infinitylock | cfa4daab47e6eb546323d4c976261aefba3947b4cce1a655dde9d9d6d725b527

Analysis

max time kernel
1166s
max time network
1171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Drops file in Program Files directory 64 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main.css.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ml.dll.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msvcp140.dll.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\te.pak.DATA.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\stable.identity_helper.exe.manifest.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kn.pak.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt_get.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_da.dll.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_fr.dll.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\plugin.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.schema.mfl.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter_18.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fi.pak.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_es-419.dll.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-default_32.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge.dll.sig.DATA.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\selector.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 1d63f1620069da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5B7C399D-DA8A-11EE-B49E-62D9003AE027} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{7CE7DCCA-17B3-4997-94B4-0BC635F274B5}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{66B069AF-DA8A-11EE-B49E-62D9003AE027} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 13 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A\ = "2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

1408 OpenWith.exe
3748 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

[email protected]svchost.exe

description pid process

Token: SeDebugPrivilege 2128 [email protected]
Token: SeManageVolumePrivilege 1252 svchost.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

4344 iexplore.exe
4344 iexplore.exe
4344 iexplore.exe
4344 iexplore.exe
3316 iexplore.exe
3316 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2128	[email protected]
Token: SeManageVolumePrivilege	1252	svchost.exe

pid	process
4344	iexplore.exe
4344	iexplore.exe
4344	iexplore.exe
4344	iexplore.exe
3316	iexplore.exe
3316	iexplore.exe

Suspicious use of SetWindowsHookEx 55 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
1408	OpenWith.exe
3316	OpenWith.exe
3316	OpenWith.exe
3316	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
4344	iexplore.exe
4344	iexplore.exe
3132	IEXPLORE.EXE
3132	IEXPLORE.EXE
4344	iexplore.exe
4344	iexplore.exe
3560	IEXPLORE.EXE
3560	IEXPLORE.EXE
3316	iexplore.exe
3316	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

OpenWith.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3748 wrote to memory of 4344	3748	OpenWith.exe	iexplore.exe
PID 3748 wrote to memory of 4344	3748	OpenWith.exe	iexplore.exe
PID 4344 wrote to memory of 3132	4344	iexplore.exe	IEXPLORE.EXE
PID 4344 wrote to memory of 3132	4344	iexplore.exe	IEXPLORE.EXE
PID 4344 wrote to memory of 3132	4344	iexplore.exe	IEXPLORE.EXE
PID 4344 wrote to memory of 3956	4344	iexplore.exe	iexplore.exe
PID 4344 wrote to memory of 3956	4344	iexplore.exe	iexplore.exe
PID 4344 wrote to memory of 3560	4344	iexplore.exe	IEXPLORE.EXE
PID 4344 wrote to memory of 3560	4344	iexplore.exe	IEXPLORE.EXE
PID 4344 wrote to memory of 3560	4344	iexplore.exe	IEXPLORE.EXE
PID 3316 wrote to memory of 1856	3316	iexplore.exe	IEXPLORE.EXE
PID 3316 wrote to memory of 1856	3316	iexplore.exe	IEXPLORE.EXE
PID 3316 wrote to memory of 1856	3316	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SuspendSync.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4344 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SuspendSync.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
3⤵
- Modifies Internet Explorer settings
PID:3956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4344 CREDAT:17414 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PublishCopy.mpg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3316 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
16B

MD5
1b864e565a468a3434c22d7c1af1fd70

SHA1
be114e2dfacbc607c13b65a742a3c6c462c4c9a2

SHA256
ca53bf4901105a83892903a136dd76f06320548995182882163b4ab5c36d0d51

SHA512
4ab029aea243939868d579b7096112686af60a5d29b910ecbe87b1be7bcceee49fc170e80d6967e82647c23a4f6258af9493cc50ccaacc94c8a1a2ad7a35a6da

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
720B

MD5
dcfeb14f5f664efdfb2b762e0acfe528

SHA1
7250d1787eee71b111e44e067536a47bc53d825a

SHA256
6ae7779d6b18a63d0d65374a0251b7c5f43a6bbb969a190c506f1815a95ae3a9

SHA512
5fdbd55148e1c519f59a5382ec119826ec8ec4f847052068f8db835bd4a7a6ae756feae3a40ea0c1a0c194c645730a419c4dd612584251a9d1ff1ef717a92af7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
688B

MD5
8faac6eb6f2d72a0436c239b238f528d

SHA1
4e6de4edd508796a721598e835deb02b2b8829c8

SHA256
4d0e0c93a0061479de12f013451fda930e7e18a20a2fa211480ced395ffbaa01

SHA512
57fad5040d1201e1e74cf7acbdbd9d3cd8c8afda120895354cbdca61bf9da1af305342ff318850079e9fcf698e97d7399fe9de4083ffa0ca3a886e5276a1af43

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
1KB

MD5
653a6808144d6a55ff5177bd7fab37fc

SHA1
a8c4e04101d43284a947cdd68e9ea1438187f43b

SHA256
cfd0cd02dfb3c4528fc612ccab5afa3fcca708443478e400cc88eaec0d66552e

SHA512
55a9f2411b440c2d334c2037cde3defcbaeb461126df6f8f7d9fab6cfc4c08859c4bbfd266dfff18dec7375ac31e1a49e752f191b5d8ca6df3b93c360c7465b3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
448B

MD5
cfdd27a8c7783702b50719f914e9d8b3

SHA1
513bda3e13fedeb1bc7b9ab081b8b6386b5db179

SHA256
647280a22a2b85d101907f2a0d4b4c02596cc41ce0c853d8d670dfee22bc7f61

SHA512
cef2ef5725ab8fdd9c6434552f449008c55899d5a81132ff17156cc0cc468eb52d238cc517e70cca86f381867eda805a61f861df131423748c2fe8b66d4c285b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
624B

MD5
67048f8d604a79a3b0c8b0b1d54fbfcd

SHA1
1041b7cc8c2d3720a04e428df3c53ac84a70a0e4

SHA256
a9a4fad8347965dc1fd9257e179ebc69940d46c9dbf2b4fb1a25b7bba93af789

SHA512
166072c94b95ba73e238f558991cda58aa97d0a5f37e3d9b6090e318d53af789f4a13f246619e99b990583b17f6b97aafeb2fd1ef90d4dbc708217606fd0d768

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
400B

MD5
919d2483e223b2b5d4548eebb621bb67

SHA1
0264e9d235b0a9a745d1c0e5c0286fb5fd292e00

SHA256
9f4fd048ed17c41a3d29473eda119b4f073cd432fe59f90dce78bdfe394aa83b

SHA512
294eaf00c776c98af673721836f1bb2314b5a5f4619be6fb1b60205e6b8ca61d4c531e9a533372280e58d6915ac045bbe7476bb5e7e8a9c3e11aef832db51705

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
560B

MD5
a087d506112610d5c07641f2751f16aa

SHA1
3062743ddd55a59988bed44ffd05242602b30ee1

SHA256
326f477e97ac1b725c2c9c61caa775295e84e25f08a2ebaa1d55b667db30190b

SHA512
b803eb6bcab1cb98d2ccadeb352b5ea8e8e6f3a23c286602e35b10e10127f189698c06809615c15e8d2ee172c90804430d49a37665db9a220c2b3f8e46df464c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
400B

MD5
fa12904c505c29d5f5bd70bf2e917e60

SHA1
28078145123fd251fa6191e5c53e58a6723eb750

SHA256
b9c884c865b0d7ccd06c46a6ef72d877a1700d122741c88e2d17e28531595c8d

SHA512
d2f59349d36cc6cc0e9979e190e7a0d2d7db47de559ea923de69874c32499d9ec63ecba3c1ed87b43adde7eaaf12e20175c1ddf95f549e6d3c1136e5ee0a0d98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
560B

MD5
fe57fbd9a494a8455b81f702151cec4b

SHA1
67ed900ee466d7b21b197094c3b45e652f105f9b

SHA256
aeeead5624962346573313e40a9afeff78602d304858f5da3ab01e1b1ac9fb33

SHA512
96eec70339968df9c9f67e4dd320edd04b2c9a3a1b7e4365b736b41f663a434dcaa16e8d49b879c74a8e0ab861cdd2224454c0afbe596b2b51f6bf0910351dcb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
400B

MD5
9003961c3c38ef1684ef269b2dc9436d

SHA1
ad0f409acc71e919390c60c6c86a1ca5d998adc0

SHA256
3ede826c9a8dab058d55bc659ecc60220e84653ebab5d6748a70a2f640047d7d

SHA512
d05ea8a26a1af1cc46cedb1ee06880b38fb312846132234f12c4f9dd71e981aa897eec57401a823575258c0efa3e246b9ff017beb99f58a6c2f3ca03f8e48558

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
560B

MD5
c398f8637826ba865b31d6670a17cb92

SHA1
b4e2be28ca85e101eabcdf7d71982f56176a6b7c

SHA256
351dbb3c4243dc8f139d44c7e20af5f14c4346d707c58f3a9b88b0c3961eba04

SHA512
7f0d82df2bfa1595e0088f49fce5d78ca2117bae441affd9592f4dba203fe3422a4299a2b3dda3b2f30aa19458d4e90e6520bfd053bd1d9a178a75b646ac54f4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
7KB

MD5
56fd5df88bfd6e9ac528ad7b1470cb00

SHA1
c8cd90e04aa8a062dc4d1f1211b5c0f2a4ee1ff8

SHA256
f4c9f6cab056854a63557057c97a8e5b2b627925e02ff4292ddb018c8602abb0

SHA512
d8e84ddd632d361de0f2c9e238b2a359e2fe806091a68d9344dbebcc1b30bb4e960b9c1fec56f7a04f5fad8e473bfa616353a67893cb584871273fb3e127dc3c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
7KB

MD5
b2c06bc6a3d59f043db3a7204d4b8cdc

SHA1
b06737393641b0f418e69a88020fef7b44ca542a

SHA256
0a7e4a6bf3459f39105f271146321b5af53db287a1e0ed84304885e0ffe84276

SHA512
4b209f021fbca9074dd78db5da725563bd6ade075aa85f5a1e5ab7e822aa1d525085ec7a6f2c61669e869aa5043e14f5507cc0b080766c73fbe774cde727b16f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
15KB

MD5
3c3ca69a40a4bba2ff5f9672eb66c43a

SHA1
38159a9953fca21fc40432a78ecf53ace251edff

SHA256
0ceab27c9a54c554cddb6ba7d672712927145b2491f6316fd81cc353c57f39fa

SHA512
2f5467ab3c872c2ea33b0677803ab53b360bd381c6b04649803a9a7a92e274fdefc60ca57a1d07aa5e3c5bc51002f77cd4ad49e0df5751ad4ed1a45837e39554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
8KB

MD5
59d2f14359441f9968c2f93743f2fee0

SHA1
cdcbe78b88caa2446b7708b8f9e7952100b63bbe

SHA256
eac1349c0d49088aef714f93d74737e93fb77727b84d3e3e9d9ff0aae5d33156

SHA512
ea97c48f83e35a39f65420fe20c8e5eeb9417976ce83673c5d40c7fee9c16319f67ff50f3ca4688609613d7958f3918dc7ce32fbce6ee120a32bdb607dae135e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
17KB

MD5
a87433ce825e68dffe7e992e4deb02b5

SHA1
6855d86aae8acf852ed5c071351b45aaf29741f1

SHA256
d345962b8c08cfca6b0f405e678d8d1de23c2a599f5a4b395d0987cf34ee0e6e

SHA512
af09286d71c7c58961958586df0b085bf059d9da440a84daf63268f81642a3a205e4fcd3b561775862c5cc2dfef5e808f2fad0b57c3065e1779f1aa0bd5f755d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
192B

MD5
34eebee2ccb5d740a1c351a388814564

SHA1
86ec5edd1a225821296a13e3a2cf3019a7a5e1bf

SHA256
d1e8b5aa125d18a99f99a52402c4d878556713615fd8e0fd77bb1213f04b47df

SHA512
97271dda322e06407be70f4ca98d3ff1a63feeb3139495738c358c427f49d35a193536740b161d1e107371726d61685721b157dc8053a80a20f93f772f8adf31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
704B

MD5
a9f983b97f594c204a985ace2f37a804

SHA1
e916c4669b7bd66394c8f77ea78c8a3d728d0982

SHA256
e402d87e97f7cc607d91fa02e753a38a1c4eda131e9d487796ee577738edb558

SHA512
1bb68b1b9904e4f4c7fe54ae71f4ca4fbdfe856d501b3242a858ee6f7084c440c41dcae307b567e3d2a0d62e71e5fb985e13500f793fbf45b1e11320d96fe922

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
8KB

MD5
5ed226465b2197205422ef195580c634

SHA1
d9f7d90e77549fc87ead7daefe0c285139dbd855

SHA256
af8edb9b2a791cc7c57786f1c157ad9d772fcbc8b5c54411fc2a480d29eefb04

SHA512
40522dc83918a6180fb2d74431054a6ac7ffbb95f86b0c63eaab215c72dccd5f495df7f557c304e6d601abc9d1657da259e7c4b242f8ddc926f661d2e51db112

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
19KB

MD5
ef6bdadf675ac986491499a4c1e244e0

SHA1
8a565d3519665ec39027cf8c224a7be7c0b55dfc

SHA256
00bf3cacf8c6994d091864879b84f1c4b40d9db23cc10602bcced45174be8556

SHA512
8de580b9b83ce44bd88a96b4eaa573dd82a2dce71d2311a835bdfebaa326a4c942c98c3ab9e8dbd2d504337791fa69624823d9e2cbb0977e4b5e5b44e04b419a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
832B

MD5
7f15eb6648619251d4ee9c87c7bde7a8

SHA1
ae7742a278007ac3214dd45c4d144a34895560a0

SHA256
31f70abf7a833bb01a88d6ffdff4daf8cca0afdb0a6c186fbf23c59c65c46853

SHA512
8726f2e67becbaadc045afdcea15dfbddbdf65b6d262c2513b8725c7f21249ac039928ef7754eecc06c9934ea3e9a8e2eacd63777f866eb85ee0928bc442c92a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
1KB

MD5
736d2d285233156c702dc19ef0c876a7

SHA1
eaf963024745e79c1141843c42c4016dc24c9636

SHA256
e7694304272f9ff1b279d0841de11be008564f8eba1618cbe6dade530804ece8

SHA512
294abc693cec25973de3c9899aa71b76f043610741e35d1c62c0cb9a4c6504b2367100bbd55d576d885deee63b9513244124e6422882dee25ccd34ca14f730a7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
1KB

MD5
01acbbb441ba8dce46642fff45f6a7ae

SHA1
19de0e30b809ffde100bc2da1b2a8ba9ef35b952

SHA256
0a90fa6cb8c686dc8ce5d1d2899b72cd0b02d4fe0eaf394708903d7469bb1dd0

SHA512
5d4211217ecd19b21997f34fd9ec0d01ecbbb83fc0723075dd2a86c609b0ed3095f49ebd4f6b392e25f113a5d571c27359b97620b67b60731646325c78c4610a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
816B

MD5
6759f3ac49d7532c4e7860eef6d62739

SHA1
7252c0c06e50d213a849484c874f6ac0e6142194

SHA256
aefbb258f2593cc144f1464dc2169c6c80f823c1af931f25df0a5efea1d0058e

SHA512
7b3c8f0a84bd2784b33640bbdccee5e15c92c8785be830d178875b54dd0eb5cfd79e803ef03b1ceb21b9d221ec7eb66d28750f069e764013cb3bd92eae3f180b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
2KB

MD5
69aef093aeb1d4f37d9bd9df4238f62c

SHA1
10c4b989c69e5504a6f91e916b7aa94be9122746

SHA256
f91b32ff7d7474d412f54dd3abe0e6d6c674f446ec0a1d2ecfb31e0ad1d136ca

SHA512
c5887a11d3e95ddf38baa4852180742ebb4ac923f0bce9dc485d113a4deeea0d3905c14d1f2d03f0a53658fd927daed7c92fda4078b09f3edbb1a8de756e8bef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
2KB

MD5
32eeb2240aaf111a36e6873507570ac7

SHA1
633411e088880cd7872ccdeaa0a0907076202cd0

SHA256
61b70f811539259d0dfa4ac328764e98dfaae8c6ef8ba11db58428125af65d61

SHA512
869f04a9f96423e3061bf0bb1715ea8e660095686201822704203182d9288aefc15136eab0923abc227b67a2787409e6602ef026e9e7d19a75a96d78be3cc470

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
4KB

MD5
d5458a96ab2fb6c4a97bb66c046a4857

SHA1
ec10cdd8beede8e4d152de1bf29fc2d104a77bd5

SHA256
d1871ec8510513d5f2a5bab5041d210f048440a961da0aef218072d5c4b3a165

SHA512
5f074783ebef6b9de9b0aa5944228ec1d4fb82cbc0d8e777682339d6b6bef89c1423c24c27d905adbc67c741f3d4d20fc9d22de3bc59c56e0634bbec29af5c5d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
304B

MD5
c4bee80dacf75a409e5f94e031f6c32d

SHA1
1d67a64ea50de4c8a2f24e4014b11edd1dccd489

SHA256
a3db0b15e84686d5c2b1b086737417dc9cd8790854f5976a85c40ecad5c3abe5

SHA512
77c887a439e00612675c9d1aafa9e0909bebb74be3e2c6cdd59902dd2b43ec606e5c48cb8575d9be0443a6ff440d88d8206e195c01091c5e4940cc5e1b6eada1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
400B

MD5
1ea3ca8ea76798b1c85872e9dbd36d28

SHA1
8399d8ea6a3e21fb0cc63eff0fa4d3b9165a409d

SHA256
67af0c28ea4b49230e7204fe5b8f543ef0bc62f48c580ccc2bdb8e88c1d417b4

SHA512
6614c53d5384c47fc4f4c6630b627b0c3655e2cb40918fc979a5a84a56c2575b20c8155c6b786ad18cbc5ac36e49f6d41550b7d95cf558a0776db45b09536363

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
1008B

MD5
8324388e65b36583e6c5ccce6d57084a

SHA1
cc54fa98fbcfc648f9b0d0e1820fdfb96b1e0f31

SHA256
cf920e85f9b2bfa75cc8a9de473012dace765dbae27071a290122eafc8d5017c

SHA512
216363656b55a402aa985cc8b154d2e19de0ad49328bc5740339154ddab9e51d9bdd7b06471f213420f817512a5970e9a011e0864764b00394f789c1350eae1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
1KB

MD5
60374e2ffe0f41a059b873e8f680f8a3

SHA1
56c283422e89c723624f9476614bf2d06362c1ed

SHA256
10bbebe32328bf6bfc57c982f2d44a0792ebf8bf51ae8bffe98eca1927243e5a

SHA512
a7823399c3c1a8adea00cbb202bf30fb9da2f123f5cc7bd579d7e9da16fb87709ab9dee95d15723e356f6dd3551c21abaf35ace50301a0dc6f409e9d0d3450e7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
2KB

MD5
fda8946f4bee729fdfd765b93bdb7e62

SHA1
72b63c78ae96d29954a0c0309efdf80981de8e00

SHA256
535c01c4be038d1a644f55503234e4246a15e274d89f593560177bec9f38a91b

SHA512
a38e287ea3e4dbd93009d6f8d8f36e26986f3cd0c44ed4c385b75adeaad3cbd1c59358a62c432dae8ac552b97243358536a1c7add8d20a7061c87574bf94bf42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
848B

MD5
b9335bc19c134abc1a0630824c826f13

SHA1
df572bb0fbdd20f1c3b129c8b7c20ccb62aa9072

SHA256
fc975221a29dfe30bd93a98b3b94f45e3ff814b8a2f61bc3cabc7f80b7e0ea5d

SHA512
303ed266c83b4061baa54424239c6907436c643ab7a539a95a2c603c01228a5d74834af1ebcd10d451324407998ca6de34b58dd27ac9ad6ff3b188f560d7aebb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
32KB

MD5
a769d8f5b4a31381624e18a60cd5a43c

SHA1
9f593a1016053f89a507ed6f8c9554ad218d8bbf

SHA256
9f575de890b0d2f15aebb0260b464692a301495ebe8eb56f7337628d36c75f4e

SHA512
6436c7d78fd253e0eb9a1413c6bccdd1728d5ada6ebdbc2e6b61c268f87c844e12b34c0764ae08fccccda0dcba3b2f708b8a83019c9b6b8027b9e96ff3bcea58

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
8c5b675619edccc8beedf38fffef5f93

SHA1
4a595c567b1d95db5e4a2c7095772d05fa3f2dd6

SHA256
022e827204d111f24fc02e2578ecc4b332ff48416341a1472141ab4da72d2a20

SHA512
f90e1e924a70889fba0061bdc14e2a94259b086365ef431395198438cb4e789720c880c514661f22bc2db951fca5830d5a50edf12379b04bbc89b1ab0d8f6772

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4E7BA2C1479C1AE6.TMP
Filesize
16KB

MD5
f472afe10546067ffd27245fa1e6c02d

SHA1
e7446231407c5b554da672187c65050af27af4a4

SHA256
18d729f265427f24ce496498ddb1862d9aeecaff82520381c1e70c30fc4b3784

SHA512
dd9d7bbc39a8a96a29ad2b8fba72d6a53ab24160eea9fa04bfb1c77214e0f16d2a5c2f70efd88cd75de93472f662528385d98dec6949ea0f13d72c606c41245a

Download Submit
C:\Users\Admin\Desktop\PublishCopy.mpg.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
461KB

MD5
7eeab61d9c68c2ea785ee81be413a87d

SHA1
9fe28a05d5a8dcc7991522fbc6eb44fc9f8771a6

SHA256
92984156a49d363d3c7f4cf13a28cfa8ba80cf8c800d7dfc47fcda537bc18d73

SHA512
4adabf72ac09b1c16e2d73608b6a4f2b83c3c5669883eb9c3381b8487d564a3bb072b8cb90feb6d6944563eb9be8572f4f239076582b4e1fca8b076e2c1426cd

Download Submit
C:\Users\Admin\Desktop\SuspendSync.gif.2F59277A1801A98658736DA6434CF619095439027750756FBFE718311E2D7C6A
Filesize
347KB

MD5
44a0f261e447f6d4b348845c4e8dd603

SHA1
f3debbb779d23db2b4ea0a40d40107eb0ce2d172

SHA256
002184418b9c4f09b3e6bb0ef502de5ab8003aeabd40d38ea7b651f5ac08827f

SHA512
ecee48660b80b6bb4d25430bf7e05726b8c748311d9c361e315c7f6bf07ca83b2e6e1b05f828c2491e831f35f87c8c0fc6bfb3a14a6f5bbcd1b89b29427557d6

Download Submit
memory/1252-3499-0x0000019939720000-0x0000019939721000-memory.dmp

Filesize
4KB

Download
memory/1252-3500-0x0000019939710000-0x0000019939711000-memory.dmp

Filesize
4KB

Download
memory/1252-3524-0x0000019939970000-0x0000019939971000-memory.dmp

Filesize
4KB

Download
memory/1252-3491-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3490-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3492-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3522-0x0000019939860000-0x0000019939861000-memory.dmp

Filesize
4KB

Download
memory/1252-3520-0x0000019939850000-0x0000019939851000-memory.dmp

Filesize
4KB

Download
memory/1252-3508-0x0000019939650000-0x0000019939651000-memory.dmp

Filesize
4KB

Download
memory/1252-3505-0x0000019939710000-0x0000019939711000-memory.dmp

Filesize
4KB

Download
memory/1252-3502-0x0000019939720000-0x0000019939721000-memory.dmp

Filesize
4KB

Download
memory/1252-3496-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3456-0x0000019931440000-0x0000019931450000-memory.dmp

Filesize
64KB

Download
memory/1252-3472-0x0000019931540000-0x0000019931550000-memory.dmp

Filesize
64KB

Download
memory/1252-3488-0x0000019939AD0000-0x0000019939AD1000-memory.dmp

Filesize
4KB

Download
memory/1252-3489-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3523-0x0000019939860000-0x0000019939861000-memory.dmp

Filesize
4KB

Download
memory/1252-3498-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3497-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3493-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3494-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/1252-3495-0x0000019939B00000-0x0000019939B01000-memory.dmp

Filesize
4KB

Download
memory/2128-4-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2128-6-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/2128-3-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/2128-1-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2128-1409-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2128-0-0x0000000000470000-0x00000000004AC000-memory.dmp

Filesize
240KB

Download
memory/2128-2-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/2128-3438-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2128-7-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/2128-3437-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2128-3436-0x0000000000DE0000-0x0000000000E46000-memory.dmp

Filesize
408KB

Download
memory/2128-5-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2128-1688-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download