cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9

Analysis

max time kernel
160s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Size

332KB
MD5

10c5fde0d48f9058490705ce7646d73b
SHA1

204eaa05dd25c6d71cef19b16c0cd232b05e1ae8
SHA256

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9
SHA512

7d37506597ca2e8bf624d0c6fca592e72e436fe4b906ac6334a4ff6b57f363834bf35f1038209e6bf67d43b39f538b7ebdd72a2b268dd1297bf6c99728e48854
SSDEEP

6144:Sq9ezqsEC8dS7CCKUf+9xwL1ZTcDCzyrxQX3hVds+tfCOu3miq/RiXq:S4JsE3CKUf+9xwL15cDCzie1ChhXq

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">TpdZssrogvNiRr/jfiO5PBVNaXozUv+Jyt+2iSfkjlMFuVs6Eo8Zw6gMCNU0EebrV2+lvWhaVg3nL4t6xGGYsDOrycjrY6ZfsIC5o3ZMkk2jZDlwQAKBLDTVhnDxdP4dCTxds3HO4tVqR4SePjcwuYkVnG+e1EGUAZcX5Pd0gDBDLOYBoMDBiBMFbFa1rT2NFGxVz7L5Rk/MBU1X1TBjmJ0yhjCkwzvJh56A6oMzKEI8VyLhfbMb2Qq+CoHqQz7dLhuwmLXUDduTvJ7Aq7ynySTWX05pGMR3J6NAxxC6+H15Hm3dQvNgsSkWSJRtC7HSCnYjXm11ZlYRlq7IGZzJYyIks9RjEwPTXXfSGFFt2MrZxeHw84v5HZuItV72IMFffUQDrZ//edhfU+EDzPKY0FLQdcU69SG6g5MfjDY+Sr9spxpqGTVzD/nlXMaCtn5p+hd1620Wxx3Blp49dF0frJDo7U3HYJVP0Cad0eofMSvPftyt2gsLnQtD3H026gmhrEmAX9uy7Ju0jGlsHzS5CuaXa51Wi1Jp/mjXXZwp4tm/D1bMpm5B3186YOE8HdqmiNz4veRzyxGRNeEbjoCKuXnr1CGQEsaO6k3R6MDzOOUCOcMFCXym2Y1SH2vockGAOp1GJLXgXv4w5SsrHMzV+eKjmPMfhuxfPog5T0gJhHiDQ2kO/UzBFUlgS4Pkv76YYNugI+3O49lKMdMH4TwOdfwu/9Lrt9rz4vaZWc/yEREroaKPn5OkK+hx6JpWzU8tn94zIOnBvj9hzA5K2gaWHJUEz4RTaPhnLWWgh0i3AgIXxXE89XohgGB9+uU3izD9RlHSUN7CyJ59oTD1UooA5oeAdmPHlfYIDWghYQiw1PEXbkDDTNkG4y7ibHNItSW9QuWJe6k0VnJ4FND9NPiksldnu3BVBWmWWLOZzQnGmAm1LDX9mMuneVeyO2mS0KxBYkCMjh9bBDtODw9y8NgcbF6iDgVFkh5rhbjVXwVcsym61DOQFgXKa8L96h5v1pwVJ2JjqNdgHJrFz4XfcHwJ3gY5QbzjqRWVf4hF4oqQGlmoCq+jxicLhYhU7xmqxv6su848oDLydpyg4VlobUA/RaKEEd6ws1y/LdBf6g4ycL1MZOayi5sWu0PWtMZZOmhwPU6SOCs24aVABXfEufOzPqzfJW0Sf+j/HQufZrWDdiuBY1qCKu5k1kStH9ExkpbiZC4+D3FnFGB+vibp8k/sftHzSk8DcBi7YLnDq3Pkj3BPCDEZQ5T4JwKh7IadkI2gfFcLutT0YYvIErpwaAEkahgFGTpgjTLPJBc3S5PDuzXKoeEgLb8O2CxpTbm5yPM83dTKNfaMD9OkphWOxkj5sKNCx5X8WfBnqo+188cy8rGCHKnWwzopmHM3p3BLtuBEWyKOl8OD05cySKFsbqcPJf4T5aLnIQ96oyp6p2nRe5qtAoCIFuN4ztIR31MTUIC9pLrHXRY5vhhMmbhL5MmecSV0PXl00+79N1BNMikPTDeMWqhFyjUR9yDVjwx+z0zoNwg+QD6FAKW7CQq4llFnDYRw+XZCKnyXgmvXWoiC5I8kUvRg+RraMdndvsUd7xJiLIrZG4H6AwjzIuaBERAff/B9oJtZVctBn+eBjEj0kSzQW8p8HIwSAXISad15TV9ZKKmZELMR03QK6V4YM8+dmIHkdykaShpQLe0etpGWwK0=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp07@securitymy.name ">ithelp07@securitymy.name </a> <br> <a href="ithelp07@yousheltered.com ">ithelp07@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="ithelp07@securitymy.name

">ithelp07@securitymy.name

href="ithelp07@yousheltered.com

">ithelp07@yousheltered.com

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description pid process target process

PID 1972 created 3424 1972 cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4264 bcdedit.exe
3744 bcdedit.exe
Renames multiple (6034) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4452 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1260 wbadmin.exe

description	pid	process	target process
PID 1972 created 3424	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	Explorer.EXE

pid	process
4264	bcdedit.exe
3744	bcdedit.exe

pid	process
4452	wbadmin.exe

pid	process
1260	wbadmin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description	ioc	process
File opened (read-only)	\??\S:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\W:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Z:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\A:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\G:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\J:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\P:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Q:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\R:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\U:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\B:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\H:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\L:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\T:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\V:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\X:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Y:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\F:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\E:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\M:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\N:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\O:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\I:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\K:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Drops file in Program Files directory 64 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforcomments_18.svg	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNotesList.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-36_altform-unplated.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-200_contrast-black.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-200_contrast-black.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Microsoft Office\root\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-72_altform-unplated.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.ELM	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-72_altform-unplated_contrast-white.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-200_contrast-white.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-400.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@2x.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\ui-strings.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-125.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-400.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-high.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-32_altform-unplated.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\20.rsrc	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-150.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_ForwardDirection_RoomScale.jpg	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-96_altform-unplated.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.Preview.winmd	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-200.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2316 vssadmin.exe

pid	process
2316	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4508	taskkill.exe
4212	taskkill.exe
3628	taskkill.exe
928	taskkill.exe
892	taskkill.exe
336	taskkill.exe
4456	taskkill.exe
1480	taskkill.exe
932	taskkill.exe
4360	taskkill.exe
4820	taskkill.exe
1580	taskkill.exe
660	taskkill.exe
1400	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

pid	process
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeSecurityPrivilege	5012	WMIC.exe
Token: SeTakeOwnershipPrivilege	5012	WMIC.exe
Token: SeLoadDriverPrivilege	5012	WMIC.exe
Token: SeSystemProfilePrivilege	5012	WMIC.exe
Token: SeSystemtimePrivilege	5012	WMIC.exe
Token: SeProfSingleProcessPrivilege	5012	WMIC.exe
Token: SeIncBasePriorityPrivilege	5012	WMIC.exe
Token: SeCreatePagefilePrivilege	5012	WMIC.exe
Token: SeBackupPrivilege	5012	WMIC.exe
Token: SeRestorePrivilege	5012	WMIC.exe
Token: SeShutdownPrivilege	5012	WMIC.exe
Token: SeDebugPrivilege	5012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5012	WMIC.exe
Token: SeRemoteShutdownPrivilege	5012	WMIC.exe
Token: SeUndockPrivilege	5012	WMIC.exe
Token: SeManageVolumePrivilege	5012	WMIC.exe
Token: 33	5012	WMIC.exe
Token: 34	5012	WMIC.exe
Token: 35	5012	WMIC.exe
Token: 36	5012	WMIC.exe
Token: SeBackupPrivilege	4840	vssvc.exe
Token: SeRestorePrivilege	4840	vssvc.exe
Token: SeAuditPrivilege	4840	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 4460	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4460	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4460	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 4460 wrote to memory of 1880	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 1880	4460	cmd.exe	cmd.exe
PID 1972 wrote to memory of 1008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 1008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 1008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1008 wrote to memory of 4188	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 4188	1008	cmd.exe	cmd.exe
PID 4188 wrote to memory of 4212	4188	cmd.exe	taskkill.exe
PID 4188 wrote to memory of 4212	4188	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 4848	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4848	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4848	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 4848 wrote to memory of 1088	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 1088	4848	cmd.exe	cmd.exe
PID 1088 wrote to memory of 3628	1088	cmd.exe	taskkill.exe
PID 1088 wrote to memory of 3628	1088	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 5016	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 5016	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 5016	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 5016 wrote to memory of 4216	5016	cmd.exe	cmd.exe
PID 5016 wrote to memory of 4216	5016	cmd.exe	cmd.exe
PID 4216 wrote to memory of 932	4216	cmd.exe	taskkill.exe
PID 4216 wrote to memory of 932	4216	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 3008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3008	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 3008 wrote to memory of 1720	3008	cmd.exe	cmd.exe
PID 3008 wrote to memory of 1720	3008	cmd.exe	cmd.exe
PID 1720 wrote to memory of 4360	1720	cmd.exe	taskkill.exe
PID 1720 wrote to memory of 4360	1720	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 4932	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4932	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4932	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 4932 wrote to memory of 464	4932	cmd.exe	cmd.exe
PID 4932 wrote to memory of 464	4932	cmd.exe	cmd.exe
PID 464 wrote to memory of 1580	464	cmd.exe	taskkill.exe
PID 464 wrote to memory of 1580	464	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 3868	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3868	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3868	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 3868 wrote to memory of 1408	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 1408	3868	cmd.exe	cmd.exe
PID 1408 wrote to memory of 892	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 892	1408	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 3352	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3352	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 3352	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 3352 wrote to memory of 3688	3352	cmd.exe	cmd.exe
PID 3352 wrote to memory of 3688	3352	cmd.exe	cmd.exe
PID 3688 wrote to memory of 336	3688	cmd.exe	taskkill.exe
PID 3688 wrote to memory of 336	3688	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 1256	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 1256	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 1256	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1256 wrote to memory of 2432	1256	cmd.exe	cmd.exe
PID 1256 wrote to memory of 2432	1256	cmd.exe	cmd.exe
PID 2432 wrote to memory of 660	2432	cmd.exe	taskkill.exe
PID 2432 wrote to memory of 660	2432	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 4500	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4500	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1972 wrote to memory of 4500	1972	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.execf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
"C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
5⤵
- Kills process with taskkill
PID:3628

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:3644

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:1840

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:4504

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:2272

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
3⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
4⤵
PID:4020

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
5⤵
- Kills process with taskkill
PID:1480

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:1168

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:2628

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:3248

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:3620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:3140

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:412

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:4060

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:3244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
3⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
4⤵
PID:3024

C:\Windows\system32\net.exe
net stop REportServer$ISARS
5⤵
PID:5084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
6⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:1740

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:5096

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2316

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
4⤵
PID:4960

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
5⤵
- Deletes System State backups
PID:4452

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
3⤵
PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
4⤵
PID:1400

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
5⤵
- Deletes system backups
- Drops file in Windows directory
PID:1260

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
3⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
4⤵
PID:3156

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
5⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
3⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
4⤵
PID:1432

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:4820

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4264

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
3⤵
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
4⤵
PID:3240

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoverynabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:3744

C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
\\?\C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe -network
2⤵
- System policy modification
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:3248

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak
Filesize
1KB

MD5
db5fd80fdfebb385b636e992e36ef541

SHA1
f401f0f3a0bf2d2a49aea8049eaccb3692aff075

SHA256
d96b17cc3e70f462f550b6cae12db271845a6b2443a74a21bd6dd6c234af5f31

SHA512
0be210b4001665c2e7f8b38ebfa6a6875372e90d6f94dc46d048aa781dba508750812b3d2f02e9f5a4a3980d3a6103d91634b5d591f12d66c5016df8db4ca981

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
Filesize
52KB

MD5
4b0ddea732a60a34fb69e5e746ef01de

SHA1
596340c1a94afec35a7993af7e30c3f10684a25a

SHA256
caaea015532ebec6226d575c4ae512e9501830489f1fd8d1168e2884bb0a014a

SHA512
1e22f0f12eafaf0bf403c7af64b4b78b53f7d64257d4b6af5bb18e14ba2c90f04034a5ff1726246f29c94674587be9477b0fa341cc887dd8cbb5cec23161eebd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png
Filesize
3KB

MD5
8aa389bf627c9f314db9d4a3f77f34a9

SHA1
9a2f8d5cbfe7009309a49d6f0f5eec1d9085cda9

SHA256
02a41d246e459059fb766ab864b660d99caef7410dfea08c086b6dab30ea80e1

SHA512
de2b54daafe9a9173e024d6952b6c9af8625b74b2a3de136820f35d3ef462dd4e26eba4b0baa59afd070ce72b7cdc50372b6573ac33f1c9ef0218f6d4edf943d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png
Filesize
5KB

MD5
15de8316534b8a4aaa6ff95b8b2a6093

SHA1
5e20872c8591ebed41dd021722119e3975bee34b

SHA256
72869de165ca3e460be3b3fc106c90eb0f3ec3f9a379dd44fb5d624c68d0a859

SHA512
981a479fe00c17e8fcd211a37dd6624aab55a969dc6d4c4f0c5bb4476a234b3768b99e8ae3ed2fca51ace27c176475788130a05b11c70774769bbb0701a814b4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg
Filesize
2KB

MD5
c2505781691c3dc627e1f6245ce3f773

SHA1
382ce8077fed62c2ce70ebb0b713de1c837d2add

SHA256
0aa517933c44f532960954e15ee9df36660a30ee290b1c0b11e45492c72b82b9

SHA512
cba58925981c9f22062f6e05d0c82aaf4b8bf4ad3c5704f4b6db90df23d93ac440dc4e0cbdd51c33e0825221b8ed93a57721b962e52d43b32b1ae037df9fc646

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg
Filesize
2KB

MD5
e502cb81dc178892b21e2c8ba99f6911

SHA1
8b0a6d9b2ed810a5922036b956fccba704f0deb0

SHA256
3bce87b3c9cb1567a71407e47beb3e66f44083ed0761175e0e356fb76fd345d6

SHA512
be9f69e9a553bd353e3faa84871185b66159964c8319f471f7a508e8c6b7f57898d3424b2534f6ee6b44157810b75159b25afe2e7467a13ee508c2844b79858b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js
Filesize
29KB

MD5
7897ce25c7507ef38955837e0c70ea18

SHA1
5a874159f256e8a7603b5502704de15e7153f661

SHA256
395ac7cd458f61939a9aae90f1a0d2eb4e6a9e4b76eaa5434669fb2d78d25dfb

SHA512
6f9e571154168a2562c9178ef57640ec4610a0482724a888a3988a8aa0efdd0e87da52472622aadd3dd77f716434420b41bec3cbb14eaa7c722019f5e655aca5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js
Filesize
2KB

MD5
4c27b76b8f72e1668195a8f93281e6b2

SHA1
8625a61bf7fe6e1fdc1098ba81f94b6e0ad1757e

SHA256
05663d709e0486953cc52eef99b813cdee6e95074f8dc3d3d78c1a91b86179b9

SHA512
084326d4056dd47f8dd5ac0d59f6a339ecf4f2ca4f9eac3c54c14a873ebac038f128b56a56d0b523a66c7113990ab2209ed3843561f9d71bc1f09d9c31e349bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js
Filesize
5KB

MD5
ee828380debf34333ec72759d41b34ac

SHA1
43d87a8cb928e3051d4c00e8c6c87f80bad895bc

SHA256
aa722f5c3fa27f5251109c570cf28aa8eed7b069e7cb625b8e8395a6e3d64ddf

SHA512
f076abee79fb3dec37a2b4ccef40ef7ba9d42b23cfe2219174703a62738ac170a7054877a87883125e8a697cc342f529f6e553d4faff47dfe3699cff9b9dfd41

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js
Filesize
3KB

MD5
8a855c669746869b4f85cf3c7e455569

SHA1
079fd6cc070b31697b64c35a8d6b9a54b0a390e8

SHA256
cfdbd7e017106f6e220bda45d6b26ba072663df40c81368b066b642ae68e8266

SHA512
1da3e3c85756d2b6fbf325cb429a848ed2683227e877b1b9d0b7b32048a944d02b756378e5cb33a35667d8cee9fb561b24bb9d5ba716463a616a6aa8c02f65fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js
Filesize
176KB

MD5
46721cd62e2852e60051d356a8d5892c

SHA1
ff9277f8bace98eb86e6f53f63badc6e8f5d92ae

SHA256
a253c6b6ac223063ea6d1602e781436e2515775cec9b320336dabb0e7375d803

SHA512
a2586242e6a53aa3513ff0738a8a06e60cd69e43f6d8ef7d53984e2e3888db7424a1e48ab1fc9e3307d06b1649bcb314b49c791036f52e8ea9aa57b19c9cec07

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js
Filesize
377KB

MD5
25f017c2dcead2b6b170bc8a78f3ee9e

SHA1
8d94d05fd945761cd38032fc21e823dfb08c6dc6

SHA256
584872368eae7934ee85d7a168b72bc95c556df6e621649dee0e5beebc94ed4e

SHA512
f64b4dd5e155cf0c2b0ab42f638ce065440f0e1a586d8dee7fa5a6dd799c05cd96a5ef60fce3413fda07a2b0896214985317e66be0740203d552b9cb63594bc0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js
Filesize
4KB

MD5
c1bf73e7c78b4dcfbb5966bf868b7b46

SHA1
775513a80c1a0a5ed039d8ebefd9c3a3129c65af

SHA256
2bcf3c2e7bd9f89d9b63e6615f62f1b6b196b0a54ef802a10ae2e5904eedaf63

SHA512
b5841825459082d7504daeff6ef9a9a027b34dca7fe296428af89926773ff7717310d504559d1841e16d935158103aaabd37f0b017ec36d01c8f8be8d9c13d84

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js
Filesize
2KB

MD5
aa1b7e9cf9304dd9964d115f037237e8

SHA1
24c7c994ba16afc393cd60ba669b9f7fc3881a07

SHA256
025b15d08a7ee149fd506a6336496d5d15aa18999fd53a87708b56ac6752b966

SHA512
4934019946db4d79f7d1692dc79fa97a31e846befb07bfd455cdc5dc4641143837d57fdd168ece4a272ef8b90a01f7023cde9ba54f520b7efad390faf443f54a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
Filesize
2KB

MD5
7f9b9b82c06701057575cb2d26604454

SHA1
9cc9225e5415f4c1832b9cb260616d0af4d306e8

SHA256
3fcf39917f7cd109b55f770178d61ed2dc6e7ee8fefc3c124be3773f5d98187f

SHA512
4e527e253582eb1d9c54b99e0029a8e496569946a52781f0353cef5b1bdbee3ccfb04521cf1a283cc5610a995373bce77b099e59dfdd242174926c283d63b1d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png
Filesize
2KB

MD5
0b799b47590b8da9b78e9b8a5ffda935

SHA1
031c6cf5d2251864153d393864aeb52b29a21ec0

SHA256
34a80d6db62b8bd2f1cf0517f5b6c2464bee40ca7f03e42bd8c10610aa23151b

SHA512
a998687464ac11ab37fb081b4ee218227ad5bb2b923e7bd7dd6ba89ac8dc5e612931d0d17ff36153cbb487ea930b8483c81a5106c9944ca419db70b3cbf92e67

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js
Filesize
2KB

MD5
0c0938f333e78d0a3188e74c3912308f

SHA1
5c2eb18d385f677ffde6fc7c672d181d17e47f7b

SHA256
ddc424a1b803cdab7cd6a1d2fc1024196e33849d63cd9722e93fd6f959d05e11

SHA512
18ebb00ed6bd920eed8d90006854dd946eb98adcdaa1a79fe1cf5c1f9eb63b43ee42c5b8ca34a3935dc13ef00fec0760cf1539eb4fb63b9121cb13c2d32c2b14

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js
Filesize
2KB

MD5
3be3cbe200465d1c872bc5ce3a53c7f2

SHA1
1eecfb4b3a29a0c5f232a766366094880c823bc6

SHA256
963db5bd8018f1d9734dc9b9851a87d75d27086ae14883112be133857c339590

SHA512
de78c2e81d6b6fddea6d14b3f0c3eb34dafe23fdd183d391212ab8a612016401d7c55c88a1bf0dd3a1355c5bbc0abd863384e91f6883460bd2482f153c856743

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js
Filesize
10KB

MD5
f7e147cd80432e086080543ec6197812

SHA1
223dc0697ded0a7751c74f47851348eb05a4a364

SHA256
6e71f86d5f07ba43d44ec0b11a638ff2cf3f9acb5c249bea57682e612596d496

SHA512
82e7dee90149744d58722bac2701c242c54bb9c004ae6f45135b0d8f624bd1bc6e853124ad435e0517674c7d8f47aaa103e7bd7d4578e4ccf9a8d6c8b761d2e0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js
Filesize
2KB

MD5
bb2214d3bb7fe44754aa643fa46fa479

SHA1
3a60d2b680916074595e479c35d9d454a0ac26ea

SHA256
0aba9f28c0a7438ae2477c9bea3702827ea49d29320ea11fa77e4837d3257d7b

SHA512
3071a5805da6c76a571206741c4bc44eab0219ff49bf4a3906aaf5d09e22aaf07298b5e0df1bb716caed8965ea5020b05c10dc2daa7203378e6d3cec33b094d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js
Filesize
2KB

MD5
13dec6d7244ed933f4890bd91901d00d

SHA1
08e3b46eac6d925301941cf8ca3694002f6f633c

SHA256
fe7b5e813b10a6c5b4ef86ddceb8d6767f07b06bc03d9452b541a6d5593fd3d6

SHA512
60b9d088594b5020ef5a8c0f2db2ca7893f1d44eba5259df97c74b9010c2c9ada5f9558f9eb7569b8e20d0552e5d62a5a53366971c82f2e02cfa0327766349d4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js
Filesize
2KB

MD5
6faf7404d4c2ee7730c38fae26c430a8

SHA1
c462ca83df46c0daf0fcc72222893d763d5bc48b

SHA256
ff88b5e5d357a2e56ca135375bf4174917c0763360e9e6a865e80dd354d966fe

SHA512
18d24739f1ae0f98b3b3c00f504c5b70ba5014b5231f84d5ec6cfe85154ce6dca42d751ecfdb62bf860ec3a07c7303d5962714b2ccae94c959a8de52c5db0d73

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png
Filesize
9KB

MD5
35698ddf6f7f8c466578413fb2d614e4

SHA1
cdb4c5a978197e08dbc3831869d276822a352b1a

SHA256
10ae21276391dd8db7a9dfa33a093499a9f16624950c2699d9f39d8237330931

SHA512
f6944ca0c498645459b9e37e8fabf690c43163f447823acfb31e2817d2187e89e72ea525b3d1c4c37604081b69bc67e89af4cccd269b47dac5a609e3014d70f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif
Filesize
9KB

MD5
e18203f48a788bf47315ee31d9792513

SHA1
a51dc6eb06aee1204198f6e6f2ea9742bcbb6cb8

SHA256
d6da10bd948a48023b87a9fa18867e1271d16630e17067ece4903774ec01e29d

SHA512
e2338691c8cd7d723818eec2a9f7d45de011822b6d9d12c8d3815ea60100ef20ecd25151341b8c71713e50960eeb738863c3be3f3948d3913c7d30d6d7f26b60

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png
Filesize
16KB

MD5
ccb1fe5755e37b47c6ad674d7a30d17d

SHA1
88cafa3848c5ce99733191d9c997535776dd2d48

SHA256
e8028262dd3646308c13eb4b5aa5c659589a829620eaf5796c3219d22cddba4e

SHA512
cffa188e6950ca193147c7499ee39dbd97b2bd1dc90df08cbc3833e1c7ee8ee608cae3de209c39e31f48c0557a9ad6b265a4c24293a7e0938fb456c9f4c6e852

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png
Filesize
9KB

MD5
8a84b2582a7cedc5ee0e022810c1040d

SHA1
3ab930b5524025ede8b7404fcffd3e9996160c36

SHA256
0ad435166d2d65e19210d31710f7d784e4e0ba8704074b7adb64f46b6ae96da3

SHA512
7198d6bccc3ee6c313bba646c96e97fd1b6619beceef91fddaa38604c9b9b8328204586e088a18eed6d4e23e7e7d90c62b4ed14651e074d55ef2a915c14d8bed

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png
Filesize
18KB

MD5
7081ee37dee7c49e64aa888bd76f575a

SHA1
26930bd614a6df7082de71d15e0146a81540a16b

SHA256
40b8c2081f84a11c457381afd2f9b481b25f64f98b27ca75c21b2bcc71477a8a

SHA512
0f13f86d327e5651f37098ea89e5754cfc0c12e0bafc221a0d3dec1afcd6919daa7b249b4e30c24fdb9a56c98769f6d280a1771f7fe823c3be5d689a0ea53555

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js
Filesize
2KB

MD5
1ad7649079123d4ccf220fb9fba66e7b

SHA1
6bac642a80627a521e636898f5d8bd8d6269fc14

SHA256
1f0049c603915adf04951d8549220745e14e7f4c6e2487bb085ea68204ffb414

SHA512
d3c1c1a8de2d71eb637e36c8cc817b1dcf4bc82ec5b9fcae02946cba5bced1d349d33296923661b39446e117b4d3bad4221a1b444330cc5ed0ebf32f4daf3597

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js
Filesize
2KB

MD5
1768bc0b93330b013db6c1786e032fc0

SHA1
3f0172e85ffbd2e4f0cb50bb53eb99eca4ffe20f

SHA256
3017911a9f66a720ce015e0055c7a33827464199c6d7bd4b4002a0c1d0852064

SHA512
4be386f1091637a7d8aa30c4ef62f3e230622122d1e2f35e5d022186a3dd5f9a765eb046080441ff2a6b009d1f488678f15151942f869d2b3fc4596f24dab8ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js
Filesize
2KB

MD5
54b68803fd7770561cb7c94ed24df93a

SHA1
a515b98fffb516fecf787798275c8771627fa37d

SHA256
512a1cf34e38ecd7a8de22177e7b5487e782731911ee43d4651b0c54f7d0d358

SHA512
08d60fe195b2592c8fffa0906f5e2f19cb46f5366f94a1336e6cada98c9917f33ccb1463cc12ba0007fdf5c4001be8e5c1bc5635b8ba845d1dd8a741510eb709

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js
Filesize
2KB

MD5
e79faf040dfb64fd2e8cbea5c1b8575e

SHA1
ceb0bb60efbb5d7bc51a73a7bae3730dd472a097

SHA256
0f07b9f20b4d08fa5b95ef90e460b8dc0bbae535e4fa7cafd02795b2f124cc38

SHA512
1adb1bc10179477b5f6536daf5ba8492756ae78b121028b940b48a19256227f41c3e3a7833f497a694ebaa71d0eb56c99ec94f8206cea8e16baa72d3fe92862c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js
Filesize
6KB

MD5
ed1908edc95fc30fd06095834af863df

SHA1
bfd065d622f99216dd398275e3e4c4654898f2c6

SHA256
5dd93f7e19f9494213b5d070dc62d0c46badee05899f4b7496e83118c7d78f88

SHA512
fc7701c83b9abafa958d2513ac1cf762db03b0c528da837a8dc114289ba822bd9bce0f69b1965cde6b0247a37c071c35321557023292113aee2fee99c5c3b52f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg
Filesize
6KB

MD5
d7fc2dd57fcec963f77a4c5e8a4e187b

SHA1
633aac58340cbd10b9fb80fb02c66cc58af7bbf2

SHA256
d55cae2306feb134fc9d623add130706d82857e69e566f14b282f067fa170e15

SHA512
39f8a2dce79b60c0b34be003cc5bdf6fa3ae95b36e5254f9958520d9b4d878bc0cdc5ff7ba7e2b222285741abbb2d16500bada737b3cd7506395743e79918230

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js
Filesize
14KB

MD5
bd85606862c491f7ecf8820cd62b7647

SHA1
6f011634697e5317611a715ce6f849e93eadaed9

SHA256
5ec088084d6232bb59dbd8c89722e8e469cf018ba851ce456fe15383573ff746

SHA512
5ef44d6037e7c6201588ef153afe18dc272f14f2d195b4c4a95e2ce9fe3fd4813f842ccced273d50bd15313b8335f80a7abb6a4755533e72d57944d4a7dd26b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js
Filesize
15KB

MD5
94511ff7a9abb26554cf94340b893021

SHA1
334dd8237b5c16b35fd3f59463a0565ac4326fbc

SHA256
77062bcf86e221ea5b994a1d11fa484737a24b0a40bff5ae305ee9eb867a3ba8

SHA512
a559d76a1f17dad8ab436b1966922217ca8c6c02cbeddf2f32baca00a1768ec3d1d01c4491dd05780f9112321f6b71a5140d179b2ff535491eaf43a5d3c84932

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
Filesize
2KB

MD5
c922d93f3ea4e65de148257e4ab2dc7d

SHA1
c96b1c8d6c9e6f46328c3e0f9174aeb32be75df7

SHA256
840a77740c9f3f999dfe5c5a0cfca0073f7af5dc5e5d624304c1066527f7d553

SHA512
3467a7358216bf6e1ba1d02c4e218e27ef90493a8b7b25413d1e90a4d44d55acd6672ff8c9c72056b01655fa95f0af4ef4f3d77dcc3d13cd8dac80ba8a95f5fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js
Filesize
2KB

MD5
ce5edd18207baea3d13f07ec166a33eb

SHA1
ed3e3d256b680d20d1f5b7aaa4239f6e603544c0

SHA256
7be7a3c36d10debe322511b22265d64019d3335106ff1cc2a605ca885d45f097

SHA512
5b2e151cdb9da9d11023d48282623db6743ad78b12abae8989a5eb034cdd9bb96b4af92cc6caee67203e2f1d6b4acd261b33de32da954de7bd3e1cc09a4a0a10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js
Filesize
2KB

MD5
61b7bde8d68298e1a5579f4763f9cb25

SHA1
1c80cb0c24b2b016865c6b92b42423bf50b9202f

SHA256
1fa1ad7f70c1cd119d49d086549f9e93460eedcab63f2423a718e8eb84bfe614

SHA512
654030ad951e1c6aece27f790f575a9e614ab5601363ab489d402507a6fce56a316308fd2a66bbb057760cf8f19a8a5763db2033733a09f70a87cf4f1212d790

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js
Filesize
2KB

MD5
5ab8394b377e949a63e9629abb3fb0c9

SHA1
e54aaaa72ec1e1cdd663956a810cfb2b928f720e

SHA256
b910d10ddeea2255ab6cec39cfab27c77434686aac3cbf7e30cede68f028f824

SHA512
61b69422df494a2341ea8b698019649391641aeec2950c538726614cc831901ab22d60197ba3f30ca38c69f32bf166ca96831176ad254840c27a03d9e97d72e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js
Filesize
9KB

MD5
8555778a9778ad7dc4aec0313f01bb71

SHA1
a40032d98ee021b71b28d352d8ef4b4119150dc8

SHA256
3daa52b39efbdc52f9e43dab0db23208f997adee03c8dc4f891abed5945694a1

SHA512
4ab63822270db7bba4d8515f44f530b48a1061ebd819b137d5c83111cff7f18734d6ad14bd79a542c4e2dfb5c964130e2a124cece7b213cd7b40a3abfae00ef3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js
Filesize
5KB

MD5
77cb285063c4df6fb6e5c5f61a1696ea

SHA1
52b3eabeddb621e564d891d861087bd5f0ba47d8

SHA256
16499d79aace0a5ae3cd8ee949e9e79f94244b2d9de0b86bf7f9b68985780b3c

SHA512
a2fb1df5ee3a25dfe830461ccce8776edb9f03a8571b79d371b7d40a4dd0c088be66d2b893538c6bd3aaea267edfd388289f6600d0b4e3b60e9180cf156dad04

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js
Filesize
2KB

MD5
9568d2ccbbddd7faa307bb58d7b7fd8f

SHA1
118efeab2fa890f7006b3e67c5eef8e760506cb8

SHA256
85df4b496435196fcb56b5794b6b944b7d0e323dc0aaa7af4a6267a45ef74a0e

SHA512
ce5d595ada09d58c2acc5791fc795ce5988bbba51308a95e60fe0e6240419509f8fc06408ed5d82b74b914224a68c36631d27f8757f671f4b23f273acba5e2e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js
Filesize
2KB

MD5
640200bafdb4fceabeb15b08fc590340

SHA1
abd53057198dcf4fcae761ef312824b80be01a36

SHA256
e21e2b9dd369ae213cdd902854cd414ebf1a226676eb5c06463bc54e2fbf85b6

SHA512
f2f6477c064b99e197a4a860f488caa2710187a741bf55a1a127f6e8994bb313d5a1cc5441abedf43901d0fb50d58b7a0ea20202617613eea99a58435aa025e5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js
Filesize
15KB

MD5
8cd4e663c449fc57d753cb829bef6567

SHA1
e04055c62b36bd096a48974d3e187b4d2bef28a3

SHA256
8b1390e0ad1f79db05f481b86f5b2d131def65848bf2a0e1001228656e77cea7

SHA512
16fee9f2784d0cdb4fb68cde7a6c9a8bad405e12d589a24b60800f113838c25f1cb59365e002df145bfbd6a34628292238c5ccbc4845390818dbf89c5b5e0642

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js
Filesize
2KB

MD5
31eecc4323214814c32f5617b9d97a2f

SHA1
448b4cc02eb1fbb46877ab2fa50fd74d009be850

SHA256
284868f26c84c1a7afcdac67f3c80f47ec729da5cfac7f0a0c43fda62ff70e7e

SHA512
5478480c8433fa21bbe7d774643f6ce77ec759e32b20d1c6c94bf55c77e4073ff83948713de8b66aa73cb2ee00c457475d1fc331878120f12a5b11ac28ed5ae2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js
Filesize
19KB

MD5
a7ab03606d0690984938edb8d81e1391

SHA1
ba7a73968bb324e1ae8f6aacc173df2ebb6b82bc

SHA256
01ac2acc2a1c0415b45c897e6aa90ff75e36f705ffdac4f48f21c6be8f3774ea

SHA512
9da1da1fbe6ee2ca3c64b217bc09c8360720b419fdf5ff3d1f42c4242c75bf2019474a3eb99be1d412616db259eedf03b2fdf6c293933dbfeacf683fe8628b7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js
Filesize
2KB

MD5
0fb91fdb043181975be3c44560671a57

SHA1
b4401264806a5e2b73acb263d52d000283db13f3

SHA256
a649d8ed7314d001bae1ae9068376f8d6e4bc512dfa57b130875bf6a558edf53

SHA512
22353d6e2054e7a9b1f3e8d821842a9e9f61e7b9f5f84200fb4d7f7759ea8e125bb1b5764b882c9a9f7eedc9af4fff051699d070faa70e8fc99acb6d6e2e98f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js
Filesize
3KB

MD5
6c92455e1510335efdf8351d5c96b888

SHA1
bba4bbf766b743d0f010e00dd013ad799dc2eda7

SHA256
c61661b27d9e0805365bd8fbdb4e6a785f0a15e5fef604f75363e17283827bd5

SHA512
164e9aa5d93196b746f37dcd47c698141a1bb17667041b83dcbf6d4e41fcb01cfb47ca60e4c863f74ea92cc2c7099118d338c69ad7e6e196733d3cbfc3ee057a

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
Filesize
34KB

MD5
d6aac2737b91c9729da80bfc9702e20b

SHA1
6609dbd2402c95d81fefd0bd262f721108a053b5

SHA256
a532da89eba3b2690dd35836c71927f0bcc7a0292153a0d526766b1c4d54e7f3

SHA512
d3537eee6d9e2188f950bca3802aaf3c6e91159d594f67f589e819d229be317c466b1510e50edbdff6c4978f41bf2b6d9ba0dbe71c95a1ae112a8b29aba4d37d

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
1KB

MD5
be9b8487ddd048123094146ead9bba56

SHA1
45f0b3848c396945cd66a5a025b40d8f50f2116a

SHA256
725f5168384eb53166e852cc2d162d67fad0a7d572c843a256dbe0717984ce7d

SHA512
1abc07940fc76882d869e3033c25edb46ceb97a3fd5b49cdce6b16f5267140e27edb143c74f487412a7e0ceda06ae30fb609d6697b7e16d3abae6dc0dd59b71e

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
1KB

MD5
e3ff2ecc6e5557895a6d17f7264bb698

SHA1
d96e8b4ffcbe3fcaf5a200ff6f8e7f4f91a529ee

SHA256
214ccbe60d0e8c63a7a68beee8ae36d71f31fbcc502b4177ba1d982700769f6c

SHA512
80fcb09089963996fdf7045d4e13472241abe26a0ae4858948688a20db3ab16b93111e87f47492982a144cdd1d54e0ddca21a55677b4e1c779dc8809d74b19ed

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
Filesize
1KB

MD5
ddfb37a20cd5978e492a13671ebc0864

SHA1
b00d90da7c36ee2e35b6e9962ca530e46823ed67

SHA256
289aa9c22c4c6c0fabfae7b6bb2046fc98f42179a981e6f16c0f52f24e479873

SHA512
873d6ed6ed56c383b49e97f1130df69416d0ead451fcfb1f8ce50282528b939c024a0df57f931aa4bbdf0fc5086dd24e6ee3c2a4d7d18b8d37234d316d510a54

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK
Filesize
1KB

MD5
ee048a21d5272dbc6023999a29064bf9

SHA1
5f23d984ed09746f3a5927e1b9add8881366f018

SHA256
eb556d3731c0343952f80c4184e236f82a21629a59df2ec41643fc2796483d3d

SHA512
d5184564504a361fd1d0931766e7674473c7267f1d4e4e7a75a4ca82804040571f1c0e20ed69ca9fdb0dc286a5c2055674a307060022a97c69009d9ef5eebee4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK
Filesize
1KB

MD5
c8e514878251944b2a45c26732de2933

SHA1
38a6acec10d481ea1847a5667defd555407aae13

SHA256
f65a04b3d75c7b9d5951286fcda7072f5cb123334ef31a8ddb09a023febcb06f

SHA512
6c9616f91ce9a64bbf4ac4a30c4ddf9bc8dab6b99d428ae4b989a4ab0dade869503a760c982789c01eeafa56e2e786d9186b38186109a0f913ddbe5adbc99280

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK
Filesize
1KB

MD5
42fd081943f2890cfee5ca06fd849b64

SHA1
246e11af81942011ac3e568d9efa78f9fcdfa5b0

SHA256
79b6e7fd03911b86f28442403238cdeea7aac729fe4b4d2302dcb1b749834edb

SHA512
79c8856691053a1cb9604edc0588e57dcad294394b6eba61ee1c77031a7d9ae5d23782b50e9230fe36141e2e0877233a770f58345cfc463f469f58202c2dc6f1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK
Filesize
1KB

MD5
d1143cdea5edf1fa29d887835f54bb8c

SHA1
b6af2ce67f4b36195c87fc68fe211b12a06bf4aa

SHA256
4ff1959a12ae4a893c6a8887fede010b7aa6ce7561cafc002d73089e9de7d7aa

SHA512
1a1ecad3636edb71bd82f30f2338000dcbeaaaa244046146eb601ce07ce5710bd601a3e0e7f95fe7704e5fd6cb3b9fd90fc4c5737a6e10bb45a728bf60af310f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config
Filesize
1KB

MD5
54dce3a8077fd62f4d98e3266613d5fe

SHA1
ca8e70d4a08eda2353c46cdc499a82f16c88509d

SHA256
e745b9ec2535c5426173560c045fb20813c5d3bc82688173e52890ca843574c8

SHA512
c930e0adb8553380c430407903fa8846dceea5939920fd3da95668ac3f0fd8301c91ae6bda123dc09d4cce3928fff7616fae7c6af7aa3eee34d78be4e77f76e8

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL
Filesize
246KB

MD5
f8c5d6bb0d98a0c67c7f1e5c357df8f5

SHA1
3468446e40ef1d706becaf8e0cbfc49a16097cea

SHA256
e4e949bec89d246faa8be6723a07ca9631ae62e5fa2736c3cc9450f520e05138

SHA512
7b437354590d283a4b88463da4c7e544586fb12cb2ee586a6580b8ef18b37033e843743ca05f0657d33cbf4980d49e4d14a1cf315cfb8a2ad58d909826845b49

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub
Filesize
1KB

MD5
338f5d76c69fb944c04bff12791d4f90

SHA1
511910bd50560c38830e8e59902e6756c1bbf47e

SHA256
115d2cc0cef0748ba7dfed1f1e32afebf94b992e78c4ed38da5c1a217fc0b542

SHA512
27d57eade7bfa6b9d65182a4cd8a705d6d8249f48fe1ae6359d7412b859bc75530439a9212ee207c016ce70a91e1a8d44c72bb76179e1dbf7d4d5eb3be83ffe1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi
Filesize
3.0MB

MD5
9111482dfe4d7973282cd60c0104a41e

SHA1
ac46adb8485ae60e76d613b0e7cd0f3e8397e021

SHA256
9039bd88b117cbed846d8f5c16336480b1623fd646567367f26db33ca085a9ae

SHA512
772e5a743687b768583fb20772c914c36cf2c8f9ae14f4720ce19231ab8ab3eb7a0819282fde3e7ce0a2e7e3beac9d87e49f986f8f0ae16e6b7f139392aa57a5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo
Filesize
609KB

MD5
4eee733fef1b05a92447574f0fdb098e

SHA1
3b526a096063325f346508ff55bd58a6951d26c2

SHA256
b6e11db07f47c6afa7198029e82103d29e164fa29be5e1137ff52fcde1a08ed0

SHA512
af2b003df69af746cb2f6db2a39cfceb3e48c8d67856cf944d906bc2222bdb12c24b4f79ff3a457d8739d748c04483d4b3066ef42827e503a8096c1e631eda14

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo
Filesize
610KB

MD5
036a0f43a843ff4d03c73eb44dce9ae8

SHA1
acd30e3fa539673d992d76c4d3ef27d972717e32

SHA256
3a98ca2c16529776d4c5d7df3655dc4c7bb983f2225d649fb9541d19dd48eedc

SHA512
2a8db922d8824e9368ccb8a26767eb5e4f250c0664518302e44a7dd8a090498fc65ad623a8adc2fefb0b1dd980a014818bf5352882f0ffbc55e18c13eebab826

Download Submit
C:\odt\How_to_back_files.html
Filesize
5KB

MD5
a2fd608e7f5826df3b540305950cfd3d

SHA1
62ef4f9c052dca0523e85a0667043a02603d2bba

SHA256
e91c802342aa08c6abc72e1532d1613f27bfd6067ce04ddcab4f1bf051aadc3a

SHA512
bfb161bde0f99ecfefc783d7d24c158eb8f52bcd1690cd4cd4120c9dc606cfd7b271534000e0be790df4faa61f2d539520c3752a7c0987ac97a95ee5dd2c573f

Download Submit