phobos | b609555a43a2e1151f9ee7b028d0141034bfce25487ef2ec826d2af714e15ee5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca960a5f89e3d82dc4dec752e912fdc3.exe
Size

56KB
MD5

ca960a5f89e3d82dc4dec752e912fdc3
SHA1

04b7b4939788b1055c0909eee3bc0e96cf483127
SHA256

b609555a43a2e1151f9ee7b028d0141034bfce25487ef2ec826d2af714e15ee5
SHA512

9615aa809568cadc119f415cf159ccbf835fbd62241293cdef9288a42c6c57c2a416d0b68f21e160432a01895eaf406025b3bd9bb0c9ae7e93ab934008a34689
SSDEEP

768:EvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwDXEkMd:ONeRBl5PT/rx1mzwRMSTdLpJwDzM

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1748 bcdedit.exe
3848 bcdedit.exe
Renames multiple (360) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4880 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

3376 netsh.exe
4528 netsh.exe

pid	process
1748	bcdedit.exe
3848	bcdedit.exe

pid	process
4880	wbadmin.exe

pid	process
3376	netsh.exe
4528	netsh.exe

Drops startup file 1 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ca960a5f89e3d82dc4dec752e912fdc3.exe	ca960a5f89e3d82dc4dec752e912fdc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ca960a5f89e3d82dc4dec752e912fdc3 = "C:\\Users\\Admin\\AppData\\Local\\ca960a5f89e3d82dc4dec752e912fdc3.exe"	ca960a5f89e3d82dc4dec752e912fdc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ca960a5f89e3d82dc4dec752e912fdc3 = "C:\\Users\\Admin\\AppData\\Local\\ca960a5f89e3d82dc4dec752e912fdc3.exe"	ca960a5f89e3d82dc4dec752e912fdc3.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1114462139-3090196418-29517368-1000\desktop.ini	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1114462139-3090196418-29517368-1000\desktop.ini	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\desktop.ini	ca960a5f89e3d82dc4dec752e912fdc3.exe

Drops file in Program Files directory 64 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-48.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-125.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalSplashScreen.scale-125_contrast-black.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-200.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Lighting.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-125.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-200.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\selector.js.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-125.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-lightunplated.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\ui-strings.js.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\Newtonsoft.Json.dll	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\ExportConfig.json	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l1-2-0.dll.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-30.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-100_contrast-white.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.id[4353D37D-3501].[[email protected]].faust	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-16_altform-unplated.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\3DViewerProductDescription-universal.xml	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	ca960a5f89e3d82dc4dec752e912fdc3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	ca960a5f89e3d82dc4dec752e912fdc3.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2400 vssadmin.exe

pid	process
2400	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exe

pid	process
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
3936	ca960a5f89e3d82dc4dec752e912fdc3.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	3936	ca960a5f89e3d82dc4dec752e912fdc3.exe
Token: SeBackupPrivilege	1832	vssvc.exe
Token: SeRestorePrivilege	1832	vssvc.exe
Token: SeAuditPrivilege	1832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	416	WMIC.exe
Token: SeSecurityPrivilege	416	WMIC.exe
Token: SeTakeOwnershipPrivilege	416	WMIC.exe
Token: SeLoadDriverPrivilege	416	WMIC.exe
Token: SeSystemProfilePrivilege	416	WMIC.exe
Token: SeSystemtimePrivilege	416	WMIC.exe
Token: SeProfSingleProcessPrivilege	416	WMIC.exe
Token: SeIncBasePriorityPrivilege	416	WMIC.exe
Token: SeCreatePagefilePrivilege	416	WMIC.exe
Token: SeBackupPrivilege	416	WMIC.exe
Token: SeRestorePrivilege	416	WMIC.exe
Token: SeShutdownPrivilege	416	WMIC.exe
Token: SeDebugPrivilege	416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	416	WMIC.exe
Token: SeRemoteShutdownPrivilege	416	WMIC.exe
Token: SeUndockPrivilege	416	WMIC.exe
Token: SeManageVolumePrivilege	416	WMIC.exe
Token: 33	416	WMIC.exe
Token: 34	416	WMIC.exe
Token: 35	416	WMIC.exe
Token: 36	416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	416	WMIC.exe
Token: SeSecurityPrivilege	416	WMIC.exe
Token: SeTakeOwnershipPrivilege	416	WMIC.exe
Token: SeLoadDriverPrivilege	416	WMIC.exe
Token: SeSystemProfilePrivilege	416	WMIC.exe
Token: SeSystemtimePrivilege	416	WMIC.exe
Token: SeProfSingleProcessPrivilege	416	WMIC.exe
Token: SeIncBasePriorityPrivilege	416	WMIC.exe
Token: SeCreatePagefilePrivilege	416	WMIC.exe
Token: SeBackupPrivilege	416	WMIC.exe
Token: SeRestorePrivilege	416	WMIC.exe
Token: SeShutdownPrivilege	416	WMIC.exe
Token: SeDebugPrivilege	416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	416	WMIC.exe
Token: SeRemoteShutdownPrivilege	416	WMIC.exe
Token: SeUndockPrivilege	416	WMIC.exe
Token: SeManageVolumePrivilege	416	WMIC.exe
Token: 33	416	WMIC.exe
Token: 34	416	WMIC.exe
Token: 35	416	WMIC.exe
Token: 36	416	WMIC.exe
Token: SeBackupPrivilege	1292	wbengine.exe
Token: SeRestorePrivilege	1292	wbengine.exe
Token: SeSecurityPrivilege	1292	wbengine.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ca960a5f89e3d82dc4dec752e912fdc3.execmd.execmd.exe

description	pid	process	target process
PID 3936 wrote to memory of 1092	3936	ca960a5f89e3d82dc4dec752e912fdc3.exe	cmd.exe
PID 3936 wrote to memory of 1092	3936	ca960a5f89e3d82dc4dec752e912fdc3.exe	cmd.exe
PID 3936 wrote to memory of 4568	3936	ca960a5f89e3d82dc4dec752e912fdc3.exe	cmd.exe
PID 3936 wrote to memory of 4568	3936	ca960a5f89e3d82dc4dec752e912fdc3.exe	cmd.exe
PID 1092 wrote to memory of 2400	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 2400	1092	cmd.exe	vssadmin.exe
PID 4568 wrote to memory of 3376	4568	cmd.exe	netsh.exe
PID 4568 wrote to memory of 3376	4568	cmd.exe	netsh.exe
PID 1092 wrote to memory of 416	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 416	1092	cmd.exe	WMIC.exe
PID 4568 wrote to memory of 4528	4568	cmd.exe	netsh.exe
PID 4568 wrote to memory of 4528	4568	cmd.exe	netsh.exe
PID 1092 wrote to memory of 1748	1092	cmd.exe	bcdedit.exe
PID 1092 wrote to memory of 1748	1092	cmd.exe	bcdedit.exe
PID 1092 wrote to memory of 3848	1092	cmd.exe	bcdedit.exe
PID 1092 wrote to memory of 3848	1092	cmd.exe	bcdedit.exe
PID 1092 wrote to memory of 4880	1092	cmd.exe	wbadmin.exe
PID 1092 wrote to memory of 4880	1092	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ca960a5f89e3d82dc4dec752e912fdc3.exe
"C:\Users\Admin\AppData\Local\Temp\ca960a5f89e3d82dc4dec752e912fdc3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\ca960a5f89e3d82dc4dec752e912fdc3.exe
"C:\Users\Admin\AppData\Local\Temp\ca960a5f89e3d82dc4dec752e912fdc3.exe"
2⤵
PID:4308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:3376

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4528

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2400

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1748

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3848

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3560

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
Filesize
1KB

MD5
eedd2d13e3671d589714446755b78b38

SHA1
2fdd23507187a259f5a7edb01611a37b6b09f4da

SHA256
467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d

SHA512
ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg
Filesize
1KB

MD5
b651e9101be833e87337050028831efd

SHA1
ee594ba38a6324369ffc7b4dc89407d3436e34d9

SHA256
4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619

SHA512
3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg
Filesize
1KB

MD5
3f16cc51cf788a50e6cc1ae60897bbf7

SHA1
e5a8c8f5227ca6da79589192892e81b6a3f43686

SHA256
30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d

SHA512
17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
Filesize
1KB

MD5
1bf37c0336c12ccaa1c62386acacc858

SHA1
f1e187c79588e4e9fce931997443d7e5cafd1db6

SHA256
a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673

SHA512
f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg
Filesize
547B

MD5
81cfb9735fea15ca8791a3c34a78d992

SHA1
9b4962166a47f5edc62e5fe3c4f8772446db9296

SHA256
3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8

SHA512
f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg
Filesize
642B

MD5
55215e8f92d35f26cca06fa9d5d221e9

SHA1
994838c8df5921e3828749a7703ebfa8383e43b6

SHA256
e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae

SHA512
7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg
Filesize
552B

MD5
2807924fc18c958c38a7004a5dbd4091

SHA1
85534040543c3306284e6a475999c46249a35e4b

SHA256
0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500

SHA512
264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg
Filesize
711B

MD5
cd5d2472a2bf9ac7eb4e15146b30bd2f

SHA1
bca600423f99b87df44fde9d96ff874017037afe

SHA256
038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c

SHA512
dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg
Filesize
783B

MD5
0498cfb8aae1383c049e8ccdd85f3abf

SHA1
c5fbfcc70b441e91a5ecd23295c745aaf076aa4d

SHA256
ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c

SHA512
113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg
Filesize
979B

MD5
30c9bd1aee3794fd46bc99fc2a359212

SHA1
9817640da0b98babc461d277a39b323dc9a76cd3

SHA256
4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d

SHA512
bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
Filesize
56B

MD5
e3c4dd21a9171fd39d208efa09bf7883

SHA1
9438e360f578e12c0e0e8ed28e2c125c1cefee16

SHA256
d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb

SHA512
2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js
Filesize
3KB

MD5
0d3a12fd3f68decc694da04b57e61d8c

SHA1
f73d4d591f6ef0b2b04fc90d2e840329f7590743

SHA256
ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76

SHA512
2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js
Filesize
1KB

MD5
68b6f0644d50595a97c9fd60b8d8e697

SHA1
a4d0edf9264ce1922dc419c7f3b3cedb2814bea7

SHA256
bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f

SHA512
d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png
Filesize
388B

MD5
65c9f3fb24b80d8c470d518f901b9c60

SHA1
b9521c39944357d4b55b91f9f3739575d1f3bef1

SHA256
8de76ee7eb6b32c307d4a46a43ac55bc15b917e2a24d36c3d001878a97fd39d6

SHA512
6572d65abd587055a69980558b2568266ff76555faadf3ddc93fa65bdd7a009a2fbca10f37f44c27ae889d3de99a3673c2b9ba6e6456242e951703fa32d9c636

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js
Filesize
1KB

MD5
a778c47dd8521d6a12093b3e97ed8474

SHA1
2099d940cc672373884e1c622bbb606e9e9438b9

SHA256
d5343776747d802d64faedd9954d2a4bf555a6cd85396c55c39a8fce4c5353a6

SHA512
7c9c9b406c1b79b3298e975abb3f64927b6beb9e8784b75927e19ba649936c19f04d958d07499a5d5c52049cf2d3600e32f6f437c98b2946a977ca82c71e7224

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js
Filesize
1KB

MD5
dd24e91615f1963a5c64bc9878a0a8d5

SHA1
407ece3322d57d16a448b5522d4f29229f80b8b1

SHA256
4cf9816ed1062189ff0c8d427fba5e912cc68fc9af76cf7f08fd255977de3b33

SHA512
a88d5e6fcfd998b0abe79b5b314f3f83f424be9447dca01e1a64a3e7313eb247baa894c10c5758c6788cad27582c09207d00d2e7bc41515e7f1751e05aa812ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
Filesize
683B

MD5
3f7323acc829bc8b3799148d439b3d47

SHA1
3d3c540c4080462a8013d6db9383ad69606779e8

SHA256
d9de646d51650572b66a6cf8a52ad1efd46b7a47830fa7972da0bc05baa2fad0

SHA512
09e2a175dd874ac369331fbfd863be20c9ecc005bfd6c7eeadac071804653265e4f7195d70058f2f73951a6a6e202fc96930f2ce71c2d815b228edf01729b559

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js
Filesize
1KB

MD5
fb4aa89fb89bf94d0590a3174d1193ff

SHA1
c3812f2105099071c24141a994a9d5087199dbf7

SHA256
655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273

SHA512
a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png
Filesize
1KB

MD5
7ab2ac51d33778dac850c5dd8b4ba45d

SHA1
b3f47f20c438aa488fe835e0145c014853ee48aa

SHA256
ca17d6cc1f7ab317c34a7cb767ad017163e71726ac648518679c6b1c59fa86dc

SHA512
c14ac0ad209625e0acb2ca9e0afc5f6c98901b01f92b675d073b72929455f47ccf29cbfdaa248c602b02fc2bce484c56753b1a54e66f6ce9df2ea57bed88962b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js
Filesize
1KB

MD5
07bcf4e882ae521ec6ddfd0bb2a608db

SHA1
88e2ab25dec6ba9fedced9bbd21da03639da9409

SHA256
bc9df2774317cdca8e5a702f249a6994fa3b63852e7749124e82ef1f37b89aa6

SHA512
ceafee63fb03e94b418bd87c6af91a53c9bef53b86eddb51a7aee77d8ad5e6654045da12c3c28f3ab4486d2f6f135f7f834790991037708b0301085f62e22fa7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js
Filesize
1KB

MD5
0ec670fd70f5e89c3d2727df9f2a5398

SHA1
d19c88c8e11361d4f29719518b8543e0ecf5ff09

SHA256
8267479623714339b61159b2f8235b15a38ccc1199eff859e5dc13359f8711c3

SHA512
a429234afdc29df1276238d3e329299a6fb5b1ef6044429c1acd8abb95c0b76a14836b47805c5d464cfc95978f5e3b10eceae6c26a2964e2c352fafe1d7dd6f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
Filesize
445B

MD5
2a78f84427d1d591409740722e60d793

SHA1
304f17d9c56e79b95f6c337dab88709d4f9b61f0

SHA256
4eae979bb805992739f77e351706e745076ed932d3ef54dd47ba119c4c2fb5c6

SHA512
d687c646bba8b801511a17b756f61a1209ea94938940fbe46d9e4893f14606f9e1e5ff468ba4a77474603f5cdbe0cb9df3d24767e5c9ac81a0b373dcf4a4f3ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
Filesize
611B

MD5
c7fc95def1d53bd3e747248ecbd3cd5e

SHA1
1b251f02465f9c7dce91aac5aa0679a3c34318e8

SHA256
4049b739e6322c7d7caa241ac41c8e0b1f2893957204a910c9708c7731a7a8b5

SHA512
f4b90435a3b250c1d3dc8df9bb4d331dfe9b1c0212eeb1768073afb81b3915fe61a7c4af151c8090565f778dbdf1f4fad7b5f545c9a21b7782cd7671be2ac96e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js
Filesize
1KB

MD5
1ea3b76135bb4a589027d6243075a936

SHA1
2951fdafcb862ef53fcf213572368bd5e08094ad

SHA256
c960c819e997c1c9d080235a5e24e65059b63cf66b95ff3da9a44773ebf81c1b

SHA512
3c10075e71d2e44535e19c8660bee7071a110d07dbef67ccc4cc94c45f93afd72f8ce6b24be31e6193549823b7db204e20950e5c1a075ae159c39682db295d27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]
Filesize
162B

MD5
6cbbe3240a203b0ff387d9bbdadd49ef

SHA1
2c65f6ea9acd8d164ece87edf2f142942d8cdb42

SHA256
7b3bae54e7a2931a1957c1ca23189cdf913f567e92af15089f033b99e33351f1

SHA512
cdd8e32fdf610a0c00f7e8093c98d421f6c60bb75be67fe0a22ca1b5144351526a2b56ffd955f350039e4dca823e45a3f1f4595c3f9f209b3de28cab972cd140

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png
Filesize
550B

MD5
b513ae819f7d8d10fa4f6cbfdf055b22

SHA1
b4228971cceadd4a698f3c206d8f4bc24a37f991

SHA256
25778f162c4243167f8eaa876f1b0619e67afc158de7805600471a563ec5e8b7

SHA512
c11266406d79494f7d74f8f8a5f955e2bad14b8924877e882fb3e7cc7442998cf6e7a9be3aa7f1a945af8bb2add9dfcdec0ef54239f6ee80748d77444dafe6fe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js
Filesize
1KB

MD5
b17a6a8826832fc2e1098d0286242861

SHA1
8ce2bb5944d61be2b628fc80ebabc769768e0b48

SHA256
82a1cc52037ccd1ee4a73cc41b86ef4c9b45db28025d56105566bbc9f06bc41f

SHA512
688757cebb6aaf1a9948ce1dd30318ac2b7afb7a47938e6eecf1bbbc1be058ba78744c208d71a9747ae514242b09322489ad314119cf612a7e4a717907521962

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js
Filesize
850B

MD5
d3e4c2fefeea6e6c467df305f7a8f3af

SHA1
a4468bf4d5abcb4d720b0fefb396dce5864e4717

SHA256
e9288289beec2fe3b6ac24c1311451c8d079786a09515b95cbf2eda7f87f0b22

SHA512
b81a9d38a4a6cd54c2081289192ce7aee3e34d71f834c9b94eac8cd79a5cb90a0dbd3ee0da89be68e4fb69a82903c658addc272a9d70d8f8f8f8cff5c2c18f10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js
Filesize
857B

MD5
a3f07671642038caece41ff2a52d8673

SHA1
53442624b01b79a3729a23d4f12efc8dae4b1002

SHA256
088d391d696ec15140e7b4dbe6fe17e95296af9d09c7eeff17a0a9c241925b89

SHA512
5d1ab4b072eec924d13d760da6aa958cc81fa58cfec3de8ff239d131d37b31cdd547eac0fa5ab34c060f0f28a2295e071a1a9573815541c5b92cf0c63f11bdb7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js
Filesize
856B

MD5
74ca2c01b07af0dda4bb39ac330fc49c

SHA1
7cc7781cca7798ce0940fe9be999e85f8b5064e1

SHA256
ab9ac8d62fd064748c921e6bd4c123f5cc8910a384d1804bec33ffe27da27c4c

SHA512
cd71201d364c7cfc9d317f091a9dc318d77bdc7340ec4abceee2fa23e3f58cfb1a8f45b5216f5ebb40b3738fef28eeb37717b2508aa1369316da6b7c82c510fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js
Filesize
1KB

MD5
df3b4d35decc08d05ef8ee0644ab7274

SHA1
6b0381b9ee40dc8470a63218e5cc5feb579f7334

SHA256
e27e5eb93a24a2d866e30bf027e4f0c3da9fae8968cf5eb69446e7f668356164

SHA512
257c770416a94f5b79ed837fa0f5e7926cede3ce06c1a9b819c1ca77c645f37bd366564cb028b0ba6afc5444aa5ac774c3af36cd7c108164d1000254cf85c94a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css
Filesize
802B

MD5
651bcf535ed50ffa7724c8751bec1a66

SHA1
5758c4862740517ba28026c298d1b3a61f43716d

SHA256
359f38eef400e2fa3924a3258652e74ee19cd46cb92e47bce91f1194fce25e9e

SHA512
492b73f1622e8a1a064141a2edbac9fb29e5f604b629b063fc7251289d237e50721e1295b4f3450322fe72f01b57561a79f0ad4b3a20290cf3214ccf0204d372

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
Filesize
179B

MD5
bec4473fc43b77e28e60f89da4e29c00

SHA1
d5dbc7c6642a8a23da14f952a0f64fe874e8191b

SHA256
5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96

SHA512
ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
Filesize
703B

MD5
39e7048d412b94bb2dad145a2daa5875

SHA1
08778bbd84d9411f2e531867dffe45fee5d60d24

SHA256
4985216f1f370fff03c45d4a711c18b3f49165f8278e6cfc231bb38b920095a7

SHA512
65803d69def3517f0021a291748b55cb5bb2e8437732e6cb9b99b1f778f766fbff2c484b664d16ccbedcd51c14f89e99cd5f977cf97d680eca78a9d4f8b87fb0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js
Filesize
823B

MD5
92f1f77de0ce17e9486d53787f69618e

SHA1
41198fdd6a18321c15c3d4647962e687fc036af6

SHA256
4ecb5e390829b5b11dd02db2f22ac1349e32a24e5bd3a8489f6fb5fb0f07eeb6

SHA512
b389c8364936fbb96a407fb1a848254fd8b7bcbde05637ac1acfb48ba0b30e887dd44b2447e1e3eb75a902241d67571584a819927cc8d0a91d325f5df79f12ce

Download Submit
C:\Program Files\7-Zip\7-zip32.dll
Filesize
49KB

MD5
2f244a56091c9705794e92e6bcc38058

SHA1
3f2b518be764f29c66ba8564d1be8f4309cce747

SHA256
e322feefa8d4c76d8749f88c9b877e3e119418c4ac0b18a8cfb7260638cc588d

SHA512
3ee3835abfec9c2db4ba1f33b5e59db2400e712d5dd7cde82a12889ea1beab8ac85b923ec0447e81b3d2ce3ebd14922882653f5bcdcc81a29f225acfa4872572

Download Submit
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
Filesize
2KB

MD5
ddc4cb14453391bcb5f4d645b2916a6c

SHA1
c4738d174c90c285e17bf51a9218256f45f96ea7

SHA256
0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb

SHA512
34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
190B

MD5
c5b7a97bda04c48435a145f2d1f9bb42

SHA1
bd94219a79987af3e4d4ce45b07edc2230aaf655

SHA256
07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0

SHA512
7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
Filesize
153B

MD5
d13b5ffdeb538f15ee1d30f2788601d5

SHA1
8dc4da8e4efca07472b08b618bc059dcbfd03efa

SHA256
f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

SHA512
58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
Filesize
744B

MD5
809457c05fe696f5d34ac5ac8768cdd4

SHA1
a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9

SHA256
1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be

SHA512
cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
Filesize
113B

MD5
b9205d5c0a413e022f6c36d4bdfa0750

SHA1
f16acd929b52b77b7dad02dbceff25992f4ba95e

SHA256
951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a

SHA512
0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
Filesize
1KB

MD5
3be680b6a8edfdeed37bf5068a37dccd

SHA1
75bc261fc558634731e683e431e4a31c5b463107

SHA256
1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4

SHA512
a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit