ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">bLlwAHKii/wL4gEdMplyLjRMj75PITHBLIynsBDDURidfvDSmb36koPk4zaXBBZHO40fw28HNTyhZviwzroHydSioGOmmb6zaB5F7qTSwU6tHi0KlVgu/99+uRxWmn0auqgSQ6fHT4AnyBlwHbJjWUtuLgWfB6MsLk7KXw1X950x9q9hV4oqphXWuzl7UqJz/OCPoQXXxtE81QPoWwl4nkiItO52XIzLTJLvwVNKc6kaIXuZk20m+HZfJegAoZ05HS5dLnhiu24Zrn6w7Vrng8sR04jVeFmDJgE+o30ktwVH69e+QSSMBNfcWxScD8uQWtTOmA0SELxVfnfcVldo0vVs7hiWhLEz0PMv3mSlV7LkltCNA22DODQ+24IMPNl2sroY0irKVhx94o7gXcZwth4g9xLFLzKpvdV+/WEcpdBRHvgVUzPlAC/BWo9/Y6DawDGPM1y3p1vu4xkOJLl8zP+5JOaXu6HfUm8cJLYcgP/1MnBKc+vbjK1T+wJrSlM0QnIJYpanCtuy9gm/JlbJWNq1X1cBpAiz1P02dhRnxXECIImkPljfi6Egh+OAeKYweznKULOScojys56CA7guvjs/B35guLwxqioNGPitQ++Mt0QpqvOwFb0pmysJhOh7jiB7hiOlEzgxbKRyj08CJJy4Oqg8Z4HEiuSXYS1b1VCcEd8P/1lMCOxhJJhNfuy6Pk8eEDfYAaRcneXeqDFkNqTiL1i+V7v9mlnDuKucgrfDGjwUwfwTXB9RzDxhp52zdp+Hzg4KsEGZ92aVgzGlpzxm6/TUDxcMwT8PEQQPcZGEtx1A9UaIDre94biFDTyb09DjFHXwgcg8gvorMBsHJ1t8dlbUhBfGijeSjMiYru3nzLdH+CuX0zEpNX2tlqhiD5VdJk2tMlNtVYPnDMlSwy15DVBN5rFtHOwhgGM1bfDgmX91mMv6BdKqarpEKmj5CsQvg1t4WmzQAf6AM0mdTy61GZQHkzBgjKS/CeKM0TqMEyNwT5TJnA/hO1M1wmEsnbHNinESZxZRxv0vccBISSA+yqQXTaGuox7tX41kyqb8uZoURUsRMyy9Q8+zEb1sXtJgOKZw/mID9u2LMZC7gz0FbrggYofwlbxTlq86zwykcHYqQRJCIHAA50pfWid06/+kNanaP9hUmgoOor6fxRCG1M5BLZa0mKiQNsYbR9/4ZDpXQdRNsVfVROEUANW/3EtteLa1VT4trVBQwm9lHMwICWA18DtsrcFoYObVc/MA6G83zAng5Meya0V4TY7AOT49+ZNnrxKzM3ZFqNc7DcfcgEksbq/sMZD3uDzTZHmBPTFE44ocsS9JXyJtHPPOb8bQi6GHP3urtqmc9q761zJsP6rGu7AZJTjuelMVoiKETt/T91XSx9lNKWvjxhftJFtUAJH5uRTJVUR1Sidv4udT29SUU+8Ri/++ThTY+3oMM17aJQws8e7+gy9Ip1DWohDz9gX0lNcvsXAiknqT31o6niUNwLmIykQnUsJsdqjIi4aq47ousPCtatCz/Hwj3FNwksep0I1qbTcCYxGCQcEmkiMD7x6iKgk6mZC+9GasHZtAxNsYqmtnpkoWEwSvMkfkiNXJI9H9ygjP7jP0J7QX1hnFCp9UAAZcfDxH2SuyULGqtDDFdPhV/cInQcF3XYmq1H9BWF1LJ87SMvuxthKFf+pxDVG2iPOAdZldDp4=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4704 created 3472	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	43

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5016	bcdedit.exe
920	bcdedit.exe

Renames multiple (6546) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1168	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4900	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-100.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\fake_logo.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-100.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-white.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-300.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rll	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Latn-RS.pak.DATA	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-125.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.efe979fc.pri	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-150.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-400.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\3DViewerProductDescription-universal.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-125.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Common Files\System\ado\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-125.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d0.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.ELM	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\TimeControls.winmd	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\UtilitiesCpp.winmd	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-200.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-400.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1708	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
320	taskkill.exe
1724	taskkill.exe
4520	taskkill.exe
4960	taskkill.exe
4756	taskkill.exe
3024	taskkill.exe
3756	taskkill.exe
740	taskkill.exe
3396	taskkill.exe
1532	taskkill.exe
3096	taskkill.exe
552	taskkill.exe
640	taskkill.exe
3680	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3336304223-2978740688-3645194410-1000\{081C4DC0-BA83-4447-A9FD-3D082BE805A2}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	cmd.exe
Token: SeDebugPrivilege	3096	net.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1724	cmd.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeBackupPrivilege	796	vssvc.exe
Token: SeRestorePrivilege	796	vssvc.exe
Token: SeAuditPrivilege	796	vssvc.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4720	explorer.exe
Token: SeCreatePagefilePrivilege	4720	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4340	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	91
PID 4704 wrote to memory of 4340	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	91
PID 4704 wrote to memory of 4340	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	91
PID 4340 wrote to memory of 4820	4340	cmd.exe	90
PID 4340 wrote to memory of 4820	4340	cmd.exe	90
PID 4704 wrote to memory of 2300	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 4704 wrote to memory of 2300	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 4704 wrote to memory of 2300	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	92
PID 2300 wrote to memory of 4736	2300	cmd.exe	95
PID 2300 wrote to memory of 4736	2300	cmd.exe	95
PID 4736 wrote to memory of 4960	4736	cmd.exe	154
PID 4736 wrote to memory of 4960	4736	cmd.exe	154
PID 4704 wrote to memory of 3428	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 4704 wrote to memory of 3428	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 4704 wrote to memory of 3428	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	97
PID 3428 wrote to memory of 3992	3428	cmd.exe	156
PID 3428 wrote to memory of 3992	3428	cmd.exe	156
PID 3992 wrote to memory of 740	3992	cmd.exe	99
PID 3992 wrote to memory of 740	3992	cmd.exe	99
PID 4704 wrote to memory of 1828	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 4704 wrote to memory of 1828	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 4704 wrote to memory of 1828	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	102
PID 1828 wrote to memory of 3200	1828	cmd.exe	103
PID 1828 wrote to memory of 3200	1828	cmd.exe	103
PID 3200 wrote to memory of 3096	3200	cmd.exe	161
PID 3200 wrote to memory of 3096	3200	cmd.exe	161
PID 4704 wrote to memory of 3036	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	167
PID 4704 wrote to memory of 3036	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	167
PID 4704 wrote to memory of 3036	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	167
PID 3036 wrote to memory of 2980	3036	net.exe	107
PID 3036 wrote to memory of 2980	3036	net.exe	107
PID 2980 wrote to memory of 3680	2980	cmd.exe	108
PID 2980 wrote to memory of 3680	2980	cmd.exe	108
PID 4704 wrote to memory of 3368	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	110
PID 4704 wrote to memory of 3368	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	110
PID 4704 wrote to memory of 3368	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	110
PID 3368 wrote to memory of 1908	3368	cmd.exe	111
PID 3368 wrote to memory of 1908	3368	cmd.exe	111
PID 1908 wrote to memory of 4756	1908	cmd.exe	112
PID 1908 wrote to memory of 4756	1908	cmd.exe	112
PID 4704 wrote to memory of 1460	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	114
PID 4704 wrote to memory of 1460	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	114
PID 4704 wrote to memory of 1460	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	114
PID 1460 wrote to memory of 1492	1460	cmd.exe	115
PID 1460 wrote to memory of 1492	1460	cmd.exe	115
PID 1492 wrote to memory of 3024	1492	cmd.exe	116
PID 1492 wrote to memory of 3024	1492	cmd.exe	116
PID 4704 wrote to memory of 2180	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	118
PID 4704 wrote to memory of 2180	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	118
PID 4704 wrote to memory of 2180	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	118
PID 2180 wrote to memory of 3912	2180	cmd.exe	120
PID 2180 wrote to memory of 3912	2180	cmd.exe	120
PID 3912 wrote to memory of 3396	3912	cmd.exe	119
PID 3912 wrote to memory of 3396	3912	cmd.exe	119
PID 4704 wrote to memory of 4128	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4704 wrote to memory of 4128	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4704 wrote to memory of 4128	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	121
PID 4128 wrote to memory of 5108	4128	cmd.exe	124
PID 4128 wrote to memory of 5108	4128	cmd.exe	124
PID 5108 wrote to memory of 1532	5108	cmd.exe	123
PID 5108 wrote to memory of 1532	5108	cmd.exe	123
PID 4704 wrote to memory of 4244	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	191
PID 4704 wrote to memory of 4244	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	191
PID 4704 wrote to memory of 4244	4704	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	191

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
"C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4704
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      PID:3096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:4612
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlceip.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:4900
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:320
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2368
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msftesql.exe
      4⤵
      Kills process with taskkill
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2508
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im pg_ctl.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:640
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:5052
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -impostgres.exe
      4⤵
      Kills process with taskkill
      PID:4520
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1136
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:2716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:5028
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:2488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:1780
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:4584
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:2160
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:3116
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:3144
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3204
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:1984
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4480
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:920
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:4432
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5016
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:3444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:720
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:1168
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:5056
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4852
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1708
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:3924
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:5016
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:2948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
  2⤵
  - System policy modification
  PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
1⤵
PID:4820

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
1⤵
- Kills process with taskkill
PID:4960

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:740

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:3088

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
1⤵
PID:4064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
1⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:3236

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:4616
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2776
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  - Drops file in Windows directory
  PID:4900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
9027ecd027214ccb8ef0059285e531a3

SHA1
ee92c13c2eb49a21e08029e7baab89365276ae11

SHA256
4b890d901d409654cd1821e82e9ab3f96cb84c9c27ea3f30f2eff1adae81c00f

SHA512
bafb44d3a44787d183ee9188684d187b2b230aa3de3087a602ff4cd03567fa45523e8becd916a53c67fe34d2fd5a83d96014bdc57f8a3f2930d187c937ffae1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
b02617a51225dd07553f2fd3a458ca95

SHA1
7ac180f4cd89e52b9d78788263ae548654117b79

SHA256
5a8d396e314642bdbdfae3dc1dcf63c4b012a2b497be29059da9661d41c22736

SHA512
8f8080a14d073b0399247c0d9ff392e360d358205baff3f9a59432f797b153e8f885031aaf39f0cd45bf822ab8b95a633da399e3da3408a0e191f20010e2d638

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
d0de6ee091845884026ff4a2df0025dd

SHA1
6be59bcb3815f349f3e5bbd7ef320e91db29cf8b

SHA256
a6b347ae8561aec924457abba4d8654f66b2efcb402131b41c10cbd7e8bc7ed0

SHA512
737d09c4fc64b26d6f2fe076dd90dfe7e01e8fcbafc42c8b2fb8033c44447a3ffdab7356ef854154b07913669deba91e9ae0e5787893c283919a742f72445ec4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
3KB

MD5
981c8371892a461e7308528d5422c119

SHA1
67b87a9855e44f7e183aee908e3b2e6ed45f9587

SHA256
8bd0580e2f7a5bf5c6b07bd1cafd26e51e65f9257d45b5ed1cb3f1aaeb0b5578

SHA512
5ab05e454d682a6fd5ec9df264116641bc8d45e89d48ca0b74895599b639ae4c0ce498b0322f517422fd8b195f560a586fa61b7cfed338c78424828f64eded3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
5KB

MD5
abd050139550db447e18c0c1b937a433

SHA1
d76fa5a90d52ec813a82a68cc854c95fcf3294f9

SHA256
8691c67163f3fd0198119e4b0094f4e15402917da020fa26c13478b566a7f40b

SHA512
d3961901c770eefa754592233f81d06b191834bcf766a9a50ee5758be11d4b150bdb1208956e051b09e5a36c775fc5c829362c677a1f9d0a7d634e66ff7abb00

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
5e194b1008a63dbc93a4a2c89815ed81

SHA1
ce844ad578ed9370874c80eeef4a90dc9d926c69

SHA256
6d45f5e4e3efbcb1d0e85a2b582131e2af25a873d4958120d08e3d286e60bde9

SHA512
38c2e7e74b4eac3f53abc32446c911e31798f28c01c1f7230108b3fdf20216068b6612cb98e42047244a8089be3f0eaa6d0af89b0ee70ea0447d960862de9169

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
04d6d98a1f3ab7391a3fe9b0c85f9df4

SHA1
21e1068c1dcd54a8238446068905a86505315180

SHA256
40ead9d83a4cb78106d2f8ba6ad188d52329460e6ba287d175dff2814cab9e92

SHA512
f0fde7c09bc57728aec6f475f6125b62570cb59eda0d764619ce857c4ac0089767bffbd8661144b3d2e4df529780010c5ffd4c89baa01bc5b881aea3f06ff68d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
966d2593e4a17c3d2c3446ef24cf0fde

SHA1
b54bce27030897d9499036d726916c5078dc4b09

SHA256
91100013b18e1b4aeeec54ac57e1e8d1f684749dbb2e22d226a3d7016069b74b

SHA512
6e9f6f343edef64143fd29661a65b7fe30e879d46863ba09819ea16d1ddfa1c335024024617d1c910f4c70aaba29d4eae894ef01baa8444eb0528a6a86eab06e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
ec29c5d6a8afe1a882092b7fc41f529b

SHA1
3e8a786663dc89ec3c51b6c30f4e83de785293df

SHA256
cdbed9dc8d9ad6e1203b3e6441241ae0787badc004c8fec59f276c3a343efffc

SHA512
4c97c29b286424d50c2efb5f9c08a63203f55ce0a8eaade97f446eb69e3d50a1df26a8006a8e0a98c7d37c3ad214cbebedcd71f518468ce0b54eef242b02b3f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
c04def50adb1ffe2ced98d6202016ab4

SHA1
20c8045f0dcff4e2b6cab0582357836be59cca4e

SHA256
e365e6a50dd4dfe5646f8ba97a248f2ae7e20ae4be0601cbc643f11c4e99b179

SHA512
0c46d922b1eb8c4afdf3e072e9bed7475cde439edc907a3e1448ac971661218866e9c24885e07c7d12a93fac98609c0ab793dcd13dda98d87bd0626b9f7b000c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
732173e0d5892d0c75c036788f3aed7d

SHA1
cc07850483babef40a56ecec18d8b16f39f2f275

SHA256
1a1b7345ffd2d4491c961fb6da1fcef01690e9fdd83685e71413a9af7ef06a29

SHA512
7b333fa7954ada98262c6c36a481ed74719890683ece7a23919705634a658a251489594fea9b8f6742a6a5155059b19a99b2f9e8da266036e2328a8635091a2e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
edac3afba5ca02fa9093ccae1e435aff

SHA1
3d77373be7981c114c84e1317a7cc09162ed52ee

SHA256
cf395c205e8edf37df48554e6a3854983c895b1496becff3cf6105be0a9f5454

SHA512
4cf9faae409bed8c7a69341e5d320f7b2a156cda50dad2f06f3dfa0c408573f9b4e111e69a3df48d56e43c8ee270ae7d0ef56f4d6deb3c7f4c6029ec404221b7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
5c97299e2bace2580c2e69b4a958a612

SHA1
9cc6ec1411dc092e64e4c093412d5cd878ea97e3

SHA256
d863fc2cced64f3e334fab8382fb6bb365d9a602a585138fa54aaa2b4db3113b

SHA512
1e8504f0b7374a9c4d9415add9c56d5e32a5105e75c10d9da405dcfeb5d84914e7af975308e57391b41d05c5ae55638473e6baa29ef5dfcd1a0ffadbc49b8d2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a30b93b069887dcb83d4e476d9e3f9ac

SHA1
9adbf0da52bc56d7190a0647ccf4fbf888adc681

SHA256
442b77612b4cd64c72c6fc81381df297328d6afeeac7194e85605ac8c4896207

SHA512
d5b387d4f85d877c4e85867ba72df97a4cccbdb10ca06d49fe76e7195a9613dfadb104f96e0c3856546007cd93b4b0767559198ebd6efa8a2079f0247a1aa041

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
3f9c040cf02e37a5227bd40583a7dfd8

SHA1
941b701f7d2d78796962d6ead08f1e3fc0dbd545

SHA256
40d6ea5ce51908f00e5efe669f72c537ad8f731105b7319aa64cb1fdb9385f29

SHA512
d586093cb7516d871c228192c7756d783cb3f92f01e71f25f77b2ccf035cc9443a1974b68cbbedebc9454b2003f769750fd5a519a669d81d9b9b6ae149a00c52

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
07939935898f4c84b2a36a42472df72a

SHA1
909d34ba79e03faf17bcc2804ab518dd6ef9de02

SHA256
49ddb822669224148746102de3c5d46c375e38b1e0e00c6bb4d224388156564e

SHA512
78b7f7d48cb4d6117e451d7c7c641954f305883d8f31be6c73e64b329b6d881a5068e1ae6e51bb587c1fc4dfbf19947f635a999ae29b4f27ed8cd85c184ba195

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
1c7104e11409143479f74ba8321f5523

SHA1
d65405137589a30ab7d24e79bc916351bccbb59a

SHA256
367e20d0f7cc6765c284495968a47e45272ab27329ebc7243008baa3a27fddba

SHA512
799e192164750a6381b3b2a0f9653fe952e669b1a3f4016173bcb773f941d71f5b3dace3de7b64ff9230996384ddd573c85e2162792d05a64e41a05cf04ee828

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
6093d36920340a6ad20d8f3b5ce01bb6

SHA1
2bdc2e6fec7071a18b6d6475bb80e899d984d6e4

SHA256
0511a66d7487a38f7947ff4ce75f33ee674e38eccc514be97fb54113dc70b679

SHA512
d64e95e2d458676628203eb737e11b2e36ecc31348b90230d0ecc7f36b021b26d2c9299f562477f5bce3435bb3168db8c9663dc915a41bc09a0c30359398259f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
39adb085a081423bc6239dd644c9058a

SHA1
c3cc14859c6e1a73b2725ff57213349a489b0c2c

SHA256
a76ef44eb7df72e2383b2fd5fdb680856fab3f22dd8b1901b8dab44caa71d75b

SHA512
e2efbc769df87bd3990ec3a014937766bd60cddbcc93e62f11b12a910f514ddcbc49692be060f36289a260cbe70762410ff2ec9356abca5eb7f58537f3a8c466

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
053c13381db9680427ffb0a6f612595e

SHA1
a5b7bc29c089c0d9bc8e7f15900b95f582c9a625

SHA256
a913b15ac4348b034ef3401ed985aca7f8fb9cf68e0865fa050770f7d3b26ef0

SHA512
17f08595a61cceb7edcfc134d1887eddc7dd6d1606c06c8a1b44a4f60a9f9ed98d2f31f7b7da424aae166a46ed30c128135107850cafe2ff20b8f8c1b1b67f2e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
ef3419d1d12f148d05325d0effc9925e

SHA1
5d083b3bf14b1f595cdb78fb926b3e835e054dfe

SHA256
290fbdaf01951a3e6df763257147294391f0f3ebe8307ceca836961314974f39

SHA512
7598b3e381e4007263f10a4e75552847f12f29d43412ca9d3768abe8b3fd93fbf7dcfc718ddc652f97c7ebaaca4da7a55183ec008c2a36a3464215dc2ed261f4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
7ce22f607b2bdf9182cd6991a0339bab

SHA1
11f98f862ceedd8f0cb1cdb27c65956d8da74ed1

SHA256
cf053b4a83f8387e200dca470367354b242b01a5e26a24218fde56aa6c99403f

SHA512
f7d69d84bee13cf40028cf9c0aec6d3d93fc9b1e47b2191be95f1e6f1c6b17b285ee37351f1f5264cc2c21b6b25a258085f3f274981bff04dc493d84b4ff53de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
83a52e31988dd45bbd0872a5e8a873c1

SHA1
0b75342dba048844937e7e9523377cbf7769ff8a

SHA256
1dd729142bcd88b5404b3dc38741676680d85b781d5d5bee3c3694d9f313fd7a

SHA512
d4590fe972009ff7f8f6ae01771682813d14619095dc56977626cf84abb6ae6991646285edb932aa7f50526b9073d6afc4a5769a82d50f19f172a15980513d50

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
c36c8704132e18758e45a52d465856e8

SHA1
99cca2c4b032a873065ce77e63c97469efa1b87b

SHA256
027083a56daab47390783e27b2fa202bd81541b0250be0c5fdf893b4e5a856fb

SHA512
1655e6896e83591506e146ed664e830520c322551852ded20ff01b39271b0d841fcb852c26269a9d1a9ef962591f5efd77560445c157fa1d483fde35e271cb71

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
2af69b2b428af750fb4272df4374a9d3

SHA1
f0bc3bd3716085aa830a62513a3c190a0f9973f3

SHA256
1cef8443c7b98a9ad610fc13cb5a43f575e62f7db21ad9812c8437db39fded9b

SHA512
3da7c4526a30b6ed563cafb9ccf385f4ab5054f0ee29416fc2cbbd0131c413d684cf75321be69a5c8506cd318acb6ebeb2c79c7f10fcb67eec38d692bac3a49d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
9538bd61592b2c9ece1658c49be8ded4

SHA1
60fd73311d979871fba09b55625f9dd5d7d9dd95

SHA256
915b3c70051958a43151d657b9d0ef8355cc1571d5652a91ea17e14803a6232e

SHA512
3ec46894fddb2b8c5ba6c2bf8ea8d08f5950529f647e64587798f3771f58ba75d6e7e801676e41a200569e02a98db328606ea3eecb27056b79c9f0e98c45e5fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
34164e47e6d119328f00c5b433847827

SHA1
b0a355133510f3d8c9f3e6a9f6124e2ad2eb57f1

SHA256
ecc649547b06e36d961f28bef84e3eab36a0ef65c66f729fff13aab7fa74dfe0

SHA512
4d7b35c1cde2ef8ad40a08503c4e115f5a992e5408d375f7a3972fe8a16b5852715f820b9cd51c74b62462ff103bf0501e692b58b0ca3a831f2f792b8628515c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
121e8c181fa7644102eff78f5ccd5304

SHA1
e3fa99486fc5e0141c8a53cd799960b9e619c594

SHA256
a13bf04054a64f1c3648e107a0fbb3f253df22a16e949d25624c1a1b11097053

SHA512
33afd53a22008c135a5ce34c4bff1ce7a2a92b4ab812c457ee7a6a8bad5d941a81156a9590ad4ded35ec095202e6e693495247870f911700195e5886b3d5e9b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
2136fe0ba379957dcedccf8d11bf2b1e

SHA1
0fc61ff9878bd6ea7ff067c7536590dd30eb8f90

SHA256
50e22256cd3dce36ef1f8b6a85f4916294b7f568d7cac3c2aeca4bd516dfbf94

SHA512
bc4da8604a525a8f8127acffc27dd400fa1556ed0f1260ebee165f6a908ac9b364434015bb3a5f2fa7ea14b3ac7850c61f0077e84cbdf3c401d4d9655dbff175

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css

Filesize
2KB

MD5
a0ea5c02d8b50c13c227852ee7723d35

SHA1
d2f0841cdc25534a6f16184508f7ddd361891b3e

SHA256
b478dad582718a7469ee32a1318317f23470373deb95f2728aff9dd09efa3ec0

SHA512
51a68047b36f830009b4ce0a321caaf9c8f09c7f11e374f60ac5697837499ea08e7563064bae713872cf267d6187cab9c0b32a428ca998ba45699ab014aeff04

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
787d120bc891d36043e8da30e7bdefb1

SHA1
8efd03c73be195fb65683fca159d0839d8d30d72

SHA256
2acca863093ebd7f780ee0dfbfcf46e6cdc8cebdf9b26f42ca468759e459defc

SHA512
409f648b46e7097e17464cf3730249ebe4222582e079e27650d2907b84507c8b897e1151f4ea81761e1136ed12ab7ca69d309d83fb29016db9b3bb67b0c34a6c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
ca97f0800e791aee055136ff8c066917

SHA1
1eaf9e65a39d1b63a32346464d9bcb40f1970a38

SHA256
09967f08274a18b70af0d83a8c8c552a446103603367b9b31c3d3c999f9706ea

SHA512
d7a15f1a50b1fb52cc2976add22b21a253de821dde53781dd2542228274831bad16644386053c6e17afd326d0d545ec5fa63fa7f0f62431b3208efc695e111dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

Filesize
2KB

MD5
eb7883a9ec8f696081163aeb067ced19

SHA1
c369d0d116b8c85d547954ce0cd09d05f00296c4

SHA256
93e0edfe9397a2bc0c2f8664373845782b09202aa0c3d684559ec16ae9f5602c

SHA512
7329f14d66fbcad55270e1133382774dbed072eb49120bf1e4472b112162f2b695af132178438e72cb107c2b4aa60ab8f3c9a67fa86216fcf3b58cfd5d8ad01d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
89850bbfa796ec6548feb38b259148fd

SHA1
6da291c3c5ba4bb46fa53503d4e4d0da612f415a

SHA256
9498aea4a1085be65fbbb3007150afb9c702b27353a50656b988cb8b49c60e3c

SHA512
0b16b15cb3ffcc6f5616318b6d77f104dd0e060ba637e803b5f195bf4dccb2d36c5fe808ac2fac56135386ac796785bdeaa6f5bcfe7fc7aeebcd42dd233cd97b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

Filesize
6KB

MD5
6ea9cc258534dec982335ac5ff61b659

SHA1
133f5e9db6ca96e4ab7662c7b49fe2bcdad017af

SHA256
7f91fc637bd8cdc14d51623f6a8248de7d987ae4ac56bd96cc8daf1a0d6802aa

SHA512
4b06f6975d669044f357057a3e7bccdec9fa0262bbaa1b61281bcd8c30f7c6310299f506e67304aefc100a97aff403b252ce33eb9b9a6bba9d5a451bafd27c01

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
64b01e6717673298f40518b66663d182

SHA1
c814b3ca6b44d0eb08a74b91ee08a1383e46726c

SHA256
34103c6d81c88b7752935b48cc4c5d4fccec06cbd757a9c9ec8a67c0c21a5051

SHA512
f3d2f45f596fc4cb4a8bab4f75965ae26f84aef4117fb3a0e14d705c9866144bbc2a5ab341d4a29f3a3331e819340d1e5de01da3c685d8b9a7894363d98506d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
8e2ec472f908e69cb192a15e6d697ac8

SHA1
09c078f439c68e22f2b8e8a38be2b49529fcb88a

SHA256
724d2051389ec621343d6e06f44bccb8b5c696585e00a2245af747845fe259f1

SHA512
2d18cca6884dfbaab2c5eb450d14006b4bdaa237d08cf4db30a60bcebc3daf6b286980fb782ab1111b10a278d1f3d0970410f84f27895d2632644a0df843cfbc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
194ef621e9e841e5b791c284bc2dcb2e

SHA1
1414b4448d9527cce575ba23ac3b199ce4dbc31e

SHA256
dd955d703b4dff4fbcd2d5ae6b00628b98c745d4a55c2a358836eef2e014abe4

SHA512
42cbe169372aca61a887357f6f817149cd335ba88743076267e17dd312f46a5984b9380e5d9ee0dd45b4ea46ce2b271e39470a54b04f1a0890674158d0b08760

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
12ce2a500191708834e4ce4b1ed0ffa1

SHA1
539a946eea0b4da92e5d6fc332951653b2b2890e

SHA256
f1da5c6e8e475050930ce7a6ddd4b74a97ed7a8055c3fc6105437b666172b307

SHA512
5f9d0ad85b5c9d0d554f4cd595320f26f1fbffa0f599032b93bdd20259f0a8f20457bd9c8afb174130ed48be6106dd32c8045a234f32a89842cb7063d4d4d3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
757bc63284e04938e3966243c5674ee6

SHA1
892c1c80e73a3863c728a65671297574ec9b5c3a

SHA256
ba2d8b1e3d0e92a0ef5c50f5c1d77cd75e0a38dae2041c99e2ba286381afccad

SHA512
c8d001e22718b42da938020faead8d1443b12bc687a0b1c0a6b3b4d19fe313cbc8ac301b1f76d07f91db35098cf39e42c740ba6a8ecbe7fbcb656ca7de4643f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
4ea1ae60eeda94a6c516c489c43a5818

SHA1
15b73eb0948c48eb2f79abcba65e2692ea0e001c

SHA256
512d986a94ac30917173f0119abd12d32572ad7c94128a03e11e66bc435bedc1

SHA512
b31a7531de5909049e07520c3c1db8a83c55d9dcc5a1f2bc5d6c0ade3b8745bc85f50a8ee2da889c037f05a0fb0b8ed920b7617f9f8e0ec3114b26bead4c5e2e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
b01d44acb833848a18a49896f42d0f55

SHA1
800a697f24afd527ab886ef89ed30af0e702d362

SHA256
e650ae762548dd9023ad4a0babe17c7d098253587aad1fd4a10afdfe5ac62860

SHA512
989f89dacd6a864e3256ada11a9000bdb8cc89d7c068dc0816b8eda0a424b747e176c572e94af3b9059353616ee4d807fa82390a2195cc75a042318e8b6d220c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
297cca7c6c4cfdcfb4c070b68c65e053

SHA1
1e30f228f4b986a4d669d83e6d9623857b97aac7

SHA256
cda70fa3813314e56cd39e64f62b6f28e03792e222a0d9279e194956547cb180

SHA512
aafca381fd8055ee0278f8602199381889b7f7ed42ed3ce0b032a7698693b917bac4a7009c5969501da7829e5dd89300ccd9109fd0ea3bdc210145344cdf3075

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

Filesize
15KB

MD5
063cabe5866d19f9fe031f8b3a9281a0

SHA1
693dfa9f470c904f7d249dffb2e15aee7d9a8ad2

SHA256
64e904e20a12041b8a29359af8e20dcbabdf3a68427133bea144eaec187a3e94

SHA512
7b50b92a00613e9c83be678de648251cec2da51ba29a5e82e193758c1e2eb1d3e1487c09ec43fac968183eef75577dab869ee9d35e6c989adc52c5c8ac561e26

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
b275e5bba3ea0cc64755463d4f6ba027

SHA1
49c47a54bbd412e9e3e573a490525e005932e158

SHA256
eb22351750c60d5b3cda038e3a47bf153433f7a30657aaf69f36b92fccbe9e08

SHA512
2df639e1b0f8a48dc650d5b8aa991b9abedfb1b1adea632e6d57cdb5734b48ac00444f53b0971bab538f32fa03543f26e375e90bf5d530350d547f6400b37a9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
4KB

MD5
10d1619c5ccd676ec274aab60ae0625d

SHA1
125bfa22bcc1320d95d4983134bf954d3c1c7735

SHA256
ecbae7d314fafafa0f1b3cebde09859a912dbc6c824b588e300f1adef174a924

SHA512
eaee0a9cd8debd100c9fa4e0ea00fbbbb649e9ab42d8745c39447a2153cc4dfb66e596a6ee5110227507b3677cb29f0aefcdc09c5463b84944e58df99ff4f2aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
3KB

MD5
a386e8dfbc9bc237317b380cb1b64d6b

SHA1
9cc2afff5a403ed650a7295142b555e518112d45

SHA256
fe7d8ab1640e564cc8cadbb29341ebc54f357e9d8d493d58e51bb8cf484656a8

SHA512
cee51483aed4c35e04e77298299ad369cdf954629c6eb892c7946ba5c5d3b828f811e99f8b97aaab192cba00e7847c2caa0d48c2f5418a91297b62fab7d377a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
6KB

MD5
65fc589ec7eb5ddc863bd4d22157e956

SHA1
389abb903a437e923dc05bd124961a5decd314fd

SHA256
53e1e9d9fb9f4ee444e5590bcde44187e2e554fb041f24bfc6cd41cf8d3b968b

SHA512
bf44491ecf8bf0bed7ce99fe27c40b459f25106553d7e4ca6da573d7e4547af1cac0ee4a76979e406af64cf7e4a1397e5c0cdc7e928b147e5619569c72c0e684

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

Filesize
1KB

MD5
83ecc869524bb06ed31fb4a88a0096d4

SHA1
e6dffc7abdf02272e365d2744006fd51102b0297

SHA256
257196c542907249ec75608deabc93f73f3fa265f1149b9c937df6cb536dd5d9

SHA512
55f5f8729da121941c2792f9751db10ab690889ab369dadb5464f93fbc8ad204d69c9cda29955f240a0ce8cfc7f91b094cd6b0bce85c49dd7c10b4715d73c933

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
1KB

MD5
6cc4e4c30e0d5df6b873102c24bfd734

SHA1
f0cc0de7b8b7886608f2d4fee0e97366e5ef8c75

SHA256
4fdabd95cff4087be01d88975508375e7ebc13410819de906d2c67e8bf232eb9

SHA512
e4eadf9670727c5a0c34d3719ff6246c25a96d11e8ca730acf04bc7d3805ebde75e464603485b0f2d247d4f36cb666f34d3780682371cf348cff18ba220f4363

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
2KB

MD5
7cae394fc2aa19e8e033a2caf7614209

SHA1
d87faeb58bc8bce5b50f95be4d524c3089cdbf73

SHA256
54d33fd16c5305633315e432bcf377a382c05e214071e40a6356e92196a02e61

SHA512
e6bd09ab670a16f77006e23b61dfcf391343353f6b7223dd04a4ed2875d15de53608f83e13ad58f5f2f29c76f86efc81497098431771bee59ba613fbfddff347

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
2KB

MD5
b5cb8943e6f10356e70da6f44a5350f3

SHA1
bfc724f5c992ce0e4ab07e668022d387da090420

SHA256
83b65cade00465fd569a270c89de3583671e8ca1b3776b98e7c3171349f0bdbd

SHA512
49d3e5b97aadcc5203cf6555e8c4772e8b5bea158f087684afdb28a52b3f074850b7dc9e095fc6a0d1dd67dfd73ec3ffde89d67186d196208977ebf89bec86aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
4KB

MD5
1ea44750ab80f79afa4f24a8129bd7b1

SHA1
115ae47fb134c64e3751361010bc0c20e80fba4f

SHA256
5816156f9d3d7166bd914fb178c98c10e874460e47e57b1b2e4e02739d9b09c6

SHA512
84d07e555b71920b95097e8311b0689e2146891fb71ef9d2ebf38a2e86a4405f22cc9c86da79f76ade9b19a73c59aa47d34c902215b29b4ed46138b96261d0cf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
bfb75dcecf8c84b839c6d04dbdf14773

SHA1
69399cb48ccbdfb192077f6967d43b2cea6a66f9

SHA256
68ae89756ab436436032762c3f3650cf67edcdc45f1e609bc1fcb2ee07ddc738

SHA512
30c72150a263a1b48e7480ebc4a0e29fe8deddb8a5c5f3b83cddcd7c2356041c894cd0dce04272778dc4803d0b6526eb847abda7b399065816676241cb8e85dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
57d0efd1a1a9308ef078525ef099b436

SHA1
dc654c3ec2f22a8ab51f84727cd44c3197377de6

SHA256
3daf7f92d5aaf8494ef0327e4688f1911f602f574d3efe58fafe208606060105

SHA512
5d528ea06b78cce20ed0828302a6ec69e25f0673475b4f516db1445d4528afb6bb80c1305ae47fa42dcc74211f7f2ecc71b0bf0287751838658c71af71c96d3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
1f8a2adfdf7ff61612f96eabd316bfc6

SHA1
bf4fa0388e555b9f8dc7391ad3502d250e1e129e

SHA256
5010c0eb9960c279d8ff518fb17c7a5b2e9a8c2d7b3a488e8d5a06f1474573c7

SHA512
cfff1c4c62ede1667ef7db671fbc2f93a1f96d11fb02dffaacaa0d367b678a695753d999a9e148a3aea1c0040593feafd9446ecf3f8a066b8452cb35f5cdc1d8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
3fabbaf754d8859a02323e91bb259819

SHA1
20eaf49fc182d8a7926088d835b865b876decb7b

SHA256
9bdff8d69daeb73b40d8dc6f3a221961b25ecc354387b39697f263d6870e080a

SHA512
a58a5575fb4af9788965ded2a050245a201cac4af886bf246b8fa6b39ca23e5ab2390e5a3bcc0c274aec6f0aaacd544cb02a1b6edcb6c77e7b098b20322e20eb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
3a61b86ef18def7f8bcfd35b8b48f830

SHA1
5c90c0afda34f32fcf789023ae84ffa43fd1c7e0

SHA256
9a8496b0d006b230f50ea8473af34dd8fa514198c35646b786dc07c2e0e91ba2

SHA512
5af7fe50cb03b7be4526b98afd67311ca808ed3a04d223c3274440ea43bd14864b50208231c0d13829c05bb8e32b91b15543220505cfb39ac5203ac2b8e5c67e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
34KB

MD5
703224c1bf24cf9c62c2c8bb336a28dc

SHA1
d3aee396c75b7ee40da5851dcff06ac44be40083

SHA256
c8c779f5857330ad14ff6da66aa13845529400427c7a12b0801881c6a602cfa3

SHA512
e130640c5f9927c61c303ce230b6d3720ddd545d82cb3fa1df59c4cb801d48fb5158767cb5e321ec1ab4e75557c979f87b085930e43974ffb8850b4db13ff071

Download Submit
C:\Program Files\How_to_back_files.html

Filesize
5KB

MD5
5155f40eef4048767efb29ab0ce5a61f

SHA1
74bdf7d02c81aae90990bbf67de2aff2523acf6c

SHA256
4dfebb9833ae5d9671e0e098e2cfb1f8dee77c3ad5224292127bbc7330865796

SHA512
9346d58b9e183a2fb07d365d0144a31efd15443cccb62637c6cba629ed59ebbc0892a7166745faaab22534ea8de0e5886e0e14d746765e900401ed3e49fb2084

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
c52ec295998c914afc499265803ae706

SHA1
c9c515007900d9eed67794d66ee43842d7d58610

SHA256
1c6eec040bcbac410b8f4fecba89e0045662cb58eb424134faff607b221cc5b0

SHA512
78fa4aba26b7b9123289d5dcb445252a8be25a29f6b8506cb27eae6a5efb954ad9d10028c614251637572d22ab45555d2eb6004cafac7061f533445c78dbc6ed

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
529545e5d5e1638515c9d49963cbe5ea

SHA1
159b69abe4269b31d30803b88912ff19febe1a4f

SHA256
1a6d8b95354b3df0023502c52312aa2da6f1b5d53c7b8873e61d22e0a01c4864

SHA512
01f6eaa75aec29f8fb54b99f5dccca0d59acb29a7caad9d512c682e406fa2ddd971aa43579bb961372259c023ee647fc0f013658d7a38c4e904a581714991e57

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
38c0697d6524edc68ac652e1eeb67f3e

SHA1
8ead593808696d0e56619f5968987f1c7f39810e

SHA256
9fc0aa82b361e4e5b48b570f26e1c74fbe5946965b854f4a7f531d41274f968c

SHA512
cf77719864715b9ae5e6dc0cc5ffce14bd24f903387564137729ee283a4281800a448d0a4c020a130b7f7c5d79a838877d3c07ba562f034a92efb89227bc46c8

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
24f092ad9c4d46cd1dcd6f1b8c796bf7

SHA1
4da768e657a9a4607bd15729d1450946ecab46bb

SHA256
6d30e71e5c63971bd2d2642a66dd99957b3d63b15162eeb6fb8f4e3b883d3d07

SHA512
cb19b7772c69592b9f5ce77cd78853204d22d4e38d999f24701c293e5eb4d901e95145960bb8a5e1722302dc655fdad20c2b75c4207051cd6f198d8d41261879

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
98a37b57805b77df77d213a07cf1bdc6

SHA1
6bb16ba727c1e0b07fd3a180e2329aff955ac6e5

SHA256
6f20a264f547f1f4e088633c03fbafc898a957dc5d06177ec8af7269fa9d64ff

SHA512
10cc501cfa934d88f6fd604e2f5a4513747d82c4e6f5cdddf573575f41d228efa5e4c3f1557a691a49511f42e8ec0a339279e04483597e1bea7085ec39790a1d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
8d2d1d006ffb705b386daca98984de5b

SHA1
c5858cb1c95bb513119149b86158c2500e5b51d9

SHA256
8243ab9059adf397806d6882c8d4129980ae89e40616f94a1afc77a37c03d398

SHA512
2b2702b61e369f398b293d3241666dc1a7a90d7410e1e63db2840a63bca0d096169666010c91674c3a93734dd9939809b8ac1cf4d225f3be6d059a49b46adbac

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
246KB

MD5
93fd49f7a15b14b6cb0be88af11d5cb3

SHA1
545e58fe61755f488098baf327b539e9585a8fb3

SHA256
b30316c1129d34094b3c81c0fd5d757530e4ac6a808d0deda8bc5ee29e91e701

SHA512
5a857b19155dc7f1249716f74040dcb81ceaa6653820bb322d787f910dbb842f7b8272f44d91d432f2f6fdb81ada3f7ec57fb8ceed0fff727a4d580b092cad60

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
1KB

MD5
e91c4228ce0a21b8e507503af332190d

SHA1
e2fc994607bfcabb85de77d33227d6d2ede63bd0

SHA256
65878fdb93255703e74a233da887bafc424626e1dd3f78acb2055e8a1522409a

SHA512
ba703613e0cffe7ae42fafcc15311128bf68959c2701231abf314e1f52123bf1e02d6bd12e5dd0376fa9166767eebeeeafe62baaa3667a723ab6d8ce00a85da2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
1.4MB

MD5
1ab876cc1538624dbf71196f35d90328

SHA1
464a59b24bc0891a7a142c8217026a338ebff38f

SHA256
5bb0d100c80a19a1cc39435c4da5bf7fcd9376ae3f96affb122779df4f5b9673

SHA512
1b31c1acd5f4c1ff352c03a0de793ecbe0a1823b63941f90ca4d52ecbba22ad68f9da44e49ccf7ab8a6ed77682eb221d73cb519bf246c41fa66518638361bded

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
d4e199df059e9ceb8942cf91cdaba8af

SHA1
0ded09e625169dcbab9b9a3983901bd26b07454f

SHA256
7b57fc5f2ee29f529d7a663f623b9e0ecd91b8b91e8b812c9cfb7f0c6a19760e

SHA512
cfde70c53d45ce91bfd4c232786bd9f131ec2bd518e683f5b3b3923ff587162e94450197ce6616b439ac04a21c6cc389015a343f1a24a6d2915fb848603074a3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
21dd3783360f6fb96397046d3ff8313c

SHA1
ba09c2bac9b70425f7d62a3b1418de8590c4496f

SHA256
3c6db63d8aaabc7ea59872788902623a533cd0583bc2858256f0ca739be148f9

SHA512
2dfe017095f3c712fa12646dc65293c63124d9611243ac613095da44290f1cb2d416f67c524a1fd68cf8bd506758e9c67e6b77ec3f5e9c3fd1d5178bfe467d4f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
53491ffbe4514823e0999cf762220578

SHA1
ec923834d8b648f9c56b02065055c13b394aa240

SHA256
3d0e87f3ef774f50cab87df6b4c976b780358f493a903530dacd0cd223910918

SHA512
b6d72298de4bb590cdf02dfa6ca30bddf064471b411810d74b32e7e105c3bacd1d56d5474414cecf45018058f28bc05c30ffac7ad6146e3191067b87c7bf33e8

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
640KB

MD5
ddabcd8a329110ed429fcfcb52698072

SHA1
f0d66ee9eabcd592e9af9f3a5dd5ca36986ea13a

SHA256
737dfec2a2931817a810493af4e9ab23ec3a30866d136db19c8540fa71e4947a

SHA512
0de8e612a0ab899880a1c29bf71136b82d74c22011fe54093e5fc7d12cedc7b8c50528048d8c093dc18b531af2b4780017495ad5b99c81d245e0670c7cbf2100

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.itlock20

Filesize
624KB

MD5
f94a777880ff0c30f7f4559374361a79

SHA1
d8c87614ad05fd1caee77c660cda2d6f1a302ab1

SHA256
b49c3252d999f180db7fd0a6a1f9481bd14accf205de69ac14d9ac56d4e7dcec

SHA512
00f01987472df2631494179cdf8033b2f59182fbaf024c9c71d08417581cde0df01428b9a7bff0a086659966df78d3ad8b6c0f1149bf4610272d806e7d227a32

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
8f242daa52a5f21b7432ca1e605a9434

SHA1
94db17ab299ab7487176987740f3a293f623f3d1

SHA256
4da8c68698806f9a98c0e7bd49d00d1b0bb907f50b206d760607f81ed100b7eb

SHA512
915334583190be72935d60fe6752aaf435e23e9e6725226900bf7647e6ec0819a426e8f0ef5ea772e17c4f717285df7f8568b3e24dde3e4a59b8910707b601d1

Download Submit
C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

Filesize
669KB

MD5
6412aca5978c1ab01c8927c0f8b5fc97

SHA1
dd4ed7d6d784715e673b6e6c78c20d8449b06fb6

SHA256
a7fbb8fc9f6b150c3695d6d9e73b1206215bd70c58cab575f20d36374a619db2

SHA512
df734c603225ab1a7839106db743f71c9f10e37dd66927a5535455dc885a663ee1a2f1e31773d54d3fa45af6935c6ff0f6533da9f7f50af40ba3d9218e4e09ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

Filesize
1KB

MD5
a9597b6a31cc66e1cc88ff4764509810

SHA1
5c2dee4276275bece278a378ab9342e263107411

SHA256
b5bcb8b21984691146149b89fe6cda054f7f2de8030f15a5a84a72850f7b92fe

SHA512
6f647df2d02393326ae6c0c53b104b40110cd60276a2a1ba0da27c5c0c9c10715bf8507a67cfc04017e6b5924bf38a5ef030ae4a417da9eafec2c5a22272d84f

Download Submit