA512
62adc90fd8fc7cd02205a1242b0d21cd63f11ef0f95265199dfc668f3789e79458a0ed39d424cd3514211348d47fa17f021c0df22b8cf307ae6ed874b72d299a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
6998f6d2542405c2cbcf2cbd89401d2f

SHA1
b15f27f96967cb005f0f5a143832ccc3d507e2c7

SHA256
9be2ee493467032cad99f625475ae9b2f72a1da1155e46c873942e6ae3de4001

SHA512
ccd343b368cd3167c19ebac6a0822bb58fb1e1bb2c30c9263a129de86b740af77c462e93b5b53c1e1ad96d27133e0c66c05af9e0d1706f3af984f277813dd4f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
9761ab7b4230b56cd0a484368e36a180

SHA1
314fa8baa0229caf7faa892cefff04061b63dce1

SHA256
b09ff065f6eb0d5dbd3132244e3df5d03c93f205b2d4d5df698dab03193571a5

SHA512
42688400606df39da93e86e816467b2fa66e0817ee17a76cdd4fc8b50369da9e1940cde9868bef6427feb4cebb44cd039a39561d4c5adfebbdd13a8654c44e4f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
33d10def9492ee7ee54115eed3d3d1e6

SHA1
2ca7f6bfadfaa9c632a3b21de2c0d635a8429d29

SHA256
22f0bde60a7e442aa25e074a6535571f8bf89b5e1053fbd394a059837946e8a5

SHA512
4f4800c26b3e3232f212253e095db2ebb5ed65f9f918c5441aa7b3b3d3c3a5d2ea29193f56c71c8d44bc7a39ffb6832eefe99847231a6295afc5e9fd336c7f91

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
64bced4fc6a69b8ec84fba0f34c94dda

SHA1
b8e3442dc34b28d1fa42ad3eb2be363540e4785c

SHA256
6dcbd1801ed07e9c697e04ced6c538e0844a454a87008f6753e9bf264b1167c8

SHA512
60c2ce034d696bfd70148d9bcaf71283482a8ce8ec7b562b2bc0ffba4e5d761b0d72d6b635b9fb87fb46ac6c59154422582040fc1d48c36f37832ea65c83f222

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
096ae9ca736f19c7ac8e6312e82b7873

SHA1
3d8709c02a12cd7644925fcd6cf2077f814fb31d

SHA256
b41f6b4f3efc0977553e1321b232e99ba459e77720773b0aa4febe7ab621551d

SHA512
0cae0342ba50eab0216db47a11b39cf7554bd5c6db4a2569ad4f85757d8657b8ba43230f0b674fb158fa2313b7ad019a9262a01fbe13f6a4b9180bfefc67fea3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
9e3262a06b8e6102b4ff191042473033

SHA1
1b596cdb4e2a6e2473f9289c8210757ec8da1ff6

SHA256
a0851e651c3f141bccc3d0ce7f0f523eda5f5cbbe4ff59486892f7a4bb181612

SHA512
e81bfd861917440372dacd98011e1a527561a2bf286cda5ce635d66ea8eeca4c33d95c9fe4f842e5e79a0ad4a75b42ace9d5f99327c8d72ac655a92926879077

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
10c4180f9c675d7a168d17e77aef8a0a

SHA1
00b1f617571bf7d5759a61118574aef5c2f23714

SHA256
7dbdeb83716f95451186491c24983b2b04e766df6b6b899bd79e6598f2439eec

SHA512
3ab7453991cbc728ac11bad4fa251b48997c825f51fb827e784b500b3e87aeb7113a20e0b88be73ff28dbe98ef5589c53ba386e20c4b1cf4684eb68ca36dfd1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
12177d76b721cefe0fe8c1ec6cdb244b

SHA1
6c9be4c20c1b61bf44242aaac268c5d3f0eeac09

SHA256
27c6f5444aeddc907bd2cc99c57cd8309e41454efbf9ad8b624c3d49bcdc8989

SHA512
11cbae9deef5dd7fe5b779472dc9842f15a4379b96cf044b01c430b09f1f9d7bd114311fc99187505969f0ceb0437c558a31f4048781d1cdd1feb964988a2c37

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
8b330473aafeb03ac84c607ce5b953e9

SHA1
242f9a6c59a3fab287afeff3267439a7c9b54a67

SHA256
5fae4e88a69ff132ab7bd702e0acf2fd48f12a29512ca3d7bff4470ec6dbabd8

SHA512
439a55e592dacd3c60bbbbed1453a785d401b05e577d19843574deb7061f5279d177f655bba0ef2efc261f60cf07ad2ce51de488253a4df22e33a9f28eebfa2c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
07197ad288bf1e828c90eaff0baeb08b

SHA1
f5156dc67341844886f6c48c5258d4755ce854f5

SHA256
9c265004a5120697a416a06d6f760fa08cfb75fe1a746935e4688d3ff2ab10f9

SHA512
f1cb1f43dd60c66c08295d77325c2bd71c00e9c8f99efd7f9dc1bf325ea80548dc3ed9a8d94f01cd39ad9d7cec78a13d036cef9a1117ef3ba706611ba5df47a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

Filesize
15KB

MD5
db141df7f075fee611d2cb7b96937c17

SHA1
58819fb51898e5aff178ea5c4fa3cc981c47faed

SHA256
80f07ed0b830afc92c93d47c49a57dbf7cb5b1998d8acd435d05526358997d78

SHA512
30a61166491de550b1e3ae2026df7271f3318a3a19ce70366b1c3a04cf57f677a0b83370e56eb2a1e9a4e477311977473df7b012979e8e0ca2cf6b9f468c1440

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
f867f2132122456136bdaaf2effd5a37

SHA1
d041b29e648e5d662b14aead679dd55cf5b13e25

SHA256
dfa097335a2ef6058d82e264fc3d89087856375c476df0b0db2e6a2beb6b5773

SHA512
4fe8198a5712e8c52dec0c1538c126a1e05cf9560b14ba3bdbb5af01a87c7032e0453dca0bc4eb4fdc838ad3c8f8508f0547a16a906636b3b1dc705e785bdb46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
4KB

MD5
93eb84e2cb99be91cdccbd2836836739

SHA1
3c9c2181320a374a5f261200124bdfe17e74c4e4

SHA256
a9d6bba07098cf107b7b0b931e5a50559c0b45d52f33c868527b0370fda58bfb

SHA512
7268127d29971aa9f00336207ae4f5fccca0a55de15a5bc656901739b69f64595993c2d8071cbc4401e5a7e12d9dcc8ced8d897d07bfc1780ece3b5abd9e5e0b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
3KB

MD5
78246afaebcd5d3c823832ae62587aa6

SHA1
bd980ad7db02a4b09c184bd7192ea12e82448c8a

SHA256
eb634fe5ae4c043d8d37d01f84e16b8993d8b4997d6fb9b7663f0b51e64470ff

SHA512
1f04de44aaad6b512d62cf8e605edf6050263b0e06517d9abc97079928c1fb0c70ca286d456e79e3e8c2a66fa775d60cad2fffe7a38542821f89473df85b29b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
6KB

MD5
039ed4f848d82a20045862744549437f

SHA1
94b0a4302ad9f504d2d2d56e3759f945ddf19565

SHA256
22bf9d66dced1163b28755d721403e6531ec4849346e26b3e711b71d3344d38b

SHA512
b139c97d792135d0fbff4e80231750343b6089d49c22006ad0ce56f334de6915ae9f86cf3dcaed24eeb318a550816f71aaca22ec75984ab3420b8f2a3678f544

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

Filesize
1KB

MD5
97aff13d0c4f2e9aa1570534e7699e28

SHA1
aa5bfbbf0bf36e9ed3258b96c7d945317df406ac

SHA256
ba9e9af73aae648df1e84bc73f2871ff69b50a7c773d3ff03b559ab12b5f2132

SHA512
ec6b2fd41c9073669b4b617b52073c2c6f196771a9bc7acc5453de100c363f81f2b624259d977c4a22669941af3019e3fe4920466519342b3b77356154db0288

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
1KB

MD5
1b01b20c47d8f070fa2f2744fba58c4c

SHA1
8bef5453b8a09832e23aa1528cdfdd487e3977ab

SHA256
67a88e92b3db71b80100f7c66d1f38ffbb4016740dc72fc6f12cab9013eeb4f2

SHA512
2d6791efcb1da27cc9d110f5d472f940b19de53ef92b61741ee5e5f675a6f4a1aef0dff7be7ebd6d71d006e8ddc14fbe4a6908dd098adbf42ef2f9605c9edbcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
2KB

MD5
585e708b8c31a5267b524096e79b6240

SHA1
66f7c33e91d893a1627a1debd8b77c322fa8e1ec

SHA256
389d5c3a06eac2cfa9c78d77e0df154ecbd7e10d16c008b20f6772a29769f1e9

SHA512
60ce697823c598bb6b7be3d1c8452f9f5e2b2db00916b9a7e9235eadbf004e3703d41b8abd33eb24268713b61ea0906c0d0c6c02db4d952e21961da5accc4a92

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
2KB

MD5
744f68c7c4d19e46b95d49f4dbc9ac20

SHA1
b6690c407cec330f058b05b36c4519e92272de54

SHA256
b23888d4d207348cae27d2183c6440819f00a2f726cfdb8e1bddafea400ef568

SHA512
0b9fc9abfb6de6db1833ad0e2bd37fb4cb7c56eb5f7d95417cc8ba25b827b49c3cb1250a5839065737fcb375118d3d98add95ddaf3e7c41f8448b3f794cd7039

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
4KB

MD5
a863448670c6184b7f0e5704c7e6b3a9

SHA1
d310b9fa32a3e2621974c88a9fa9430570108666

SHA256
4dbfe93df2ca9f904b4c1227dfaa2bc1cce61cef0c5f2131d6ac623d828f6f19

SHA512
211ef79e12c25bcbabb78a40b19e88405fba234eb0c6931fbe9e915cb0cb48390ad1c0254d39437ca3e090f1d078a516166c3ddbe4b2f2dc00b133f31d86db36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
3b9415ec9c943e3c3a60199f85b0d145

SHA1
8997e75ba9129b5a9a3f8f4d3e83db436414a6f4

SHA256
4867ffd9016f2da2559a2205172e828ef8b64aff08083cf8aee5f89d0104fbc5

SHA512
746187df7750e628c368f39e2564303fec5b8b7a843d8287e0f27ba71952642f902b3eeaefcbd7ac7ecbacf0a3f02af5dff96116218dcd832f779925e7eb261e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
ded0b3f190378ca71bff8e13eb2bc1b5

SHA1
301e0534d2d5a1de22da4bd51a0654f4a725ebdf

SHA256
210e77c58a87845008457a4b9767d56412f6fb99780cc53989680989b830987c

SHA512
042c87cd77567aabc9639957a03f4414b17d56c6039d043512b0c7807206a1b71becb1912bacffe87c9b0dd87fab18a15af5799fc464f7e43852ec95794c9dc6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
445694c86b014fa9ebefd5e8c3e1525c

SHA1
e355835fa8946a48f846deb5d425b2f6c172ab80

SHA256
62b18aede74b38d8b670cc5c8ba3c1fa14812769a83c7b9da7fb004ebd6ef213

SHA512
0cf6290008ac2f546e0cf6833ad9609328f7c54cc26cc5b428317b669323d6de3150021a7a45be25e3203c318fc82bf1add41d0f3cd0809361488fc940299b57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
15823e9e6b58b59bc7da74c4da7d9459

SHA1
c37792ae36c1560ade3bdbaa9fb594c76a19e460

SHA256
7f5c1b9804ddb07a8543788691013d035641cf8ec6ff6957d15943a90ebd57a0

SHA512
5a3b7416b0cf889ece3ec20150cd08c6ff7f3a9b56260cdef4e3d53888443a40abdbf5ee8a6d5955ee0b24bb12e5c63e48a0cdc0ec50a43cc69e27e37c4f8fad

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt

Filesize
34KB

MD5
16a976a25d315c2d35fb311dcb9e6370

SHA1
d8239ac95b3c4c09cdc1fdabdf4eaf5c4174e94f

SHA256
f98c0e911e559397989f47740d006dba3133e1620a2cb695f100c3566cefe81b

SHA512
88db668d00facebfcc341f9b19ec40a1cf02efba39ee2e719973b6a7b9e4a91929729636a3c6cfdc029b814a3c5b2d10da02a51ec73ebf4d12e4c85435ca34aa

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20231020172714.pma

Filesize
1KB

MD5
b04d11125dc0138b0797aec581a777ec

SHA1
9787ceeea3553ddabd375eed21cfdb25d67d169c

SHA256
bc8a223b5865c00fa1baa9d0d95d71312c106482a7b34fd8a5a5207856a43fe4

SHA512
44d21746ddf9cd4545b1b73769bb69e942271c651c3ab0dcb731ae712f76700a195b015102ebaebd66351eb47d4dbdcc1d5c2e5f2e00feb6b65db4c25d78e01e

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
e326b7b3bbbd3071d3bc912695d705cb

SHA1
5a632e635a884c6d5e75d73494a7acd38777d56e

SHA256
6df36c9b329b41a5a7cdd5293e1242db12420eb1db818f3a20dbc92a3c00d55e

SHA512
ec66b0a8afaf7aa593e1f232a54a0ba4bea38720295b918f3c0fa300485197ea5573e794ce3559e4b8d18930e660cc7bc92472c2cf09cc7e7ad4ae7ce65b3ff6

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
eb464d2dacb7f21c395573260b71c6f4

SHA1
b823f86d031fa7d8ab682ce065ea27271aed3d84

SHA256
1b695dfcadb15f277662dfdd8ec8bcf1041e531644ab47152ca79e992487a7e5

SHA512
5211caaa8b857a61a95ef79033d0100749706f624eb48fc74f446bfae9086f5c790b5810fe6b7d7471b5c0d20110c669b78b82f024b68de43690775097868adf

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
031632237697081abec80894099f539f

SHA1
7316905790fb5c6fde710bdfc565f740226e6477

SHA256
bea064cde1209e7249e46ca6ddf5aae92021de0c04ae8d2019a04f0348fbd451

SHA512
332d84d60584ccaa9a19b35f25569d8bd791d5390ff29f817879cf5fcf8ec592d7e26cf000db130729840021301ffad705e84b5665c5ba4a31f603a4c0241aef

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
6ad7bef74ea67ec015ff2882f8c21509

SHA1
6d02ac31e4ca1948dfd701d4fbb0729574f2a799

SHA256
78686fa16830443118ae77cc7c6397b5a8b715ca40106235f9e38e4b1cf83bab

SHA512
454ed9e34b0d4ae315ca92e870dbffcef4bc2e0eb9fa83a65910f47cbf5095ebcab7ca8d07d740c31e6751fb46cfc7bb7359b31354a18b6ad5c50cf1b7d4e7c8

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
e73336ac3c8053c2a178c9318f70b15c

SHA1
31a3fef3d04b737422613644e1f2f2d1d703749f

SHA256
56ed51b5618108393fad5616a2e63487247304b2ccb4850b914b68844dd5b63c

SHA512
e0f494bb7644411de632bade002b7323eca6b39db7e3bfec1e49ad703e0a0b7784f9eef9ccf2c4a1d885c965c278a4375ce459777b4a4fb7eb74cfdfa76c1da1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
9c79fded26af6f0d42ca72a718fd7f67

SHA1
cdab879c6cfe9751bd76b9a8bf11e7dc1a634f56

SHA256
d7074154fb58f5c9c6bde16df9addc19f667ef086d649b999bbea9df821eaa7b

SHA512
bd5f8a6bf9619f2c5d98260cd0ed07cc2fbe9590eb27a59dffb890924098d6ae19744f815fe4031f2db7d02174eb066b1fbc65b8aa6d2a8b7a3238a66ac9c40d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.infected

Filesize
246KB

MD5
6b8e650b9f281639300782a8a0d0b50f

SHA1
5d93a32a5856be0974238f70970cb852ef521416

SHA256
edada94cd720065d279e0bbd6f9c6f413af607394408b1d1beee89882e2c59e8

SHA512
2dd5e732e446b2962ff63be84f2e552800e5a83f8ccbc5ce16db310e4a7cd534a86fa9d7faed5ffa9e7e341ba6c48a0fa23e93f339d10e6a1b166082e4eb856e

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub

Filesize
1KB

MD5
c92dc199f38cea863f05f68123961348

SHA1
828e9defd2ccebf15e771086003d5d4af3bd1f26

SHA256
d0887529480edc65b2c7ae141305e8067133e17e3d3458f124fc39167cbd4e28

SHA512
3530c946ba09e89f7cb72f1fdfdb4cd78b50bce99bacbe20c49aac7ebe2cf3d96b5ced3717ec67f0e782660bc6c2d12669a8da7f735425a39287b63607ed7f33

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
facf91aeebf1f870e3878fbcf5f806b0

SHA1
f0787d2aa88242544e62e9417720a067efcacdb3

SHA256
b0635d9eaabbfeb280a42117d6b02e9ea649698a41ff6a974b9287cea2c14700

SHA512
0febb7f09ccc3cc36ffdeec20ab5eea115e101abc845fa9b83e294e40c936fe138d90c3eb208dbe56de73f52fbc516ea3244c9f7f4b3b3fabe44e6c8cd533ab4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
340fd2aa9af209fb22557d1cb2ac27cd

SHA1
54528474e62374ecad23114f4337e1a66d2dcc3d

SHA256
8d3cd5e5860c7b9a286d2ce2dffcd72818f23618dfd2bc049058b969ae2a6b40

SHA512
78e21817620ba2b42c78af428b55115d2e72a3e9948affebf17a4511bee83ca5a4bc1ad71dac71525cbccece4ab0335fa629358a7df7f8139ca230c85c05de7d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
05314115c3e88d4c751171378fa09d9c

SHA1
bfe84ece7bccde020bd3e79b0584e1a555456d2e

SHA256
3fe063ac455ab1874874312ba53c60db38e265eaec4e28c669f7f7ba161a7164

SHA512
c3b7de9b8befbbf5d23780115afa5903e1a4350818dfb83cf332d5b610605f9225a8b154de84a7f9fad02bf72729474cbb2a2574dbbc56ae4be88dc715f66dd2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
43f36a9076b6433c6b96536f1d1254e4

SHA1
07b7c178a828bb384ae35a9476d6d966b3756d3b

SHA256
12dba776bd52258f9d951c00a98ff41db3242059f97a2c01220b453029189cf7

SHA512
b2f5d0ad9a5e021b2f54df95e02410eaa49fd7a36c5a69c01cea23df3138b3982872cb33a6eaa93997e54fde24ec916f655dd0063818a3c70a7af06d2eea708a

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
066175c8a61311928fc63f99a93bc5e0

SHA1
4460953022b88c6af81fdb87aac8a8c202012a28

SHA256
2ea9f6f5aeb7fa187c4ace2d03393573e1351c63d80fde7bfaa30cbb8e7ab18f

SHA512
f5e91d88b9a181b0c14a8f0200164b5c429fc585aaa82fe111e90659bba06f682f39c320b81acb1d9a46b05c6d305dcbd642589974e34a4534603a6be8285452

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.infected

Filesize
624KB

MD5
56644ac1558d2117d71251aac3049d84

SHA1
a6c9789e2643941e711e4b90c20593ac0f950ff5

SHA256
cb0780ec58a5b9b12a62c9230d4bb3e661bca86e9e473a8ef9a4eac06e48a092

SHA512
f448b51353924f9574e8a687d5d2588aff7133ed668cc5c40307d119bed68b31849baf80647e0f14db5315bbdbe277133d8517e6ab6405538cd3f551398df5b4

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
8d2e90c0df85ca10ea9de134ce777ae7

SHA1
5ad144954014ceb8b8dca5cf7a9623ed0255c237

SHA256
d0d142de98b8b4f585e9b4a15995ea0b10bd920a13b48a0f25f8c6f98a971356

SHA512
e0d5fa5ba59eb591c605fa0c01c25dd4bcfd81aadfa9c2e1f1291742261b364322a5f5fff61b1021e20d1f285dd54e27c03edf8429ae9aa37211dabefd610640

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\000003.log

Filesize
1KB

MD5
42cdd1012c22939d6df988395d318860

SHA1
d3a5e30e99f5cb28c92fd2be3a36481bb395a26d

SHA256
b2fdae72aec906d017bf5fee3badf1f6525e53689b03549b40a8cc651e22eb98

SHA512
5e991789ecdde00812737cf2d7c9a3bd7a78a286eab07e9e9976ef50ef5348593f01bafc6a53ceb372f987e5e72715d5334893f2a74793ce228599cab3f55f0a

Download Submit
C:\odt\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
a8514fd9f3a52ab2a00f57494d03b2fe

SHA1
0e204aabbd8b5d6ee1b36d10429d65eb436afd14

SHA256
056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

SHA512
6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

Download Submit