ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">dC2mgcXgpEPIw5IKcY7vnxx+e5za/Ka1O3uE5isFVzLQWBniInp+rv+Y4DoevTzKAvlQ3uNBj2/DJ1iL+hZxtamL6ArgPGoKpRq8heztciPoL3uQNW4gOAxKQCsZjW0kvm/rfK+scEMeKwmvh/8PVBw3e3G9idht43n344BBFKJLvpGm0dSxgg4zfydB+TNgahR579xg29ivfOFmwi2ntnoP2Ugb4QViutEDPanfM1STmsAxP+Z7NrqEalekxNxnobf3fIgxrKcMngVv7nP3WlWCGu1sMv+f8OqUIEMVoomdQPYjul1sDurdOjODrErDYsdQ004rBhRmfl0fc5omkK5HF2DKyoWDGcbOrNBU/VDkhsTwRtutnv0GE6fxY6WGqhJhZ6vXiqTZ/mRCDtTBAVEWjghzjwyFz158b/XroOs1l4m0twjGqYVFpw1S0slLh3MAVjSMYKN82NXyeAFXb330Sq1GgUQzoy+cD6hCSYnPOxdmiNEFpAK/6qSAeO+xkc8lXCwUVE1y+e27ugL4+YaI7TilnNmZgRmUhAN6vASVO8DdwyyK6mzOEqM9IsAupOi7QgMjhGXhCXJ5HqpFdQYJhcDcjx5wab+nkfl223tE13j4d1xTdcYw1fJP0N+Ig8vGIT/iba6DtI5soGaE/0A/tdvrnTsU/huZGCeAMIRk3n2RDO3Y0tC9d1N/5xLELBCTMPkYTtZ7fBCx1dTJPrHnw0bo2KkiqqiamCttTlRq7uXuWc7r19sp75cP7ki8csD3fqb0uB9orzdSu2aP1A4IvzOmtVTQnD90EELHTPrvXLkI71FoXT8s547fgMGGVnU5taRgV3EQqpf3cXHKw2tKC5aUDzIeVvBxVXSy4ZXIEx6TioCtS8mDjcouAlnnMxbFys/ESneQcMSqAgQPm6pRpO+PNBp7Wg0kfSVA6PO2liSEzLOlIvuRO/irVoRS+yLmEpcxHhSVjDFVUYRG+ZbqEQaw6z/fWPNFtLz0eZ/c9hrONaPEvRPzW0+j/Ic/lKcHWEg7YDG0hniF4UIzlfLQVUXMOBzTpGI3/h5xebB1F3xFfmO/BpVo+O1WNfYV+DcmZefrtFmIQSUUqSgJn5zI0r4krXtJVp+yKnserb4QIy0IDaiDAceJkCNE0BbFZwd4iFgJ/vOjUjxVEIHcy/jo1Blsr8iuqqZuYJtAYespDwLmkmwW267QAmvAM5C7Hn9Rfvc4vjwPraU9R7lEIiPQbgqY17JSBftVJxeZ2Agxxqc5ZgqjlVkoESbEPHVMpkvZ5+fRYz16oroKTSJ6PgRfre5xNB8ZtRQQiCn0LhoimoFP33rT6ByuT/0Z2+av5yreyDzzMC+U1IXV7osG3Mfj/x6UMo5gFduhB2+9icDtUVEJAzTi3LIC3kpZPPrYpx0XE2G1Ex6S2PygcGJdEP4C95hY2Z+1i8PF4BOngacQ0UaEcVIf02oN3lFXmN3bov5yiier5MllSmyubTe9gScg9PQJI60UdmGKGpSw6AaUeGiqEq+cYI5AzPFyEDK82D1wn3w4XGwvWOK24dUIBlJj3A9Sgy5j01897myc1Ycdkpv3aYoyWv/cS9zF0MDf5Z1oYzjeq+0ZV97cKEJfq0+gZvXQdqc8ZCIMjYjX7nsbsdFyQB0IdY1DMbOPIdhGym160c1wiTG9SDcFr1HaAj0FGKm0LzlEM+yl2u1LQvQ=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4124 created 3232	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	43

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3112	bcdedit.exe
3056	bcdedit.exe

Renames multiple (6548) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4452	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4480	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	cipher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_01.jpg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Folder.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ArchiveToastQuickAction.scale-80.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.ps1	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Microsoft Office\root\fre\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinPageTemplates.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\VungleSDK.winmd	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\AgentPlaceholder.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103406\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\root\vfs\Windows\assembly\GAC_MSIL\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-lightunplated.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-72_altform-unplated_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\wdt.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Internet Explorer\it-IT\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_contrast-white.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2928	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4368	taskkill.exe
1196	taskkill.exe
2260	taskkill.exe
924	taskkill.exe
1844	taskkill.exe
2092	taskkill.exe
2504	taskkill.exe
544	taskkill.exe
4508	taskkill.exe
3448	taskkill.exe
2736	taskkill.exe
2928	taskkill.exe
2884	taskkill.exe
1636	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983843758-932321429-1636175382-1000\{6B842AFB-9079-4228-8A49-C82174826271}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2920	WMIC.exe
Token: SeSecurityPrivilege	2920	WMIC.exe
Token: SeTakeOwnershipPrivilege	2920	WMIC.exe
Token: SeLoadDriverPrivilege	2920	WMIC.exe
Token: SeSystemProfilePrivilege	2920	WMIC.exe
Token: SeSystemtimePrivilege	2920	WMIC.exe
Token: SeProfSingleProcessPrivilege	2920	WMIC.exe
Token: SeIncBasePriorityPrivilege	2920	WMIC.exe
Token: SeCreatePagefilePrivilege	2920	WMIC.exe
Token: SeBackupPrivilege	2920	WMIC.exe
Token: SeRestorePrivilege	2920	WMIC.exe
Token: SeShutdownPrivilege	2920	WMIC.exe
Token: SeDebugPrivilege	2920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2920	WMIC.exe
Token: SeRemoteShutdownPrivilege	2920	WMIC.exe
Token: SeUndockPrivilege	2920	WMIC.exe
Token: SeManageVolumePrivilege	2920	WMIC.exe
Token: 33	2920	WMIC.exe
Token: 34	2920	WMIC.exe
Token: 35	2920	WMIC.exe
Token: 36	2920	WMIC.exe
Token: SeBackupPrivilege	3228	vssvc.exe
Token: SeRestorePrivilege	3228	vssvc.exe
Token: SeAuditPrivilege	3228	vssvc.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe
Token: SeShutdownPrivilege	3176	explorer.exe
Token: SeCreatePagefilePrivilege	3176	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe
3176	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 5084	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	89
PID 4124 wrote to memory of 5084	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	89
PID 4124 wrote to memory of 5084	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	89
PID 5084 wrote to memory of 3804	5084	cmd.exe	91
PID 5084 wrote to memory of 3804	5084	cmd.exe	91
PID 4124 wrote to memory of 3588	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 4124 wrote to memory of 3588	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 4124 wrote to memory of 3588	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 3588 wrote to memory of 3528	3588	cmd.exe	94
PID 3588 wrote to memory of 3528	3588	cmd.exe	94
PID 3528 wrote to memory of 924	3528	cmd.exe	95
PID 3528 wrote to memory of 924	3528	cmd.exe	95
PID 4124 wrote to memory of 3612	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 4124 wrote to memory of 3612	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 4124 wrote to memory of 3612	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 3612 wrote to memory of 4708	3612	cmd.exe	99
PID 3612 wrote to memory of 4708	3612	cmd.exe	99
PID 4708 wrote to memory of 544	4708	cmd.exe	100
PID 4708 wrote to memory of 544	4708	cmd.exe	100
PID 4124 wrote to memory of 4684	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 4124 wrote to memory of 4684	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 4124 wrote to memory of 4684	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 4684 wrote to memory of 3224	4684	cmd.exe	103
PID 4684 wrote to memory of 3224	4684	cmd.exe	103
PID 3224 wrote to memory of 1844	3224	cmd.exe	104
PID 3224 wrote to memory of 1844	3224	cmd.exe	104
PID 4124 wrote to memory of 2876	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	105
PID 4124 wrote to memory of 2876	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	105
PID 4124 wrote to memory of 2876	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	105
PID 2876 wrote to memory of 2248	2876	cmd.exe	107
PID 2876 wrote to memory of 2248	2876	cmd.exe	107
PID 2248 wrote to memory of 4368	2248	cmd.exe	108
PID 2248 wrote to memory of 4368	2248	cmd.exe	108
PID 4124 wrote to memory of 4728	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	109
PID 4124 wrote to memory of 4728	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	109
PID 4124 wrote to memory of 4728	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	109
PID 4728 wrote to memory of 1224	4728	cmd.exe	111
PID 4728 wrote to memory of 1224	4728	cmd.exe	111
PID 1224 wrote to memory of 1196	1224	cmd.exe	112
PID 1224 wrote to memory of 1196	1224	cmd.exe	112
PID 4124 wrote to memory of 1676	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	113
PID 4124 wrote to memory of 1676	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	113
PID 4124 wrote to memory of 1676	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	113
PID 1676 wrote to memory of 1640	1676	cmd.exe	115
PID 1676 wrote to memory of 1640	1676	cmd.exe	115
PID 1640 wrote to memory of 1636	1640	cmd.exe	116
PID 1640 wrote to memory of 1636	1640	cmd.exe	116
PID 4124 wrote to memory of 2056	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	117
PID 4124 wrote to memory of 2056	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	117
PID 4124 wrote to memory of 2056	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	117
PID 2056 wrote to memory of 4732	2056	cmd.exe	119
PID 2056 wrote to memory of 4732	2056	cmd.exe	119
PID 4732 wrote to memory of 4508	4732	cmd.exe	120
PID 4732 wrote to memory of 4508	4732	cmd.exe	120
PID 4124 wrote to memory of 4040	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4124 wrote to memory of 4040	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4124 wrote to memory of 4040	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4040 wrote to memory of 1016	4040	cmd.exe	123
PID 4040 wrote to memory of 1016	4040	cmd.exe	123
PID 1016 wrote to memory of 3448	1016	cmd.exe	124
PID 1016 wrote to memory of 3448	1016	cmd.exe	124
PID 4124 wrote to memory of 4520	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	125
PID 4124 wrote to memory of 4520	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	125
PID 4124 wrote to memory of 4520	4124	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	125

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
"C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4124
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:924
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sql writer.exe
      4⤵
      Kills process with taskkill
      PID:544
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4368
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1196
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlceip.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdlauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im Ssms.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4312
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:32
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2932
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msftesql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2504
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:5080
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im pg_ctl.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3608
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -impostgres.exe
      4⤵
      Kills process with taskkill
      PID:2884
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:2108
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:4708
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:2208
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2176
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:5028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:4684
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:920
  - - C:\Windows\system32\net.exe
      net stop MSSQL$MSFW
      4⤵
      PID:3648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:1596
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2960
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:4728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:1560
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:3460
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$MSFW
      4⤵
      PID:3136
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        5⤵
        
        PID:3248
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:784
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:4904
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3980
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:2116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        5⤵
        
        PID:2888
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:4644
  - - C:\Windows\system32\net.exe
      net stop SQLWriter
      4⤵
      PID:1808
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:4036
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1624
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2896
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3112
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:4876
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      Drops file in Windows directory
      PID:1816
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:548
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:4452
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:5100
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3056
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:4980
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:3060
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:4312
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:4936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
  2⤵
  - System policy modification
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2568
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
eb72ba6d84417fc44ae7f150a7e82e0a

SHA1
b32a258f87b5f0837e0f678b9b9f8fa4e903e602

SHA256
52bf1b49eaeeed5572f758951e1052f1b081647277ae4f3e0f7f9ff1cb379954

SHA512
a03f8aee04686732086604a248000e10667aaa6cd85a3ac145ec84f4c3a03d821795e7f91ff6d013a2e7b89952071f4878feb4a541d3186965e7abcc0766a675

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
1766bd0107048961d33e0c2496945563

SHA1
973201929459125531f7ea5539d1863afd5f83d4

SHA256
5667a1dbe1a466419dcddf0f6d06a70f4315f07863f0b7262e02ed2cbd5c579d

SHA512
f1706f15ff3f0ee713f6a8291242ae5ff4afaeb59c832e36a4fa67882004b7c9fa9e0177af784b728129bada0b381b28f25be6a47ac6f5fe1602e51555abe613

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
219612fff6f1aba3a4a249caf399d927

SHA1
90408a3228ad43948727c09e5a17e4af1d9011bb

SHA256
e972ea4eedf0a432154d5a12d7a3b3911deb9e29ff2b333cf350ef1095d2660f

SHA512
5e64d411ab14ee3bef58df7e2158ce688078c6a4370a4a6c29841d1730d7590267a093de67301a58d5e33c3cf5359151643cf727bcab111666bfc5488237f6be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

Filesize
3KB

MD5
53a245e8bc3ab62c7c813c702f058e3e

SHA1
2f99b6b10c7d8c9b9c5ff53e03e423720a168cb5

SHA256
a93ae8121968787cbffcfc5b21547a75dd2373e2e1ff98f047eabf7727dd2c3a

SHA512
701f261316eb0ebc0bbdddec9e49612e857db7a39a5023a2c842344f12c635bbd0ecbef6e2634b09499a4fa24e96b70ca538595b5fc8b04dd1eb7bdb178ea2ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
dd8ce3be472c8524d54f7d35daf42ee6

SHA1
cc01421242080aa3f93c170714266e7f19132ef8

SHA256
bd9088f8c4d1f6e2cf5232979aaa81af7658fe45e2663fcf05b01ce38e164e86

SHA512
1df99a7106a636a6b213c7ace3097cd2c7361f3904bc8d66ea04baf06dcc1196da2c343fc445fa7b799437febfc972e0c86f427dec8d0f198a47d419ec80feca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

Filesize
2KB

MD5
0d202ba3d0e769ca8e7bf48c39ea3cb2

SHA1
0da2b92e9c97b3c84aacf9999157360151159802

SHA256
a25b1d28a3a44b4dd558e0dba629a174b4823c86f67b2d7e258dc439e4ab263a

SHA512
104d44805fa29c1fd6adf0593014c303291ae14c2617a8e32e87b75c331f23c18ac1e471fbb6fb554e659e2a54a9ff17d100e8ebfb85355e3fc2a9fac2d719bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

Filesize
2KB

MD5
40bf50567089e0da0706429818d60d4c

SHA1
0712c42fdb99b86077c1615269cb00c1bf8ddc78

SHA256
1b121e241e3b7623cd0f7719beb83eaf6ff83c1ac88b5b6cb548a69d795e9478

SHA512
1bf633cc73faf73328b9282492ad0465cc601fcaf3d7f4f47d35a7cda09bc094db92dab8d1829c37727f311db225e08bc318111b39bcc10b9566a9874fcb6a3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

Filesize
3KB

MD5
7311ac7cc245a01f05d9362ee029ca79

SHA1
f012899793162a5e000f85ebc1792cb0155b2364

SHA256
1fa7f5ca36de559c00f74cf27d1e4fbc871d02e5bc096673496d25b296dd6dd6

SHA512
b10d6d9540fe6151e839e4ef9cb312e4dcd66a769d7840de89cb298cb1f83fab3d4122b063b0421e0228b32f606782c67548c95bc45a66f780690150759dc48a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

Filesize
3KB

MD5
8b22c585772f429627f2e62623a41305

SHA1
6163b4f0ad86f3c9c7187bb09836010380c7a228

SHA256
a0d60fbb17470402afed0718625902386483b91f55d48dffcf3e6ad9f7c3237f

SHA512
afd9d1028f97ca9bd9b176d145ea3f5a87bc6e4836c59611768e35afdb31a5d0826b75eae9a82364c6bf9777f2e6fa3e0379d0cf61d1392f6d0a11d21cce3beb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

Filesize
3KB

MD5
cdbf1394de28944dbcac70a2b8ad03f5

SHA1
7ced29971a18d70bdc1d60cb25f6438dfee13e24

SHA256
69029a868fd314aceab3e94be092ad8d1c113eaf4ac07c99e6cbf588c8012850

SHA512
ec7d56377da089687c6f71c38bf1ad759e8f57158763d26b6c06000988994960f103748deefd7ffd2a5a24d062c8cb19db1d6b102ea4e668ed8b5e378493e61d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

Filesize
2KB

MD5
7e7f2ea16133bfd9cb9ef33878d86981

SHA1
4e939bbe2c4902c45e80a94c936e2156539e201d

SHA256
30ea7a410f37dc0b4d9be2dc97c02829355973bbb7823b8dbebbae5627fe8cf3

SHA512
27de8b99df2beee176bf3c2ccd1d66b808cb5de5c1c093399f031dc5d08f1cb8fa08905f090ff1b8a10284393469889fd0b4980bd7b35e9a565e734c736f37e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
56a38f4c533b44e164e39415c4eae440

SHA1
79df65b9687c2bc9b096703bd25218eae1a67045

SHA256
3d4ff20bcc47672738a4f66cfa5fb46cc464bf54116d6ee2dd576cc81476e8e8

SHA512
7127e65ee006a8e8a0663b9dccf3aeb5abcedb100ca9c8a059124c4afb5ebd488ca77ec374bd4e488c064376ece15b2d3a1b222ef9703113dbdf7678af727ac7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
ac17702a99b1cb1590b9ea7cc9111aea

SHA1
3353ba429517e5b56496ead3e8b574d3db225965

SHA256
17e7c94a576cd1d4303a8df7de4c9d16a728f88a95d1052ad7d83616cd04312d

SHA512
f688ba1dfee15f73bd5889bfcc5cdc73332b509c12442fb5baf79ca7a90227b6ee4714032f21ca9455bbb7268f67136f5612fd20221dbdd6a195698c31eeb944

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
4693d92ea64f3a9837c1642f387fc586

SHA1
41a5cd373424a896528f89e354323811369ca12f

SHA256
ad357c48ad6aca35c5c163a340f066ec7a7d122e4a8310cc53c36702a9254f33

SHA512
f3366121aa8f1bd5103966a292457c6989e710506e3b7159d063b1536e9cc6311841761491f976ec427ce9e23384b2cc0150cfcf854661e5ab3c1d910a4b3479

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

Filesize
5KB

MD5
09878e73f66d8723652321643c6eec17

SHA1
2deb530a3602cd7cee8912bac4ba18ea0b3596fe

SHA256
21f83e9e3eecc6df13ecb4f6aa7ef94fda4964a8f7ae243317322ed4cec5cac8

SHA512
3f2262720a664f33ca6b0d0fbdc9db6becec28c3a4cc0bed1daea604af4fec7b8050f68ef905c54050a09c5462124046bec5661e32fa9bd8aa43c9ea61a65c6b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
f3b5ed75de521b637c387560a53dddff

SHA1
1875a3a0e6e7eb7cada07b8d5f69f32786d9af5d

SHA256
c9dec56748339dccfb9418c6c30df34f2277ad44949d2f5975415d045fd1b847

SHA512
6dbd8ebb45d5adcbafee260ae527e273f37627d39a429edcd27ae225f8c3f377acb1de409ecfe47e45b99a542cf34591ac11563bb4dd08014424c27612cbdc41

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
8a1f3032f8a5bdc8e0ca7c64fc17684a

SHA1
ccc6f203d5d4a9ff3149bcbb8220f0ec795476cd

SHA256
65cc56507069086a46d9c35b78ccfe3fcc3709d48ee8e11a5969b0fedaa2732f

SHA512
a1bd3e1d951ab3ba8aa7e13022671a95c5873a8345af932e3e8c126f56b1c406be9b50bd5ea1d30c5d98b1676fe0cd093a8f3481043b0cc0a94669ad1de83283

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
dbdf28e062a9209d583dff9bdedee6d3

SHA1
db01a63826a9022600207d15b8eb38e5153bfc57

SHA256
a254d9c8df925bf4149632b06003c17798366e2cf51d2786cc34f4961297d1db

SHA512
9d9ccc2e46824dd3caf3c30bbb78ed2ff8e0cdc881f1f7678972800d9740c686d5d46e6ce46a27fad334469557e44d647f78693e8a72b019670f093fe0b115c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
7c4b78eed5b00f4bc2af23600f40322d

SHA1
387a87c69fd260073281b9103d3bab6b078ecb7c

SHA256
59088efb8deb0f1483ad9a30816e501ae0b66c264a4092b38a4acba743717517

SHA512
1c56453e3757696ff198e75c6533d13cc46bfb9fe2e1cb26cead5056bc2bbf95b981bcad3f3cb7b5b2bff55281ea2c3e559cf94c2d9a9cd50aef79a552e50b20

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
3e58f9d42ddc764aae687c265438dbd3

SHA1
f7fa3ab5c16d298cf1dcaf7b8c751884302b33de

SHA256
4a23771ffe1f541f54ea5a2ad2cd16674ac5756b3c9225c50afcb000c553ea4e

SHA512
be8ef3e2be946182bac3c02a85ca51a82b7d93c5f847e4a25d70dd55589f221ef061ab915a05438aafcf98b434a1f9ae2fdc8d375ca82034fdd8e52fa2dc9190

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
e8cccabe0a818729731aaa46b418c01d

SHA1
ddda9bc1cd8a255f2832fcfc9c117bd9fca04df1

SHA256
3ff1ce24672701fadc1c85b6587fc78cb6500961a6ca4e172e7a7ca0622c6c26

SHA512
5fb24f6c40271c54996083a1650107e326d89b55b13868dc2a5624842df0e3bbc4e6a193d9696838f03f79fd21d95af07db3a8a8dfa3887d5ff33637b75021f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
3dce4950c3aee953c9abdf0c5128e8a6

SHA1
95ad88d639556c3b04b49b1f6ff5439b8d3bc8ff

SHA256
64305e4f18daffe4f725b10293c3908304ad81627192eb34518377545b2a573f

SHA512
58b41ae6d88cc45a65b2374e98379cee2a216d5db1706301284a5045feab9f8fb05485aa1ce8b88893613acbbb91bfe8277b58339db5fd9a0f88216daf9643e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
f7a39ad145ba357250a16763fc31c1e0

SHA1
68d1d2f339cdec2be7ad62809a12afd9495c345e

SHA256
16cd6c86dfdc2e074bbcecd61a64c25abb42610ae38cae89717bb0d4c6db3853

SHA512
3509ec4e9b85af282de1c95778861bd160a2ed65f891445b73f67dd9722bde662e667fc208673002ae8e888292e45b8252761a6226febb1d93b010cbc51f27ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
93f7b337e0158a7d02726a03847b5581

SHA1
ca7bb5725705ad3886bf9a70fba1ef5a8d1337a9

SHA256
b54c31e4d5705bfa9f7dbd3dfc717723408ec47261fc2cc265f90b83a36b8127

SHA512
324d9a28aa3e49a8773af41776545352d89ca62d663c17b89373c4d9e5788310625759d40195323903f0b4995fdebeb7c5800a75a0caf36bce8e2c82d78f6b17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
94b4ee5412a916255534f0b61add98e3

SHA1
e904e1124cd42ffe60d4790c6bb737a5c063fe39

SHA256
953a3aef4be54301cd7770ad9a74c0f6859828acf5dd69a08e8e4b0fb4cac5a7

SHA512
713573a49314ee222603d5c7ef2ac25a781cb96c8238c4fd8b234bb449118f8a081b50371351483e9980281603036e532250e201e162b2f2e8fcecaa6ef6b11b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
974120ba846f46d598f02c54c4933962

SHA1
e1e9569c64ad9cc0d0d069b9bc38040b9d6d3b6f

SHA256
161ccc7e44c75e3e58ef9ef91390eefa10fb36c8aae42e7c29ac3ec0a0abbee4

SHA512
d0a11c3b5b89a476e489ff0bdda1b57ddba7e3891e0f6401703743d3a2d8ca9d32bbde4bc14c5c3c91003864c171310ccc5a5adac1bc55bd231d07d76a6dba38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
39d6fb037ce72d966018ec0d6f6886e4

SHA1
f70b5db954ccfaf6185ff5db042d87b4ba9eff43

SHA256
67d079aad9d11ba399863cc210ab1c0bddb3addfae635344864de4ef92027ca5

SHA512
476180a948d86582efe7e19f68c91b19050ddb0af78b546e070ed546e4e06212481f9ba5b30e539ef8e1a5a6dd50901fedba70529f2d1c1e7ad17cc01f0ea659

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
3757a1e917459ddf13153a5fdb0c98be

SHA1
510baefe6719fa6a809e4abca5791c1a2650d1fa

SHA256
1d8b45444844535c4b45c21d6ba38910db6fdfea56af9d7eba668a346454c43a

SHA512
23257f5cb78acbff457d435c269b269cc45968f20cc61d16faac4fe2d133291fc6ff68e18689e4289ff92e9cd55f124d58c3bbcbd5b821e846be53ed44a214d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
0cc2a4518e3fdf8ee510819d66f6f536

SHA1
84469b9ce5aed406a193f1979ba4f31d57e5cadd

SHA256
9bb26ed6e2f93cffbcd65304f4cb18789831f8ff8b95bdce7589cb0eda25b2e6

SHA512
a166626f44b7b626f931f43d99e7ed64127a3c0cd76bb84967331c4e4930380acc7d97223d39cfbe78856a9d92202dc6a7dac315f48723ba409688b07753bb27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
741cb88290f609f58dbcb1bb9b4fb92d

SHA1
3ea9734371eaafa75563adfd3bffa3ea8e5f3111

SHA256
1aca10030200659d07fa282bf64cc084405e1cbf55b872cc9f7d8b0ebbe68153

SHA512
0551e153bf9eda7e3ea9aa0503796e3916e0f097cbd67fdf3324f80dfed07ea7de8759e1d26d6fba574e18e0a7bc15038918a7d32ea4861bd33d5e0f75e417be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
8f45a36e394c6946ca9ec53fdb534689

SHA1
9852778bea5d8932e5baa7e2efcd34ef5f38a389

SHA256
0038b32f25ec2409975dcacfab7d5a181d993e95988f63fc77bbdc584bac5baf

SHA512
ef8e6afc200928886f8361545895254131456cfe3364ad8366c86e2778ac2778f0053251648f2915959e8480bac35299d5dce8331110f1a58fc12f67cc47eac0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
bea1607c453971299b262b13d8fa9f18

SHA1
93841f00f38c660e88caca47db8f600eee661ee1

SHA256
b7c3c55430316eb0525816c76d5229f0cb67d4a221ac38d8cbca4a74eed5b2c9

SHA512
75fcf77c194e7ff996f2e7fae1aca934a6ec5d0133ff030c6f9b8f83a12a5032127fa126c68e42d2f97def89e05b60e395ab2031cbe2d6e6390b76892a643e5e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
cf3b8ca762f062844d7528bc0ccfd53d

SHA1
27a9274bce79b75004aac778a5dbad46feaabfb5

SHA256
bfbd38c14ee55f2b0f2f7efd8ddb6a319a710aabe63ea9e9c5726200bf562975

SHA512
8437dfd754a8f1f5520213272673d81ddcfe85dd09e02aad10f20523e40316e08b0beacc953a825522f54e13afb18afaf14a364523f4728fb348bae6b0adbbc0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
71378439167864da532e03c8e88bf3b4

SHA1
9db0d6c0bd98044ef6a8bd2af8c21a9c5a7b0ce6

SHA256
0f4b17551996cc9cf853c59091c8e91a375778681db46ef71a2e8b99d6470f6a

SHA512
3bb89b34dbbecc108eeebc33ea6351b18455070260e318dab4c18ca596964e5de4a901a92551ebdf67d268018f2ed5f0e2eef40a7e6dd4dffe9b7b223fc5e9cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
7a5734438fec7b8d48661ab696aa1270

SHA1
b8ba39472bb89d6b2a34922ff16fbe2c0826445d

SHA256
13a5e4e628a204e8faae4e0636f65268d64d6d061f2aeb1254e89c7c3981e999

SHA512
ae85fcf861129692daa3acbf7eb04af9ec590f372f4a73d983c22e490bce51da52ac5824338ce68e8ea0341fe58e075ee2c1e805203a36173615279b6c2b4b77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
37db038059acd0d955ecf58b68b69acf

SHA1
beb4b62f232017b25bea30f12ce54e940ecffb38

SHA256
9ccfab85f4e4e754fa4e97a211b4e2e8e0901af1af6c3de14d4d107d509763d0

SHA512
2b12e2edcf65a7086215afbefff361f4ed96ade8cd20c51592ddbb5bf482ec19b13553f7193d67bc316bc6f73cc80cf444182323871c8e2e3954d2e520c6028b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

Filesize
2KB

MD5
1941488ec3bb3220d59314ba462635f9

SHA1
6bc7a70d87cc7ddbbf491edcec27ed35e2b646a5

SHA256
7ca49eb20fb6dae5732f03eb5685abc04c3bca9ff52de193898cadf7a30a98c1

SHA512
c3cd6cdd0aee58f5b972ab838cad4ff4ec588193ac45cb24253aa20f0c8c10c08a706b7c1bbe4e3c21a143cd678e07ff3e5cf08eca47e92b7137c322470db0e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
e8a8e694cbe0dd62f54dddf5858fb41f

SHA1
1238d66235e44a7d279a0e762db6a3364f40bfa9

SHA256
2f280738b4699c8e9c0322e31991f5f3655f235e5483f0b6a2b466d4aee46331

SHA512
fecd0e555612ec8229e95553cb81ffea924168d38da54909b2af17abbb4eb50a63fe9688d7844c63c28ef6304bb64de4443bcce059d11f84e2b4983ee3a7ef1c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a33d8f6f1e8532bed43d818f6fd7aa85

SHA1
782898490a710d0a4aa510f0233560698ada3dd8

SHA256
c4c49bb9eccc6b5873aefa04e994095b6ecf9eb18887be30f20c7adc44597b50

SHA512
d6648fff819a912d2225d6502537e8fb945b95f4749671c0a1394ce775bb997c051d4d0b2db541e3d73a7c940b747439ca5fb7d3e3b5c4e872a015bb0a78c4a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
4f9cbf68f0f69b0d1f3f72ca8c8f4499

SHA1
33a8f8240c8251817df0218e69ea84221493e5c8

SHA256
f0e9ce07682f1d6c36252f65412bd77a9b9d3c26a56f53df3310675b8031c197

SHA512
f3de254f5d6270597b9b9a2132e25397861485bc184a37084f51b3f57d16c2751c8c589551f7dd73ff98fba41c67d315d9111741d6994468642f57578cde59e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
0086b42621e4f532898e7febd1cc00c9

SHA1
c57cfed8cac11434c4ebf96599419e67a466ed1c

SHA256
2cb7ad7ec7874809373b121168d2fb4c97037539405aa5c04ed5089ad79540bb

SHA512
ec225ecc52fd68e161c267c8e69496dc1c103035a2d1612227365fb3e4a075d5b5be1e35ceb765c8a5aa3f1f1a739cd65c5eec4d677df337c260f3b78d1b342c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
56691fa596d2e5d340eb43d6f63a9bd9

SHA1
82d1740a3ca45da26313d6ff0cb40eee7d066f5f

SHA256
17b88e9bd63e2de36e76687c90aa17d45560825c9a761041fe6365dd2e72122a

SHA512
dec7236482b282e87040e0b3a80f1196f17459e3c80348edd7e1b37919f30c21154c9b315da8d950e36d0245cbe5244048ff2ab3e98805f1eeffbb431f94b9a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
9426c4ab7d1c27e9cf0b6f3e34e0d07d

SHA1
0a6561d0c2b623991ff1414f3dda9cff33a647af

SHA256
653f6d14febec40dd72d12589f0617a3643622f8a3f1e87523569f11740b7400

SHA512
31b12df223c39c9d225be98c22251db5eaad0aeb5314e4e5dec1af9cda78f9e266e3cc3c1e605065a7326b651c6709398e65e066005a2072c397bbc5f42d539c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
cc02cdd84916b6e42ee7c10b0ddb0155

SHA1
506f9198b49f875d1e77a731c57a3d3519ee4bfd

SHA256
e117ef2af016349af278d3f491a913abcc1d67bee3cde4a7ef49a5adcb9f29f0

SHA512
7d7edbe11c45d5bf16350b1334dd8621c0911703dec54765af92b185a2af4c90217221623d8760305b5611f2df697572fc743e55e468998edb612d2d72f5892a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a1507373bedb19997992bd2e11b53f6a

SHA1
cecdea691394821551c6d2baa8edc6c18c1ec67b

SHA256
4e90ad1be43971c70c9a7bff04b46774ec4a6950e492ad93617a517e51f35ab4

SHA512
8ccac12aead52236fb7bf14a9ce73c449eb7d0b4f831009ff7098a9c3be2aeaa250cc6f65b03c8377ed1ba1a574629a0ce917fcaa87464dcd9ba65bfcbea2823

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
c52c2abb57bfbcdc563560b773b1ec7c

SHA1
e5b74bc7bd6ade318b44475d93a04d117e9ad720

SHA256
b1c36a347888ec139876ebc0ee6b40e74d06e9251434cd2c27ae636aeac57621

SHA512
cdafa446e8085a54536355ff6348cb467c58fced3a925ce06c38b28ac17972e0fad0af8217bf7f22e772519d241b44bf723f6cfed7d0864cde0e3072d3c51c7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
5863108e58b627b8ea3532035510a9ed

SHA1
e5f853c6bfd578b1b72cc22ac85150239970f385

SHA256
05c89e59c91fe382456baad9ccc2000004735f0babcedc4ef8d354a5b1073c76

SHA512
a2d6f9defcfcc2c94f47677ce98cbc4746bd43cc650147270efda8012c77b08e6a25171f326bb65187015988873b553e7941ecce49c52e3bdfa70c17ea629901

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
e84543d9597d0f8da78b2592e943faa1

SHA1
78df49ba7dfa62d42cdcdffd4ecc97bb1ec50e6a

SHA256
1718381e5ea3f3de6068f607f774a1cdd09eff012d943c46551a42b266741a7b

SHA512
2c418c0349cdf88586d16c1fcde8fb6c377778622937921f4c47dba1ddb3265d159c8cfe0e06d6246135f507ac78458737c5b03aa5803f6c98c9deb9b13b6c8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
b9b0450d6fa3076fdfd291ab33ac7c23

SHA1
85b243c16b39377486009247606e597471c7723a

SHA256
90a0b32c9745685caba6b54c72bcae4ebdbb163aebff30162198dd50aba75686

SHA512
d06be1451b3aefe56bf3bc6b8bfa0007d07f2fbc70cbee30c99950cbbd15b22a151d817b29f458baef75d17fd6d859410b10a8fc970861c4e1cec26c28fe8c9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
1f6387b5cae5b29155f290a89ff2d077

SHA1
8835dabc53fcf778af9a8f902319ab068af65e9d

SHA256
fd15d53a8ea81afb0a9c9077ed6a0f41909e3b740205a8c520918c1b8f0c1c51

SHA512
fbe30db37b8b825069406815186aad56ad33b28a30f6f40f83d569d0a8f7e0077af0d84d7d8767e4aa1ee44ad9efc55fba00ba45da45ac7b7fdb13736cea8156

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
3bf60128510896cf10c2de6e2470df12

SHA1
f8cac11b4d1b87ab7f874940e6f125d87d5f4a8a

SHA256
11c2b7c22ffba15622173280f403f1632833db14195d8c5eba63bc57a294fffe

SHA512
7faed279a3824b64467258a1ff16e9243f4e1df501c533d004fdaa98cc7acce7849311a6379e0ec31fb9a99687e168caa46db2dddb992c92a418a33ce57bd691

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
898f2ae319ef1554b87f79e635b8c897

SHA1
20deb39d1dbf02a593c3dfa1831415e95a143245

SHA256
016c9f8431ad946be5fe2621807876d55261a807d858c20b260151a7c441159e

SHA512
6a51c1570e0632810682da00b6895afff8ffcc81e091404879bdd85145a11141a26c9261a787ceb2bb74c6f43e4fdbabbc3f96512a6d426b0a14f57e5bba7831

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
7c898d73a963067a83afe53a791027af

SHA1
0be62126c5e396dba86bc545ea571e89e37dbe91

SHA256
a5803b78b45499f1a6d8ce7f815f25a976935afdaae0fb4098b380f90f16687a

SHA512
ec2f93c4fcafa0f6f564f05a4a064caa22620d176926c272cad3a29ddb165dbda3e9fbbd808a45b40575c735f1fdd84db73eeb654d700b2bf20c12cb62d48ce8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
0b4139c784f65500c295ad0997668fd0

SHA1
5babf9eec1880cd6d633939e2ebe335f1f85cef0

SHA256
33f1f052d266611e3de30001f790e5b6203b9cfb8ecd4e139d9126748702cad2

SHA512
62afda6dfae514a6ce25104189a66eb33d085a645034b7d863fa2b72d80b61b768110fab9a6c7acfd4e1c5d49b4081a4f5d2274aab30b9855c2363603410c0c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
d499835156b7b0ade648168ecf7e3da1

SHA1
33169a7b0f3d7eac30061846c8fd03e2483c20cf

SHA256
3f10bf9f9c347be9bf744ddd346506d3d33b32542deef6f061b4e5fc97f4f048

SHA512
f24c6849ded2cc52380e33bae361927891f2f5a81c8c9a8b4792e61e7340c57dfe274b9522167fb6f003538c44aa7a45e7238f4668dd86d4f0e756a848b1c3fd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
c734c78c1b429b086be88622c6f451ea

SHA1
68ad1602e6bf9e44a69ce4f9693204bf5fc5a7f1

SHA256
184399913dc1d8f23ee4108cd33f6dd952ddcaf4744540759bf7e50850d7e801

SHA512
7eecd764ac8adb6a5eeaf120dc03fb60429876ed09e5007b89460778136ff3be4acc162c829069c57d34427726727b9654c1bc020a19f534b7f476e1b78d0b14

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
7ed85a7a74ef32ddc17301841212d689

SHA1
eea22c88ee762dfe2d842b7e40c3f028ff4bff89

SHA256
47411b17e1a9c57b90521b60ac1b38b99cd2759c698887aa8adb92c58df4aa16

SHA512
50ab045fe7bf2fa4b9f21377432fc63f7a1b5f768a1a94027199b08ac69a0f9616b3a7b291bfbe9d2d73071db1036ac6bce8e6f515d67f923fd062ed180011d3

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
34KB

MD5
0be78e11cc5f6726f8f8afae9481d6b6

SHA1
5e9133ae05393ee401628cfe911120d8619dab03

SHA256
b0cd938d959585a394a942b1450e1b216e13f160e3c3c7f1d23e3b7a2e99597a

SHA512
7de4a264cdb4a7e23089523079f3a545bbea0a9bd53497f927ac5eb89e4f2122e1776325f9575cf374906fcb1e55130d61e76792a12cb561918d979088851af5

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
3b1cb46db6cab65aaa9fe119320893b6

SHA1
aacbcdd8370e987a05528da025cca8089b8b59a2

SHA256
6b1f6bbc4acd0ab5be48c584bbd78dce9db0875c1584f9837e0cf86231429234

SHA512
f08623b2abeda3188b19b3b645bf3f3cdcf31489c947dce2b2221cc362c963ccbd961649a023378f6ec540451a5ebd6ad52a7106e23a5e2b45e81c8eca103006

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
be46573e34c48b5eb367828c2c70909b

SHA1
fb9737fd20fa10f1e817b14d589d764ac3858885

SHA256
3a7ad9da727b32c67dab54003ccfc7c0a30092902c2474014ad894554a7a6867

SHA512
17b40dac560e513702fb75a7fb843bf30ad9c36c012874e582583e9443fc21423bbe9c5b92163614a2459ea05be63ddac3f6c5fafaea1680af4da8dd09d18a12

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
1cdd848c7bc76388af19ed8c5cdec5db

SHA1
56013e635620bd852f3e565a492797598847ab69

SHA256
8b429a4d813871bb15238487483a25ea51ea254a3a29ce87dabb5e78eb6ddccc

SHA512
dcfb7d8a9c5da473f69213dd81c9f7b7dd5454511c8532c8bb7a585c37011952707df12cd7b7f5ea43555ffc75eca7df060b314b71450bbcc77c0b33d82ccf72

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
f800122e3bbfc7afefee08414f23afca

SHA1
00df719e97776b02e922cbe10a43b70b6e86867b

SHA256
8cb1bed1c6a42a2980751c69828f79740b310600be00629c4bd70d09f28faa99

SHA512
8d147e2b9c0c4155dc3213f8302f2acdaf51d2cbe77d0833807a5ff4e806fcb8d9d6e7017f803682cefcddd951f1d7932350a7c6d9a0c8a2d032b66cf77be7f9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
73bc29a808820b6699b9c6cb73b8c91b

SHA1
b18dad53bc7a50e6104ca024a13ba8bcc6eb6351

SHA256
d32dfc22b0d9784ab3427bee497508c6f5d1bc50c13b7a4f01fdb3fa935b1f41

SHA512
67ac6714967904adb35720171802db4c51f3e2560108cd5d3a5d00d0bcfb3c531cb6f332b3f5312b5161965d0fe9e52b52c7f215a7119b896e1578399eb9e95d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK

Filesize
1KB

MD5
94410ada34b86c6d8b936f65f0e831b7

SHA1
36118e8384f5742dec4d02356c885ceee9af2593

SHA256
0eed93cf470a7aaaacafc0b5051dbe1f9294e6719ee8ef860e19e0fb9802b10a

SHA512
a5d2d6575f92e7cdbcaff4c8467492deb95fcc7cbf3e55a07d54f3baf71d70db4a1f9c7dbcba018915463ab2a15a2d03a3d1910c834252c97f6051cce3b26d9a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK

Filesize
1KB

MD5
090a5f140daeacb91ba4e5fb98d157ed

SHA1
c9b98e2fcd76da6b341dd1a9ba7c8e956cf98734

SHA256
f9a32c597041e8f88ccba5d3ce5fb3c27dbdbfc36ffa8a663990cc757294b04f

SHA512
be6fd6c105525cad8f788363c6f6d1fb4ce313374b51365f55fe2a3136ba66d900896f1663390ca6530b0a4704f09d5c474902e90762691839f8c3d426f8a696

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
17b52023dc1ba9906c4e891ea586bc52

SHA1
493a21dec46f9ad812ed4496e025f4432d827108

SHA256
cf61225480e98cc687608da24a5524201c8c61c3ed0d27cd6cfa5ac5af46d381

SHA512
a82055e893a76a406bd5ca06d730d4c27f6603818286ecf8e92ef9b8dc41f05f0196ecce6799324403b51a4c55fe810fb1644bfcd3c73c03399155df2de3ef71

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
246KB

MD5
60dccf9e10c8e399e9903571d81f7133

SHA1
1fa4312301b9fa437f3a147e8e9087b1c5c620cb

SHA256
222ee6482e419498a33baaaf5f8d68127c24457786b6b98dcce37a20cc8eb76c

SHA512
c4a224aaae1d1ca96bebcddcc23ec8c2e23865e96439d53c3cfb99ccba2149b38462417d57d381af8fc96476a6ca353c55fc225a57c6cb26a887f4b9ff97cd78

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
1KB

MD5
6ad2be5df5ed687637edcd308bd3b707

SHA1
659ba4e513f334842af034cc1ccd8437dbf0cac0

SHA256
004a78c8f36ebba89b6e7a845ddb29b1db52837ed20510c2f235dc5356fec5ec

SHA512
dfc6a67c9aa42042a38da38445fb211a3c4cc448b8d268a8394291c9f910a6c0b854f12e4c07cbfdacd1ea8b650988cc3ef49a78ff8462d04f84547e40a7e528

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
1ab812ca49bbb4f845ba695a70efc58f

SHA1
ec447a36c3df293646aa783ebccbefa518cce994

SHA256
da225de46a1dfc50f784c4e2bc263ab3cf179de00dc8c599be1c1358848a9def

SHA512
66c2a194ac2f1f5d6462c9ca025b30637280c07227acc03348c7a787738d340bf9e9d51707445b2ab1a34a6c9fa2bf7eb16e0e063a636b290f3502b4c69f2fe7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
a4bd0e866e825e26b39014d2686b3e7b

SHA1
80f29587cde14ff91871f7d0edb810c8179fb4b4

SHA256
860eaf1daecddf2114c4df7200bdd6af40972d1915b760eb196965b3bb819e0e

SHA512
7f4effd6ac178117e6cd587cf312dac8e9ab10f9478d5cde8a280697cd30e4fc787f9e4fabe9be62b2da6587ea9eecf614fba4b3a5d6c7393ad6b3f5b985edcb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
68KB

MD5
f8865d8af42fe1b618bef47702df4f92

SHA1
df2c50750dc0ca224eff8f672219648fc515e312

SHA256
63594cfff73e90d50f967bac649d15e1c54d8088fe8c6088527b10ae419ef6b6

SHA512
326d38b53f6fe4e2104e201f24835b13b28728c95c10de23577052ebf8adbd839fd151c3e0114d232d405308211389a92f67c53b5a998479b5f7dc071fc6012c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
4ee26ff02a5908859d7c7d71cdd519bf

SHA1
ce5c5be3963051f6a19175237c0b67ee45f5ca1d

SHA256
6de3a4e6bac6a56b8d8f0c03b7f457ccfb7dd5fc66a0e6e9978013173840b1e3

SHA512
aef37c339356fba6e17c673ad53aebb7ef24ae0884600a28bf6d77988ff66c75d4c99f98d7c1d67c2cd62652605f9fc1b0fbe80a69ea3c233f02323f207b6f33

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
d1ed71f4bd9ba92b0fcfdb296b17bf08

SHA1
bcd7e0a0e4fc886ec028daba468f4c52ff5f860b

SHA256
481a1429c988c4c7317e498601a406636b4df05172fcc27de09952cd0c514fea

SHA512
f4e6dce85edcceae97dcb3148682b42bd87fc732e0b0816fee99869f2c94e9817ece9fed5ef32d28ad68f1fa2894df4d3335ed09e07d59028b40f685a3146891

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.itlock20

Filesize
624KB

MD5
3496c0dfd79b90858cb30ad68905ba44

SHA1
4b7c0fc5a1cf388969fd0a22ae9916b27d92e262

SHA256
1b766db27d266af8949596fffec49cdf9810b02553a08ed5b9cea0ebc5173757

SHA512
cf517bf0fe3baf8d4dcb6df76fbc55cd8a14fb0b1b0abfe6d22ba08ed8e6ced842f4dd2764769646b528c7fc6eedaf45dc556ff6d7191beb4bba8ae93969aa7c

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
a1ac743cf9f23f16e69e68b95275ef11

SHA1
05b8fdbda4d1c7c10dc82e7ed05b8498acfdd65a

SHA256
1f38c9f74c505fa53c3f5787fb4135486b99e3fe3893580ce6e6c1068b360338

SHA512
192e9aec9803c0acb27392da20e367323a87ef83a8b2a8f067de974359c52d424f2988b1e8bd9de7d34df17675e730853f6162832eb05281a384407213bb111d

Download Submit
C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

Filesize
737KB

MD5
5fab8639b65e6fcc70796e2f5b7952f7

SHA1
3d0618df0edf3695bc7a9763976cd535fada4c6c

SHA256
78e61a5c39725b7aba173118669e0c3f6a5321fb974b92b2a260da8bd930ce7f

SHA512
93155462f891d7a937a6514588d4a57540b1a5b1b4fe5f9b1565663557768a11e8d09524de2211525d53fa0416420e0198906d3ac95b5e935f65699c58b0e6c5

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi

Filesize
141KB

MD5
5e37f6ad94eb915f0f6f227e3d9e54a8

SHA1
1b957a61657d61dd31e2be07bacde00330b517ea

SHA256
c433cc55f88845e830228e2339a33457c3c17d84fba936249bf392969ce0da6a

SHA512
c288c750d7218b0ddcbe376e9ea6db830a4b63531b7596fc29c7ff232182d339ad8f1ed9b45dff21b58623cf12e26aedb875c56b808f4c521fae09098401ec77

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

Filesize
1KB

MD5
05f420ec2b2bf1d1fe2fc91692a3cd4a

SHA1
caaf1a370ab5b029aeba10631ad739119aef7682

SHA256
4d2ce478b4d1647fe48a7eb5d7b106502b921616999ad530334d86760697857f

SHA512
9ab5858f7379883615e2997d138699fd94b7a95ddf60e13560b7784b907c4832ac1ddca8439af95eb6ef6f004cd4a59bbecf99fb046afcd4050fd7284f2fe5f5

Download Submit
C:\odt\How_to_back_files.html

Filesize
5KB

MD5
f145e4f4d5a974158ea93d1c1ee609a5

SHA1
46d0b1af19cdf945d95206bc9405502b533d054c

SHA256
a488030283834df84c64ead0ae1a62e104d5dc164aab6caefe409d24d100acbd

SHA512
3b8ea096e3d738a6d019e62b7c7bf3e4ffa2f2bc6040fdc6b38a3309b5a8edd737e212703ddc676c3c3cc1c3ce507c813bfbe38c6328c1ac227a1ab5528d8af4

Download Submit