51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Size

340KB
MD5

714870c33ba84e744b84b32e6e114ed9
SHA1

840f442d4466713becdf72b88846871330ac38e7
SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512

270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP

6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description pid process target process

PID 716 created 3444 716 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1736 bcdedit.exe
1536 bcdedit.exe
Renames multiple (6544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4760 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1660 wbadmin.exe

description	pid	process	target process
PID 716 created 3444	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	Explorer.EXE

pid	process
1736	bcdedit.exe
1536	bcdedit.exe

pid	process
4760	wbadmin.exe

pid	process
1660	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened (read-only)	\??\V:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Z:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\I:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\K:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\O:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\P:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\S:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\T:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\W:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\F:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\G:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\H:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\J:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\A:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\E:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\N:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\R:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\U:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\X:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Y:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\B:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\L:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\M:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Q:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Program Files directory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\skins\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxNano.winmd	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\Person-Content.json	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\20.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_signed_out.svg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-30_altform-unplated_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adobe_spinner.gif	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppSplashScreen.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-unplated_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-200.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Windows directory 6 IoCs

Processes:

wbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2304 vssadmin.exe

pid	process
2304	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3204	taskkill.exe
1384	taskkill.exe
3136	taskkill.exe
2480	taskkill.exe
4976	taskkill.exe
4952	taskkill.exe
4708	taskkill.exe
3536	taskkill.exe
2888	taskkill.exe
3432	taskkill.exe
2416	taskkill.exe
3688	taskkill.exe
4224	taskkill.exe
2116	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{A2A1E339-DC12-4EEB-869B-66F87511EF61}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

pid	process
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeBackupPrivilege	1404	vssvc.exe
Token: SeRestorePrivilege	1404	vssvc.exe
Token: SeAuditPrivilege	1404	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1708	WMIC.exe
Token: SeSecurityPrivilege	1708	WMIC.exe
Token: SeTakeOwnershipPrivilege	1708	WMIC.exe
Token: SeLoadDriverPrivilege	1708	WMIC.exe
Token: SeSystemProfilePrivilege	1708	WMIC.exe
Token: SeSystemtimePrivilege	1708	WMIC.exe
Token: SeProfSingleProcessPrivilege	1708	WMIC.exe
Token: SeIncBasePriorityPrivilege	1708	WMIC.exe
Token: SeCreatePagefilePrivilege	1708	WMIC.exe
Token: SeBackupPrivilege	1708	WMIC.exe
Token: SeRestorePrivilege	1708	WMIC.exe
Token: SeShutdownPrivilege	1708	WMIC.exe
Token: SeDebugPrivilege	1708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1708	WMIC.exe
Token: SeRemoteShutdownPrivilege	1708	WMIC.exe
Token: SeUndockPrivilege	1708	WMIC.exe
Token: SeManageVolumePrivilege	1708	WMIC.exe
Token: 33	1708	WMIC.exe
Token: 34	1708	WMIC.exe
Token: 35	1708	WMIC.exe
Token: 36	1708	WMIC.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe
4760 explorer.exe

pid	process
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe

pid	process
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 716 wrote to memory of 216	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 216	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 216	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 216 wrote to memory of 3948	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 3948	216	cmd.exe	cmd.exe
PID 716 wrote to memory of 4700	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4700	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4700	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 4700 wrote to memory of 2284	4700	cmd.exe	cmd.exe
PID 4700 wrote to memory of 2284	4700	cmd.exe	cmd.exe
PID 2284 wrote to memory of 3136	2284	cmd.exe	taskkill.exe
PID 2284 wrote to memory of 3136	2284	cmd.exe	taskkill.exe
PID 716 wrote to memory of 2500	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 2500	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 2500	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2500 wrote to memory of 4568	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 4568	2500	cmd.exe	cmd.exe
PID 4568 wrote to memory of 2480	4568	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 2480	4568	cmd.exe	taskkill.exe
PID 716 wrote to memory of 1372	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1372	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1372	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 1372 wrote to memory of 224	1372	cmd.exe	cmd.exe
PID 1372 wrote to memory of 224	1372	cmd.exe	cmd.exe
PID 224 wrote to memory of 4976	224	cmd.exe	taskkill.exe
PID 224 wrote to memory of 4976	224	cmd.exe	taskkill.exe
PID 716 wrote to memory of 4680	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4680	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4680	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 4680 wrote to memory of 1892	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1892	4680	cmd.exe	cmd.exe
PID 1892 wrote to memory of 3204	1892	cmd.exe	taskkill.exe
PID 1892 wrote to memory of 3204	1892	cmd.exe	taskkill.exe
PID 716 wrote to memory of 1204	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1204	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1204	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 1204 wrote to memory of 4996	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 4996	1204	cmd.exe	cmd.exe
PID 4996 wrote to memory of 2888	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 2888	4996	cmd.exe	taskkill.exe
PID 716 wrote to memory of 4644	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4644	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 4644	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 4644 wrote to memory of 1016	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 1016	4644	cmd.exe	cmd.exe
PID 1016 wrote to memory of 3432	1016	cmd.exe	taskkill.exe
PID 1016 wrote to memory of 3432	1016	cmd.exe	taskkill.exe
PID 716 wrote to memory of 3556	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 3556	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 3556	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 3556 wrote to memory of 4196	3556	cmd.exe	cmd.exe
PID 3556 wrote to memory of 4196	3556	cmd.exe	cmd.exe
PID 4196 wrote to memory of 1384	4196	cmd.exe	taskkill.exe
PID 4196 wrote to memory of 1384	4196	cmd.exe	taskkill.exe
PID 716 wrote to memory of 1848	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1848	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 1848	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 1848 wrote to memory of 2840	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 2840	1848	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2416	2840	cmd.exe	taskkill.exe
PID 2840 wrote to memory of 2416	2840	cmd.exe	taskkill.exe
PID 716 wrote to memory of 2220	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 2220	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 716 wrote to memory of 2220	716	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  "C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:4024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:1512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:3252
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2916
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:3752
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:5052
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:2776
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:2400
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3436
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2928
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4904
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1332
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:4328
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:4024
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1336
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:3992
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:4636
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:1256
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1636
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4068
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1568
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:4672
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:4432

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:4224

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
1⤵
PID:4192
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$MSFW
  2⤵
  PID:3320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak.infected

Filesize
1KB

MD5
e3c0ee0b416b47861f1d897f78529038

SHA1
e8f28e1e201889082b6544afc2a1c0bd4ca21b57

SHA256
aa6c19b1536e60bf2decda7d837a0d1c8468e47f0d280ccf43e98d61ce07e7d0

SHA512
49150ef705c8a480a65008ab4bb5c877ca2bd91f29921ce5e8f71dc3127d0a68ddced9677447e6e3a111626de33e3d62c6bef75bf03522f9904919c32ee50e89

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
3e67f55f5ac67566f63df8c586e4e9ec

SHA1
5c1f3a68443f760b5ee323fbe9f4ee247549f8b2

SHA256
7c9101ef6b91c3f92d6a92ecd616fa1c796ca5c20a4ed417e9f450072b4e792e

SHA512
9f703aa70df641f70f7c4da192f2cf8e67370d531cac23ea17097cd31ce08599f2653a48f1dd1081de273b14132b968217560945f2f8da0cd4987e55bbeb4649

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
6b073c2b5b6e653d0d3feb7d6effe3be

SHA1
a68f5b66b6a4a39603c0ced2848d7dc8bff09a48

SHA256
a5c70e0348a91671fae1d7a9cb1858d711d42564ca24f74a600ad2f009e413b3

SHA512
084d009e1d06f1cabd0b7dbea92767d2829d7cb84c674ef1f5bbc55f0bdcf9242f9b4f03ab4f5fa612a4409db4ba832ddb8fe8b9a78b2321e7b7efec32e4daaf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
3KB

MD5
a6348f46d9a31d66bed8af1a50376bcc

SHA1
4eafd590f30f5ffd99ab5d9e4335194de8344ab4

SHA256
f317004693b89d0864d42a5f94424e501f6c2e5660e93a51776da47a9a4726e6

SHA512
cb6fffc816447f554f4226d7ff80efe60483f9463e7ea78c2ca7cee45ea1e2a8f1e4a00e95a98259c9b45b75535d3faa6b4140a845bbb6898a0148cd351c9c1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
5KB

MD5
ba8e9ee3e349006271834f6eaddd469d

SHA1
437a02e6ca1fd79b2f141ee27e6e091b52d0799a

SHA256
cb774c38fa1dea13c50c14c4ed69b21e47f4e3a27519f2dfd8d73b9948db492d

SHA512
fac43593c32cb72f01d0fe5de45da243a3977f21e6af3e58652d66eddae390f7a407fb678777a287fd9a75d6c11d80cb4ccfaf2b98d9ff01522113daf35cff38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg

Filesize
3KB

MD5
2b409c67899e8037175a4d2252f1c99e

SHA1
b888aed2622c2403a3efb0c90f7da96ec6700490

SHA256
b36d795904bd57ecb4e7786a96fd70c8814cc0bc5b3b4d8240a7f82560a241ff

SHA512
1aa29b1ac199c3f615de437d4eda7633f72c6ef47404d857137960047f5552804752c69b698c322b0cfe2fe22a5f7adb2b21ad718328d7c000a1995f9e3ed351

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg

Filesize
2KB

MD5
0d06a81adacb4dc7eb96e33a6328b4da

SHA1
db35602426d3a15411d3c2ab1af80fc4b04bdb42

SHA256
559d8890e7fb4b4bed36f8481a5f8096b98a6897ed86eee5e72ad939131c3102

SHA512
58ad80b23022b3c63358c4f7d5b80695fed45721be6984291c32eab6e1dc671df0bfd5ee3e36e7d39a4e5e784cc0936c79f6750598760794c9214477a0954a45

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg

Filesize
2KB

MD5
8d4d7f6b79bb38313e1b8db5d21ef6fc

SHA1
8a08ae0c3c3d8b89b00309b6ee9a4cfa9698a223

SHA256
ea035d2f3c0137457ea37afcbcf2ac8a1c8ffd71ebfbb82cf62f69161853baeb

SHA512
3cba42557b73837084ea9b2745be7436362126e439036f56d1f4940ccbb43100b025737eabb208e5e5110a9397a3e67982f9e5ba90d8999d7e2a21b845788ba0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

Filesize
2KB

MD5
16aa88158b91d946ef75660b2a93721d

SHA1
191ac078f2daee5cf16bab19c538e1294b516005

SHA256
bbb825f7ed13022dae20fcf24edee622174a6b77122bc6db2cd8e85a26701646

SHA512
d86ef5e3587232ae7ec11e6de3774be7c2aed5af76b464e2947d132154a1b0bd79eab7bba24ce14d55b0aa16b34ce67d88d2c9191f215cd242294c9e97f080c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg

Filesize
2KB

MD5
59857f910ec7e87b3ae89ff9f9dd4b52

SHA1
db558f7e1c39e179a17cad140bdc8d00873b1904

SHA256
8624dfd8bcae8ba913d73a4de84ac116198cfa985379063dc7370d53f3ab392d

SHA512
2160c8429c25a57593152c929d13254ac3759f98eb77adf2214663a3d4b6407123e93d1f20e5a73cb4d84345dc362b97531bd4bb062f385aa28dea06a378d2f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg

Filesize
9KB

MD5
e7c12802cd9fd4bc2fed350d4cae5c7b

SHA1
314bb2e214168d79f3078246836cd463873cbd0b

SHA256
0de3b0a632c9384fff81bcb3e71197d2acd46d28a63e07d771cba2287b849a00

SHA512
b976e217482f20ffc004641db67a0ff6f306ceb17c9612048b39545b7eff624fc7857c82e308340b13ca21b9dab79ce50f1e0fb650f6a2c32dffae4edf6df449

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

Filesize
3KB

MD5
b3fa5c64adad4e305018c52855842a6c

SHA1
989d9ab85a2742a20429b98186214299fae584ea

SHA256
910f3d6fbd1799227996632c09a50e43614d99d08e34ab9cef5bbca3f16344ff

SHA512
3c8d508fe00e85b198648f5960b361d4c24117f576a3111cb398a7b67751fd9f55ecd7c30df81b3a2707dba873c02d68eb68dbbf0b95aa7a25cfe9d6af869cc5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
9d9b65d5bb5072c854e03e7c3876d50c

SHA1
f331f561293acaf73b9381b627d8d79b526623ff

SHA256
a3e6a9472202588c8622a46ff7942c87815fa3e601331f0f5ad6d32659b46378

SHA512
f3d48058465969aaf957fb7a7deb8da35bfab9aa71f432c01db3f760f28abddc2f1e6054295e27d7045ae811bb222164230a99ec840747d29d78628f1e1d7cf4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

Filesize
2KB

MD5
dfd75985c8ee712af64354ad831b2d41

SHA1
d698c09fc6d12a4eac83fcfb00b5e9706f30e042

SHA256
6c709663a76fa50f4d50b8804408ddfdf089944111868aa6e57487e380ac0689

SHA512
050c4842c8c80b28d2fcd504efbbb5c1023cb7ec4fa36970c896594373d17751bbe637bb3607cdbb2749fae70d3b7de2ceb23961bc2fd3afe1c6a2eb4b282828

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

Filesize
2KB

MD5
f80caccc5f542ab8191feba7f79103f1

SHA1
d2680db06ac4c9e437e9e74bbbfba9270b8d8510

SHA256
55b59e6422455d81828b810880499cab33c98b53133c98007493cb0b830da25a

SHA512
3d4c05578fba919df474753c6f17889c6e6d645623b40fc1c925bb7a4daeab6b8cd970391cbbef225fcaa270a77c51f157f217c55fd78dea29c7396737e0f127

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

Filesize
3KB

MD5
154369a59fe75702fe1366bf1e495723

SHA1
0e2ffdd4771555454323cdd0954eeabda77ac040

SHA256
a8676b62e4c547484f42823006aed2752e4a03b20c0d557f0f7facc22a3e68de

SHA512
97b1f5236df2fb1b7d04dee44901551da598d58986cb6b86e5dc2222cbb4c41d6f9994fdaf9ee83cadedb021a33fe6ab945d0a9ecdad3549a0fd2c5311fe2fee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

Filesize
3KB

MD5
dad2fae7813a5bc5309d818c018e7f28

SHA1
364ef4ebe97a49bc2e8c31f3911b2590ba667cdd

SHA256
4daf1c4ac3db5a87a2afe0788dca9094212fa63e9cd674be87905ba9b86c6227

SHA512
e6ff965ad8a24596e713ef71bf280376d91f469901f58f488f6c917b9938a541d6a5ff3349e84ec3d927583a5ef2438c3dd9aabdae4b7c6f7ead1f4646e47247

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

Filesize
3KB

MD5
f1f873a344a44cf7e1678c1c00953acc

SHA1
fdb35784bae4614b052809ebbea732e3c6c70f6d

SHA256
d52340abae1e8939957f000d7da211e93840cf0b4988d03062885d4d2b49825d

SHA512
31c6da39915d44a2d15b3ee2b60064fcf811afce93272d7123358507eb99955581af185b4b46f663b072b93be84fc7251c91d5c8a1c0f2a1ea17c93bc20de527

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

Filesize
2KB

MD5
e0d9aa07b3d5ba40ad2df4c896d8c978

SHA1
9a5c88795389c16dc6f9a4bb695b66cfd65c427a

SHA256
d7153a528ba73f08d0140f8cb0e646f98e4b117fa02a23d5dec421d0076b65f5

SHA512
484704193f3432a6515d7af3bd2540881e25ab3bc11ff982c4ea2895db7e5a6911a967b909aa1de12f2e9f94c3790fe0a16a79d15c205f0a95fd1ab449d8d58b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
67bbdc4aac9a4e8b097c13fe28f47c50

SHA1
9bfd69faf14d6a11bdb7c631682ed082a538954a

SHA256
d9c8298b0ad12271cd5b51cf9f51671f331f0fb64d512eb54676325a980d6fc7

SHA512
a221bc9ed04acd7f30014b84d98feb5bf08ab2d33cecd22db096b9f986272b290c866c04b225aaf37eb0402809280d06576427891e605ff42ef6efb47bdbe2fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
741438a4e08542d7189a0cfa40d1af23

SHA1
aeb703b759c40759be674f6c3c2412b056feda85

SHA256
228365e2cef46cf5abc19080dee51e6590f6e03456b0e9b20dd00e289a7ce8eb

SHA512
32f349bc3249c0639275680279ea516d2731ddcd7ea39efb2afd7e6b95f2746a0f5d2d8f818538ca635fd424f526c449ee484a752230848906f4cfbed9070c5e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
12149efe5b1d55dc2c5ed720bfc6e2ba

SHA1
1101f9af03e9ac0e5ccdec7f33d846e773cbe6f0

SHA256
28e363aaec8d4891e1c7150ba2e0ad4664e3d85f2ffe69b845cb8eef29d6ac5f

SHA512
2c55e598d5ee849a229c46a919578ba439b6c9e38c654e41433429254aeec3fb00a3ef8d9ecb57e20ee4893f3c8d406ebf60cc826e7ca3204441bb0af984f79b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
fbae2f709aaadeb01c2129a65447fe05

SHA1
bfc17c55ac1e8aed56672143ce94af63657820db

SHA256
a49479fa5bd1f9634e88053f8dc0dd4ed982d1480ced627d487b8b23cfd3a2dc

SHA512
73d3f6a90c69c2264eb09332d81254204fa50f90fad50d39b6f8cb24d64a3fb53a272276dae198982ae1547751f5731b26a779f14c493ca9bc807c5f431ef0fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
c7eb08df2aa2d05a5a0181dcb68b99bd

SHA1
f0a81a8c8e8106cef1c2bf3d724488d99366abe3

SHA256
d43bdbaa19928580b793400631d79b882c0db3cedbc382007a8323121dd44c12

SHA512
b415cf08094cbdb560c59c99587dff287c198ffab5db8e879d36743e1438d6020d50fce865df92ac5d6d457d7b44bbf047a9eb69f3b21b30cd81a0271effa1d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
2429b60ca300830c0f08f41d00de7550

SHA1
d358ae5d533aaae26c902e9c0cf28af31a36fb35

SHA256
05479ee898652cc9a6a0264d83231341852315ef89648ccfba1282bd6815c923

SHA512
b1136f9657b3b342ce0e344e82dffb1d10136bf0efe9321fa5248e0a45729be47f87573d67a5eef32425a19315025cf637a216208bc30fc5152916ff19b2c60e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
9dce51463051c42cbfe0ae2b01deebae

SHA1
629218abe22ad0b5323846c47f6c877c6407d299

SHA256
2939de7f2939b37da3ed1670c906386cc3894ce1f18011a1696a1dc29c3b4ca0

SHA512
8e7bfdd2332a1a5657e67ded7a524175c257bc451248f21e18ca6994369e30cb09cedc545f377eeba236be0c450213fe0fe4f0557fda4563203547e964a48778

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
f4aefec6e6d4d177acdf15d6a3e5f1a1

SHA1
33c7ec597bb9ab02e1998c8fdecf1970043fc9e2

SHA256
033920d61caec0c1b7c430a865132b9c7732e32580b9c95e470a7b63eadcde16

SHA512
6d5ac5adc55560447f56cb352f1cec819d02e49f9395abdbc318e9966f521070d447724a953dc21325348f504358c1f51ad6523abb76651890eba3bdb35cdc15

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
404620e35dedbcc7a2918e275bcebad2

SHA1
93dd3a8508cca8f834a20bcd3bb395c3ad8f55b1

SHA256
2b5c3a2da862fc4253fac25822d170762ace28ba5278a206dc8d56ac9d6c6080

SHA512
57215a278fc6c3f6ffdaaadd5d95b7d03f9e43acb3a95b01fda82ddf59ac362a2edad18392260d2b694fd21049130436ee69baaf132adf48c4f89b55bae85164

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
ec429d2bb8c37e7d598b67d443b56d47

SHA1
d4827a9236d863ac7e76fba550e43f987747461b

SHA256
ffbdee2f21180c222213365d934277645d8f0a1ddc448ebbe1bfd8bd668d6790

SHA512
ac93feb2906fd82740fcee58eb390f333226c1acd271e91457b0c53db1407acc6006556acc180203bda0ef9e42067bcc5eb1fe4973a3f65bab104e1fde22f4d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

Filesize
1KB

MD5
a20f7412aa21f9f72eab123ce9ffcf44

SHA1
24d9083c68b3b696f00c22da637d29cbc3ca63aa

SHA256
694a55f195fa8f78f4473fcbcbd3ea27b3630a15770bbc2442a974825b805651

SHA512
746e25820705b87ce518100f5aa5a5d7296aff5c4a890ef06e17b5cc672a7f1961ea0105301263323557914356835546bd201482a72326b5effc8d8d1a970a39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
2KB

MD5
a3d574f6ad96178d738b4dddc93c6455

SHA1
1b8dd64111c061071a51f143328aabdd5efc9b7c

SHA256
b6cbfdce00f8fea2f2ea8ebdff95ab65354d52c3daf5c7567013ce0e2c29b02e

SHA512
e5088268d84e467f08195691a046645e7716a9812f90801461026c553a45fe88d60caf8cc8e014488c0a63d6c80fd1c8bc4be301cc3cfa04aafed2b7c29c7cbd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
1KB

MD5
b2502f9fd4c7ff1d1ddbac3b7a273079

SHA1
7f06c85dbcdaa1389cc633e9d7d35b638669c146

SHA256
b3e1450bc5801f4f0b70832790a889d7e1f7ce41253f04e32adae569464f818b

SHA512
8914170e7708886f5eecec86cf7690cffea9d1aea740abf9b293717a5135d72959a80c2af9f27e2a62c8d1df992b070a6aad42be1865baf1e59059089bf2a7d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
a080027981ed3f565d75302875ac8b1c

SHA1
638d7af6fe856d8bd36459bd11f79bd3bb779fb3

SHA256
78f7d01a8b7fa6268f0085735a8a9b4c917e1bc9c82440930e49edea7ccb5483

SHA512
01de3d254f9c5c854c8e644f6d1233fc9be30f6a8588b0a6ecb7822a177a6e47951206a2c9912730eadbfd2983ba30e0bf46d41b17c4659825be30e461118cd6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

Filesize
1KB

MD5
e9500136d9e21d56d9b8ecee0b8a806d

SHA1
54e8d963e90832f8fb6b912db324119e536486a8

SHA256
6f2e7b2218d3840a9586d43bb94aa4765ee196978a0567b2dc521685b13df983

SHA512
e0672da4cd9982b1d4c8e51f56a72166155007664d1d14097ef72a5b431264a383ed9f894930ec28416dcc5a0d119a67c422bf00b501a84188309ae87f4ea453

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
2KB

MD5
15b279b47b1e05f6980e1a18792a445f

SHA1
463a0c0b54c4cf54378e7b07d1eab3bfe429c9ca

SHA256
f4e8cf41518d7a164dd46d75554665cc181e359e3541a5c6fd4c2487d83dc0fb

SHA512
0a92aa489f3895fef232e227f5364fbfa03b1ddb9b65f4a0e186862a1360e16c64785b74c1ca5728f636303bee50bd95e2cd4c134553afa3bc060766e1cdca2d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
1KB

MD5
495c87860df38b7f1cd99758e5421254

SHA1
5eee72a4e569daa3c4574299fa60e61f0c2f893c

SHA256
24e303aaca2e1b2f89f81dccc20e54af7107d5042277b733ed3183fd558599c5

SHA512
91533ac237728d5008973126b5f972c5086884ac6f523ee18e2592726e4df36789b8f6f662211eb611a65ba483595c3b27d95d3815aeee8178668f83856bcbcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
bd28736f700111614aab61fefb865022

SHA1
d10ad0b112c0be5b5f11579e059db09315e26dd4

SHA256
12659b1402aa04b4d0b9ec9427923d26b356fb701f40562ea8a1d17784bacde1

SHA512
b30045dd2f9a192a2bc2bc92f517d57ed1b0bad19bcc94794b879473c6870744e2ca3da33a89c975e630c2094e0ed5d06914273127635f7e8a2d459cc1e50c74

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a43b2c27a29923184d2dd2ed190cb4d3

SHA1
4a8641ceb1e3c4809d2f7a4c8c2d986ac41c3f1c

SHA256
d19a784d12760c3ffeff55f3d19449a04243c33e3f4e1583f80845b4353c4b7a

SHA512
631175e08310c281f0bce8e7f4249d8d3e7ef00a99eff6af2b5c4f299e437d226040eaa5e3de8000e0afdff80d811bcf25f0694a5cb653b98ca0310cc9847ff8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
278a3136ad2334ace5b16f43874077c1

SHA1
8f1ebe164d1060d132915ebe5fb55cd066c7fa33

SHA256
cf267d691a054b6353ceb9cab2ee889a13ab9143990ff1f3be8bafc504d445a1

SHA512
0f4324eced2e7827c3ced9310fb4d3b57baa0bd0f67c8e45fccce3bd362de977a86aba28797ea4371ae5862ed670ca77942066b744f39a865a0e15c88635ba4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
3cf16c902d0e7200d61e289f20f51967

SHA1
785fd61641463b5b0a4e0353ac43f8c0870af21d

SHA256
9a5598792f8d045e2ad73f11e7fbd4279cc9b0a06a81af257dbd252e46eeb9f1

SHA512
5d699a9f03e52611e39f88aff3cac98822a3305af4062e13cb2fbf0c9e7f0d0631c1732a031f9f56c4af2e7c68e86c8b4abcf3fba0d6e1ccc9dc3f90da5bafe0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
5a2ab0ce0061cf0525325cb4c160366c

SHA1
42ee7aaccea13880e32db86eb719146b10b0f4f0

SHA256
89e1b9cb5d28ba0d1ea2f9e4e03cac4050c70928b1f2b1a6d773161b46973822

SHA512
5181b39ce8185b503b1fe95d38315856835334733a1a308a94ab9b3f3e3dd9e0adfe884ec8e84218888a9839ddcd16e83413805499d33ebd8bef16292df55c06

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
aea38265465727fe4015d2de3bba4e3f

SHA1
86a01c24d777bc0d5211f8fdceb8b904ce3b6248

SHA256
35e34aadacc97e92322487379ac2680cf09149ed6f97020f5ec5d75ab2a90fcf

SHA512
d1ec37884b54ff27f7c2ef19e4e50b862a902e0eefcc7f58ce674ba2ff7929dece452f6487659f402e974f96b05a2753ab9edba0a70e5000c3b1bea42b7be41a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
493ef88e2c94c8489de97e56f02a2ba3

SHA1
c18fc567b2f43e713758ca456db82d471040f0af

SHA256
a216721bf2e059b79634bed0366dbf00184ee866a99c2c62a2240df5cdbc536f

SHA512
0c523f6555d8ad5d3ffce87b0ed70f71f33ca6d8c6be05f7f50b98dde4f8f6904c2990e04958643019de4984bbd8466cc1072527b0de7690a8a04867855bbcd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
eeefb920d10087314f4d195cd6a71794

SHA1
ff7f754c4d88a472c133ce120c985ad7ec16c144

SHA256
3064c5eaea5ebb0ca9f56d1bca887c8bed7bc989ff118f927c265232a0233951

SHA512
f89d8f25541bdec17235d84038662752336c558195c6e9d47a52e2fe0de5e62043fd3154ba7792ea4a3f79da790c8ae8e1ca7dde351b10a1a0c599289cb22621

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
8a74ccffc3797b660c143341958f70b9

SHA1
2b99c602f3a118a134146c1609fc2cf25a908dfa

SHA256
663c73376c1e90ebaeab874e763bfe794b61faefa6cfb4de87aa337b44782ffc

SHA512
5fa1e8cee799687e6c41e4b8020161dd379f1867e47ae2ddb24e39dfc59c607362b20d19abecad644d6e698fd607623e55eb4be14fb73009163a89d736554243

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
5d705512ce6fe792189c79eddd0c01c6

SHA1
8c70f020545aa66f314876ec497fa9e5d88f6b0f

SHA256
fc2bb45bed7d2604a91cd664d3601394e829110bc2704947f2379193236518ce

SHA512
861e2e4c8918fb46dd3ef6d031dc4f4e2fe9d0eb001df353ae9d2be7a6eb426e757e201c1f0a8e4bd86b96f180a7c945101fef32a95ee672d0a04190558f0c66

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
6aa380b95d2b9d6ddcd64c49b1ca99ec

SHA1
986bdbb3cd6d3e032302f9179740c621605e4725

SHA256
002a45e772989a9872b5fa939326c140816af4d8da4dea25a939b95ed09350c4

SHA512
a86f1d7515c951506ab55a6f0997f873310dbb151936c9f8c74ae9298b3a05d576c233b106c1c11c6f757d2d5d7eb92e0aa0170bfc2e4970830cd3418437db4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png

Filesize
16KB

MD5
6278dc084c193020b4535648d4073115

SHA1
70735e64a4e4aa9b0cee7848ee0a6ae28c844df9

SHA256
834cac3ba7c1ac2441427d3d23cb1180a150223caf1a28a2e148893bdadf821d

SHA512
f00cd3784b72f6b1c4ab8cef7a2359d5076dca2f4055df6a7a987098829dc3b4cea6e102d3d0d37aef1cd206c484549447f8d7f383de47ce6dec76eb6f0698a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
482afe65fda008365563bc0afc4405e4

SHA1
6321136259f1f57b44eec6b32ad5ef2beda78e91

SHA256
9815a56110d0af3d9e3568a240406cb9940c46df87aed91a454a7cc25adc4ec9

SHA512
57f1740a7025f1a7cce4aacf84c53689ebcc7b6be806cec6330916a30298a9aafcc38261966c07b6627dae354e5d7d628502f9a4ff1a6747379157ad8f7a3a18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

Filesize
2KB

MD5
2c0fa3a576907df04471e0c0a6d6c413

SHA1
94d5f98391b85a7deea0ade4dfc560cf27a8f30b

SHA256
8903bbcd1be756ee32fe785382a212b743979353d860e40a3cca0f885af54e36

SHA512
96b00de4a24c9c96fc22fea6ab0e1a8bf577239a50e909e6ab07d04d7d01ac74a04d13a3f6c59f0c16235109cac9e1dd3673176d62f8d6421d741fa49b9fbbdf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

Filesize
2KB

MD5
a826547b12fd2fb4ac708ee9cca00726

SHA1
d46ae0ee863006cd33ed42339dce79db74a6c3d4

SHA256
4149425bb343de2ff8f1bd53f2c8b36929529463818ed9c262990cb26b8dadda

SHA512
9ed71018716f56664ddf22479707b6a18a7d8113deca15fcadb7a3edd13f8d2d20f700557c3c24693675be923aab7c840fed90c4e731547ab625aa53c9bbd5df

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

Filesize
1KB

MD5
ae50ed57e9aab93a4bad62ba114c9bc2

SHA1
50029990a1da2496a2e4cf54b64e48b3ec4ddf0d

SHA256
7343ba0b07caa66e1cb355d578f3d064b6ede50d6dc5554dd8abf7a7cef26f92

SHA512
14ad794d29f4321e35963c08ab9306d7c494b6fa8849303dd74c66c0ded2740e784dd748e69524e5b0296c7275938d9a4ab5a13a46427d650b000a81c58283f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
2KB

MD5
828dd2021d1d98b5b26c07f1f205ac8b

SHA1
941963c9315fc5a1812582a36c41800714523d3a

SHA256
98f82e5620607fbcac37a689b0a0d8aa97fa64698bb498e067ce5c7c17b7e058

SHA512
668a185ef44d8b13bebbca9d8e199497d70e5614eab60dee626bcb86a666b222e06ebdefde90d397c5247b9e92385bdaa66ca1e85cded7a22b0f63f063ead21c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

Filesize
10KB

MD5
165f78e2006686f60f2ebcbf2ecad85b

SHA1
c8a4a69547bd9e36f4924662253e8b18d61351f1

SHA256
49d6b3562f54f2d4a42fe2a4547aab0eca0e27f80cd33abbf6333c88d2c1ae00

SHA512
87a4ba24282996d203c639717184478814107b12a295019b47e0a679fa0c84c765c83172b34d18fd3b24501a1b40fcd72aeace91db31927e7785e47be0e3153b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

Filesize
20KB

MD5
322403454d0b22fc1552a6b6cc1b337c

SHA1
8269e7c685427654f98ad5f068e642bd1b79829e

SHA256
50319427924311e086030c09020204e8c738850580b0af51607924570cd7306d

SHA512
333d277ace950aedc9ea4ea559ad6bc0932d6eb83718b1d31be3e47045942212ea9a7028aece249f8869d2d8a310da6667c1c6035fea7c80b2148473d29c7390

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
dbe50831d6b5fdbdda6ac2ff40391721

SHA1
73121470a9c72cc40ad684cde8474c75ecaec90f

SHA256
4de879719da2b8acc3494d182a5bd900603b654aa79653ed06300d161feb3314

SHA512
934d0f55bb3979b1a3ae4085ee031d60e2339801c3176ed1a3e77bbbc1935d595a48598db4a7514d524f994e3c168b851f39d30ef63be7c1ed015f729914138c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
d33939cc1367d47359a1bc76ebe3f328

SHA1
1e1a7c3edf7bfdfb4100e42955008d7235ce22f1

SHA256
a542608d115cc53f14fe5e889009915a627570394d0c5d488bdb2511413a984f

SHA512
6cf1715a345a0dcc27cc309a02cd841ca7ab5c875da948f83c2cc7f158d1c2ec767f354746e8727f77c9b32ca52c17a9276b43c2944bc8f3168457584a3e75b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

Filesize
2KB

MD5
9e71f56dd6e7cbb6237d6d3a16381ba8

SHA1
bb32e467cc8b37aefbe2479ff7e0934afc95a8f4

SHA256
f49ccd72493d24c4b24a69213fca8ab7bb574fe8609cb3d4d428c8293a86138e

SHA512
cdd01d1dca82b221757925ab43d3a78b70be39d8fca94ec205de1fb3fc3669caebaab0f4ae07bb96099b9a09a581aeafde27ae29de22cdead456db1cec6a8a3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
d128eb537eacfa4cb30b144e61b044a4

SHA1
d7b37de25b30e4ceba9820feb4495a3b1ff9b973

SHA256
0d1a6b9ee184efd2ae577f610e0e802d35690b604a165edb501a622e4e307542

SHA512
72bed482e1c324cfc18b673003eb59a2969da3247f94a9bd8d772fb16eb60d135b34b476d6a932259f6e2c9bcde440164a52b7dc5d1aa86c7c95f09a8c01bba4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
5af24429c11ce4dc80a0579806b0fb29

SHA1
7ba50b7236a3170b9cfc2ad28f018b160888144f

SHA256
d4d1c69dabc4233679f6f786326b253df04ba19e5b1e39dda177fea9c25f237a

SHA512
583a62d02c188850d4f151709bd21a897449aaeb237a05fb38b2be71f4f88095fff84e84310e0a2a2341cf4eb5f26687f0295d14264976d676a21f66cb0976fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

Filesize
6KB

MD5
2ec314a27c52987af291e1602262ddcc

SHA1
6ea24744c2dcfdd460cbb51e149c16932443ff5f

SHA256
be96011b7207d7f51483a9d684f7e3fb13d0f6f8efa1d13ba8cd69b914df9b68

SHA512
cbfae6ed4e1e52c44c352ca891701c46ac5cb78b23969d11e55b69f82cb8c14faa190d121a3f9033994a6ededf0dfa943fe70714ee5a390fc7bac39a3c90ee70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
81aa1baf10ed72f622ff8dc1cdafdec8

SHA1
34bf2e912f725fd032ffe6ed0a636512f8fd9f05

SHA256
db3a1c16ff0dc42460543f8ac5fda4676e674e6fe38b0032611c0b3039f55467

SHA512
1ed1454d795fcff907b4d0de147816cce7833c998aa826911170af381fc2654293a28831894931412752c3b8d2e5661a920c67b57c15be35ea40a52df625b69d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png

Filesize
2KB

MD5
969b4bf0937f93841d8584fba19aef88

SHA1
03b94320e5ea2fb9663d88b46d533aa867967c6e

SHA256
be853cfaca47a82c8ee3f3012e899f717f77fe262cf6ab98ee9fc689aa2dca55

SHA512
ce7c3839238b1be8433e0d494a0de4d0ba157168a3ae7ee6000d0bbed65c440b69569e270dfa1304ac220fe66fe9a6c7652c4a951e0239aec18421118b462ee7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png

Filesize
2KB

MD5
6f41ba45652055d4689de5c9c2107f19

SHA1
5b7e1d35bc17c20dccd5d679daa326c6ebc5d2fd

SHA256
ee0441d203b7219811416a55132f2d573a337aaea5edabc22bc44905d0c36243

SHA512
f68d2b02d8d285c82ef377050399fc9e5e797a27268c0993cf9b26dbe149427e929972a6f3916f104a9077cec8c57fcccd6e08d2defd452a2d889b04671a9ea1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
53f94c558411fcb42b143eb5ae5df65c

SHA1
1eb891f3e54829f530f0005687c44a5c85cede04

SHA256
8a4fc34cc77dad8354cd55ceeca62b1cc9347e290858e34cfee18e70881cba21

SHA512
001785e29ab4f9555e2a60ede2d7db62ff4192916dc00b920aec61f40882772ef3a101e5eba0d3ebc32df8128934510bdc0cd4b621813b86184f81b33f2c16a0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
f09addfca4bbc979597a8792b36fab38

SHA1
eb4d6bb9bb0ecdbb9bd843193f3c55e5c01558e0

SHA256
49588f6ab55ed40653d70c1a2f528a3d3458692a1c524fbd80f3c54123d5a539

SHA512
2024949d5679af48d05c2dc3933c1f2eecc3fc0d47290c8839b3a638f80c494a02b5cf3f851129980b179582faa733b38564b3eded623f56a4b5ccba25636a51

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
1f0f4be655b41662217a7ff616e59457

SHA1
2b738e103ff0970c02307267abd0dbdf13519930

SHA256
ef053e647a95c8936ae1b9aacf415763ccf72865f1123e693518ff952933920c

SHA512
4738f6c8ff6978e8795fc95a6c61d06fb49558c29e3d77c4ff553ce5640ae28cb224d44a3ea14aa14a2745e44fd37880c81c73950e35c1a0adc6ef2e587f0666

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
a1c9e07eda53a8c3ddf22601c8b09f6a

SHA1
06751f23bfac234909a634a839004e859f252102

SHA256
a45d5a7659aace5b92913fed463c5713672aad5396f04230faa1f5bc16b9da48

SHA512
2298ed77ae75c6c011f74910f14df5ede10d2c5f66b0798f993e6aec23ad687ed78e33b10d5e036ffc58cf8f8b53c23c688b99317633f5e3e5ad3e7356785063

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
bf9216b045bbff4b6c92584a4176b94e

SHA1
2519be07fe4bf835b18358f428d4fc955ad7e766

SHA256
2fc66a6cac2d0c99b279dc1d59f06e9377054555b3dae5c1964e9c77887abd0d

SHA512
1a0c957b9bb487500c29066c538a85d169d30fb07a558e81a04b65acadbc347388193d60ca726d001d3ad0840c812828980338922d8486fed18a9e6970babb07

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
69baf93811cad328715ba3ca74a1a05d

SHA1
fbc04d75973a3120dddc7abcc8b9744017d78820

SHA256
e9d90e3913048d48566bb03865261513ae3e125d9c2e2245f4f6cc89bf4b7977

SHA512
d20fe99aed0064de47081fe79199a6ff912a6bde2c3f26533a293fcb2bfe83c51806de35f2ca4ba6d0cd0059257b5d89870797117a8ed44f702096a8be39e6a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
7efc090a2f2ac7958235c4dd1ffef91a

SHA1
69960eaf510ce99f7efdc382d179594b2bee9b0f

SHA256
b0339df631816444272401096940f020099b1565274b30ebf07ac42702ad058d

SHA512
211419ac078f59af25e3788853ff0464b5ca281ca67307e171af19588f016dbd96f4fcc77c67f8928831508a7cab27c181d9c716b45a5eb7fe12309001731d09

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
2c202e599c506777855a217410f6d3bf

SHA1
a65fb152b1c9b0a28df3abdb3bd5b63b6f762ba5

SHA256
d261a26e3683e56bf207a9069be9d252722122a16b835d50b2bb20bff5dc4029

SHA512
e80de42779bc9e45598002470a29618f5ea4a0a2d0d57fbc910c6bfa631b1898c61e5082b8120c85a5ecb579795707c37dd5e2f006b704b5704c801b59be7bd2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main-selector.css

Filesize
2KB

MD5
a3d11d8e769fdb4cb3e87b12723b6b24

SHA1
2f645255494f947f2e615db82f4b6d6c29214b25

SHA256
bd7e10b09258dbe96b64ddfaa98445332a46cdc9f92775aed2b4295412ecb2c5

SHA512
0ed8be94c9cc3fc7a848c4122e5bb2c84f7e3cc03110b82ce2749d027a7351e6a4ed17461582c02863b20278ff55d8f4b7c80d593e0b271befa4306ace889414

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
b4326b29b46eaa03b207d722c082b199

SHA1
2298d2b2187e6328da67e059ebc9f6b63485843d

SHA256
d9d27d19ddadbf2b6f9b3267a061a5f982007ae2e03372ee1fdb56eea25ad93b

SHA512
42f1d4ad1d1f9c2544f0eb5130a5d43ed433d2890177640758ca4c9c639dc2f737bc700c270b232cd7b677912777edda9ff38df12fb82e65734595b1e409b2c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

Filesize
4KB

MD5
3f64520b75fee731a8b301abe22bfbcf

SHA1
532eb2fa1bc725fb2bb7450b567e1722571c72a1

SHA256
48a3d3bd7d51bd4e821d4803786d688e6771a4f577e7d000399e27a6fd39dfcf

SHA512
ddba329754892de453381cf98ade544548a730d3a5038adbcf686d6a6cd772827b34db583885f56c2ce7110a187a0ff7f5b7a57f337ff495169c95401fe66213

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

Filesize
3KB

MD5
9c9777b4788de39a9ed31e6ab5096de1

SHA1
16be442e8a5e3203eb9dab94625ecef1d75adf00

SHA256
8810b9fe7b46622c17f1c9b96fd153b86e1ecb5a8e903b1e2c862ed3ff8d20e1

SHA512
9e8e4e57968977b2b26ee17014b743e0ca6c37ea1cc60ae584f126d14ff515bcfe6bb162cbfae56b5b537252cba69aecfc5cf3ee81b7b887ee2a15b0750190f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

Filesize
6KB

MD5
663751d0bc6fc1caab49fc27b34dbfe8

SHA1
26e2dc5c2c1c1c47d3b792d95340f3a4c15b4b6c

SHA256
c1685ab59fbb757cfe54b23af9eca234b6241c7c745d206600de3382ae0e3898

SHA512
72555d4a6e3151e1d6439a7ec2866fa8a05b77a68b16381f14cb07f0b69308453a68b3397af5415e10857abf7e20f9a7685c68afa8d38791ec489a1b0c1e8287

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

Filesize
1KB

MD5
4bcbdc1bd668ceb1906da6c12cd59248

SHA1
ebcb65f498fdb03d5e2f1f4f69c5371c9eb6f6f4

SHA256
8d3d595db1cac3ed504eb9e2bd431e9cef480ce020ca169bf2dbe616837ef29b

SHA512
a11e8c5fb681237fced6752bfc4f3d7df625e86eac97da68bcbdc1a36d394eacb625986d8b03981655cefaf022636e39359e45c8a93ccd673bed2233e1da55bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

Filesize
1KB

MD5
565734e128f70edad0e5c9cb7102600b

SHA1
f6942af6040177096da0d131b06f08300500321c

SHA256
0892bdea327bd7a4ccdb7b2ab2d636a3501e00256168758e0510c5114282a8a3

SHA512
b2b54bc3fa50f0cf3e254b6f64aa2cf345b644ffeb1c614c3e83b57268bc22de6149ae9491fa943e457d0397a7123b8664132737a2346bbd13a36013b35a6cc5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

Filesize
2KB

MD5
b8db51f0248a7f1cbef6da529c215741

SHA1
516d9d27ac4db17debdb80e7fe52edd5ac37ac89

SHA256
65ee779e90bd787d7bcdc175132890a0acd8a20b7bf71d7be48564450c8df027

SHA512
e66176360f481d4cc4016a5dbb344faad573fcc7f8a838ba6648ba481a6d29874eb5716201e53dbc45747f59d5d35ed7d7189b927b4faf8969b4ea6b7a695dd4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg

Filesize
3KB

MD5
3c3ec02f464d15831a9a4e3dcd02cfd4

SHA1
be24c85b7f4dfc644a14f4c066847fda10ef47d3

SHA256
c0bd8c21285c02fe6bb1b680f6dd5ba8dee4ae959c5c74296061cbddfa7f4677

SHA512
ba16da829440a9b62b5b1d20ff63eebfec49ddf5df8267c7181e93f97a562775771dbf3f9030420c667686eeb3d50865f99e8c4017609782ad54a4549e90508c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg

Filesize
2KB

MD5
62a07040bcf8da719d3e76974de7b4c5

SHA1
9e3b6395edf019b10744ab39c4c9985381ba76eb

SHA256
ebf6c2a5e0188294375df501e391d9c7c493246c52b2c585c8dab3c06a378233

SHA512
1cfeefb8f5e5d5d7d5ae04a88ecab8ab1a5b59e2016caa91d2d6ec2d8fe7cbaa1640b62fae26e4aae7bad8248f43d57672db77f6ba9cc483ff5a17c44ecd0959

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

Filesize
2KB

MD5
7868877b847378e5296cdd9b1ba414eb

SHA1
7078d62b1af721bff82a51482195d7655efcc9fa

SHA256
a03118ff9c6b49d3caf1b8de0c919a55eeabec449c9358a149d792de038e9bc9

SHA512
5c90cbef82f558bce1a495054a1986c109c79e1f0e0d05ce49f8ad570dc0ac693097c745a8033425ae7c55f0112a4c3095de9f7eebd6ed0b1141a7ea71fdedcc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

Filesize
4KB

MD5
ea3d49a64f09ffeeecc25e4dd4e49a7f

SHA1
baba81e88dd3378dd68fc6da6a9aa98ac3306f25

SHA256
f2469202a620bbade955acb925e4666d218ca7012c3300d20cc8f4b17f15f265

SHA512
e22bba8dde3983759bffa7337d3d1872ee513af6a818f6b40afa1da4d936876b373f2d97e9951f26ea93debbe958dfcb2c66186e35a6902a1cecefc3e18069cd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

Filesize
15KB

MD5
d3b68a2af0851a7c1119eb296e5b4147

SHA1
c6746952ce7ea4e917823b41618207965cd0f34f

SHA256
25280db4cd6c386531b575bd31855d119dc540dafc8e35354d58f91126f7b8fc

SHA512
3ebd078e67c84ed55040151fe7667dae50781d19108d77e949fde72bf3de47e50b825f7ebeb585b292a7056fae687e03549da626f34ddcd62e90292265d06036

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js.infected

Filesize
2KB

MD5
28836a069f31cca6ab3775ea2f303162

SHA1
83ba21b73b44dc35e0d56881fcaef4e73ab45219

SHA256
4ed85ae1712532d8ed54ee8c6911f712df99b6176ba71d16e0869014a69e2361

SHA512
dfbb85848b03cb5a3abad1553070a44521412b60b1391fc1206b0a58dcd260e58f13265b82e65391837c2e2bdb453f5bece0a84d1d538c63505b10102979e6a0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo.png

Filesize
2KB

MD5
95f033338001f94596a3177662c9d4ef

SHA1
7728e4c3dbcf2ee2f59806195dbcdef0dbf185e5

SHA256
5cdc0152ad2e33fc25ca152d93d933f1d68c8576d5e4d377bbed7b2d75d19b4a

SHA512
3b2452c190156b04facf6c72661121d305d8229bcc0813af02485e64a0ea5f22df85538525722c8c9f374359cd88d591baa732f89f98281f4a06a0bb40e17fc8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png

Filesize
3KB

MD5
90067ab2e48ee5a21e163d51a86c12b8

SHA1
7b455878bafdede2b5c33a95eb157c7cf0ad1c98

SHA256
31410da3c291a2d6210abed91d945001f107bcfbef3482b4250c24b3eaf14042

SHA512
fdea0ed5ea46ab4bce244eb984fcae37838eb8a8d89383eeb49890ef8841be32d282996749c4df2ed4ba80d9f45df90d176199278d65272dd2c75e7e16ea17e5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js

Filesize
11KB

MD5
cddf2f707ad4c1c8a7fb6dde64eef8f2

SHA1
44ea8bf1588dfc4e4c4e7dd094c482e731788aa8

SHA256
e1cbaf52e8051a37321eac9d93d2716581de70827486727b38a47b7f3f35a689

SHA512
148c4ca3f24c7d4543a1db6d439805010b40f03f282a5dcb8854d4eef881ae2106d79497a27f0c37b8ee0b89e1cf8bd7165db337e7545064971c0ed9fd34b569

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
2072d2e31d88f4f3307050c779455d79

SHA1
68a2c605d6d17b2e1349e60b0f78e4a875c9bffc

SHA256
5c2d88f3b0f91cca88a5b93c482550226ffb470f6782dc2003b21dea32e48e46

SHA512
e68605002db7901ae5476df3a34391111b12aa9677fb3b2f72b90424f27c1becb7f99bbb5d9c13dc7c2433ff7d0c7644e956c9b759d09729afe4ba5ded2e02dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ui-strings.js

Filesize
2KB

MD5
8950032a76f2076f94f8f625122645d1

SHA1
986cb119a379a463ab5dc09d74cc41410f233c53

SHA256
87a73bcd9750f3da0a7639d8fe6272fef975fdcb8abb13065b4a7af626db2987

SHA512
cacf2ba1154650b5a36f853ea3c80d082612befe37d5559ae12cc44a46878d17ea9da528164a1c4b856538702a22392500042b02bfde1d757b7622bbae817156

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
55c33cde7128c1fe4fe03f87b3c1db61

SHA1
27513b01615c79ae2fff8195ffd7c212f7790935

SHA256
07f726daecfec6dfb74366e5a094fbc243ccc17b90358ac0a907df6f81344087

SHA512
c73bad4aee5ef9008ccd756346d1eebad77eba9acd83847fd3fd041b6e3309100bb0e482325063df745b54427f42434f3a30478a169c348bd2c8001f64c4ed05

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
0f3ef4e7ead47542768aa15e552faa17

SHA1
43f361d9efb2f7bb26064a7879dedd1d34dd1302

SHA256
812573d7436b89497192561f63d5399b3e530d8ca50f8ecd8e71871f6e5ee7a9

SHA512
5f4debeba408f5d7ab0fd439fb835017cfb58db841c7c140e5c836bd2c1c2e834b50531b4f220ae9ebf647ab8b14b3ce68ec6f13862d4b1eb9cee33a6815eab3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
8114cda51a68db0b06b07543130c93f5

SHA1
ad8d86e3fc1b564991c965791782be6b9fdd58af

SHA256
8e6264a6b8ad8f716dad22e5d02419f718e2214cc0b6c445c5a960939fab438d

SHA512
d7d25cd7ea3e7d33c72e0c0829479252b4d5d374960774fce389c31fb5a58c4487b54d791866953c1e52e3f5451911a83f2d37ac7b582a494cd053cfce5aac74

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
5569fce466318056f9d2cc32f417feed

SHA1
244ef40d9f4bd7d041f14fafc32aad3b9488d50d

SHA256
b3077e14cc7cc67446ccfb6c58b2d55305ddd6c85f509c97e4b76b80a0a6406d

SHA512
d029bb8a6c59860d30d9a99b069459631a4e5526582d5ffaf03820a7655b91efc83ec02f1d0c31333bf6df3e55bdea261a0b48bf38e7c2948084c894ccd0caf2

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.infected

Filesize
34KB

MD5
23d3a1852c5703dacbcc8cec1bce3014

SHA1
1cd7a8dad0a9394c282bf016e91b83c2bb858e17

SHA256
8fb002d24227135df05b25df6f66a4a53d605af997215659ea86bd384667375e

SHA512
4def952c2c93b837ab23fe144882b329293e453dbbbe6561935c206ac83c741d5a86b994690cc89158164595d6a8258e1416b3fde151e9ed4bcb222dccd173b0

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Stable.msix.DATA

Filesize
56KB

MD5
da531fefe5c41fc6fe9a474166e879e5

SHA1
b279de1811e7262afa6db5dfe6219bdb0fd64e83

SHA256
504e56586e850437a2fbd055e0940581f110211c1beb21609ca9dad24ca210b3

SHA512
bca7d42dbc87d0cdd7631bdc1807027b276fa6a4ec33fb7464e36d3fd87d9c5be3485ef9f4bf18333ed0f9b6fce76805320f113f9965e29a40170f246e1484f7

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
40a708fbf83958ba52754165660456dc

SHA1
d3e039f525eea3a7215269a2cd90690c96083368

SHA256
02f86d044efb64d0b6cf8f7280a6a84d1ca3d9901b1d8991ec72796ecc9201f5

SHA512
df73305a932df35aacf4fde4e71031762b3c451dd18ec1c1ae76df3699d41457d98d66d9f8697b42a396cb5d8e8c264dfaf7cf5cd4319aa96367b071c96a64b1

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
374f70c30d64a4ceaea01333f1482996

SHA1
4016418009e0608478666b193081bf7673ce02fc

SHA256
de773103abd0fc1f4d8dd83af6bd79cf4f2d6434c81c47bf06fb6fa74d641d1f

SHA512
7ad119f2cfd20b2a0687627a4df6b712f7516c9bb54166c264a3d98b1992a16dec4e8bd4cdb04ee1a5bfb1c26719ebcace390f3074df23624ace57bfbc597d56

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
db1d370acf747a25c0696e8ce1a11496

SHA1
d1048760cefb1fb22f4a7c5894f99e94b2c13078

SHA256
0b0a821f748eedd5de7e81f8e1435c8355512506d77948530cf9ed4c49f0557b

SHA512
f48ee9e86bce6c11991d0ecdff08c602b072179afad03559764d78bc73adf0520ee06da0a06d8afdc6467cec28ffeb4bbdf1e2cee59b37e45a67903063e1d38a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
086c8e411bc5ebc7a43d21caa0d023b2

SHA1
1588ee5c49d174240e61ec890575fac7a0a7bc68

SHA256
95494786e7cb0ba08f1af4665fdfa39d300d98624e70f49e025d8b34ac20b8de

SHA512
a9599ddee0075715a97d1766bc2ff1ae44155f6ef6822672a3ab9c84aeb8024d92c4c2ee99cd2fbc06668bb721fdd75181a4c11ec82f6385f9e18b4dc09e5a96

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
c9c99b04a72cd23a71b29cb05b779a8c

SHA1
2a34cae0503e8c46e4eca59a7d781e27a97f9327

SHA256
12d851d7ae47b47ea0feba6c2f0a9be2a603dc8d3323da2417a43e6e987eae11

SHA512
5d79f7feead07b6c9aa560ccb0c2cdc6c64eabf7bfa8272e5c58c0f851e5ffff8647749980be00008c6c4efc61104327544ad17494c0ebe2edabce5c603da354

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.infected

Filesize
1KB

MD5
8eca7afdf5d4e0dea2a7eca842d7e9e4

SHA1
deaf7ad0e23f5b9870afed96dc7ebc8edc1cda66

SHA256
315071a53a0ca5a1bc8a1a06b0294b6c0152bb943f7b522bf3c140a690de226a

SHA512
7e6a6a64f5008658770c24e841eab656a65d6fa8fb64e788ff8519e246f4484621215aa4b7fddefcad66c6ac20f913a280a7c1bb43ae0b336cb9c484dbe8cf46

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
192KB

MD5
ba293fe1bd749620126c362f56432885

SHA1
8fd9c497eb1a2b534daa876a9c741d9061396ced

SHA256
789bcd58f7d57858455bdb0ccea3dc11f91ad45472bff8628b82c11e8f27e228

SHA512
b8f33fce5db5bfc90bd0e3638d10f54ee3cf92b776ff0e81b229937b9d90198d2fd7aedea02e974dbb1bad3889ae1a896191dccbf91e1a0d8667da5af2816ec7

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.3MB

MD5
61d7810cadfb6d20a8d157fde55347be

SHA1
552634121423c40add6c02411d703cc2294dfe13

SHA256
fe03cf09e33c81236785bc0c215fed1c40f55ee4cf4ce5a2387e84d92598f89b

SHA512
13c63e556667ec62727c660313230ba510a9679c236941363e9f6551035eb92336f7cb64861f7cb816ecbd33179b7d51bc0cf6691092188f4f99c166d43dff3e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
0e6d8ff4c4a669c09d07191d19379aab

SHA1
947a1011d793415f346a7303f67ffb64b4523bcf

SHA256
9be6e652ace277c5a5c2030cf5820762ddc46c9fa709640eba9b2d2b7154d818

SHA512
024e7cb9eba592f0c7311388301f8edd181a8f68721333786adc5ecfd8bb5e37c6d4b55f87306d6ab34b2a639eb181136bd6c36f20e72beb6a781175f6390b3e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
dfddf681d6e23c1565e91657371bf209

SHA1
a1ba6caa700144fdfc87b4d391c760d9b72fc58d

SHA256
67a359f306344f44b75e25d1bc5c27a61eeb825aaef1b76441964487c9e4ca9f

SHA512
5196f8c026e7eea15c8b80349f12c8abc87a8652167fa79141713c588bfe9714302c0a1ad243040cbf496f839b92b3d6a0cfbcbd64b46f4029ad03d681078f9d

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
95ac4c21357b8f46381aed4ad1b5dba4

SHA1
1233581abecadf256f132d229393e6e64f4b6c2b

SHA256
73f4b125bb2c3ee6ff272c31401217e62abee5020e84912e018ac8ef9ffa540d

SHA512
e07eb80ba2eb11c16dde250be55fb763716823e2b474c89c730eeeae8fbf1cff05a344407b4b02dd17fc66264287f96f7624bf2c754acfa73e1873dbd35cbe14

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

Filesize
1KB

MD5
3c2801b5a0d2682ad499072b56e0b0b4

SHA1
0b6a2b943928f34ae81b135664a52a4869725ebf

SHA256
d1a8c41377c59bda48ddb61bb2c4b69754fc6c1cce7553c9feac08597a3d3765

SHA512
7e76b423a1ec24660cb3db8e61b37b9a99c0ab553e6636af459daefdd2262773637aba130d25f954b18032a4dde3826bcbb4f269f6d12f8008774bea13fca2dc

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.infected

Filesize
624KB

MD5
d303c8bf96a666d6836a3abaa0d52955

SHA1
6469da5d3f6424da305aa6986d416750b466d312

SHA256
d9f9a1a936abe2e3387a0724e5fa603565d29f929666c325ad2c43d80e050f0a

SHA512
1863d86e42a23e16a2e62f66a9470580c5b756b37e3ea2b07cb1917eb9e2ccc6c2e4c90f9169d362f20f08ba72a3058cfbee7fa48855e3f1dd741a0646aee82b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
3cfab6a145c8f099839b41016e2d4290

SHA1
cd60ec701b985a9bc03f22e9c559a1285604a9b3

SHA256
a34b1d55b1df3fb4197d91c90587f64d4d2914ef955f0264d47e6f6f7c1f6d34

SHA512
8328aa03b69bff0a819bb855240195e8ebc1a2f667fdc204413544b839d6f30e86650a5513b551e8ede7eec7700f5da1831aeed5720b2a5b121c8fb1cc6d992d

Download Submit
C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

Filesize
737KB

MD5
3780a1fab16ac6c32162464f9f8380af

SHA1
86e84028a32f957b0d7186289bcc5b75dc178156

SHA256
e5f4da987485025088fce2917f8b1832e955f5094dfb2b73b26135809e599a27

SHA512
d7818776f1abdd073db591d2dc92e27c042e7c551fd9aacec9fffa3b7fdde6ea8dfde28d0c4824dc2f162bee282eeee6caf8c9c6a95026338248949a1c568448

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\000003.log

Filesize
1KB

MD5
65ca41321a3c3d070d0746aabd765022

SHA1
ca8585ee92d611f2cbf1ef3a814437982210135f

SHA256
dbb4ccba6cddfeb11a00528f27ca64e988d4cc66bc61f8801e9444a6c07fc2b1

SHA512
ec908aa16b94bbee275f1cc927cd7e2335476869b14ab3898ec6098f46a76746fbc79ecbc78c1fdea0550dcf8dc221bc6a0e629579c858fa4ed87e56e1546450

Download Submit
C:\odt\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
a8514fd9f3a52ab2a00f57494d03b2fe

SHA1
0e204aabbd8b5d6ee1b36d10429d65eb436afd14

SHA256
056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

SHA512
6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

Download Submit