phobos | b1968b4be3f82fc26b1e2decdcb8f532915aed847603aeeaf254722bdd411d26

Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

Analysis

max time kernel
625s
max time network
639s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
Size

56KB
MD5

891671a3dbedc9f31325acd29ec912bf
SHA1

9d0f4cb30fdf9cf55948306190e3f71a72cff9f0
SHA256

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5
SHA512

014488fad8ecfa5dd583d14e7084f4c9f6eb180aa3f06157546467f6b545a849a90afb04eff0f20cc7d11d1a04986e260ddcf6d97a09ab7798022640706fc6ee
SSDEEP

1536:CNeRBl5PT/rx1mzwRMSTdLpJ/VeHOR8ZJ+EJ:CQRrmzwR5JdeHG8ZJVJ

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1480 bcdedit.exe
1164 bcdedit.exe
Renames multiple (394) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1316 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4536 netsh.exe
3160 netsh.exe

pid	process
1480	bcdedit.exe
1164	bcdedit.exe

pid	process
1316	wbadmin.exe

pid	process
4536	netsh.exe
3160	netsh.exe

Drops startup file 1 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5 = "C:\\Users\\Admin\\AppData\\Local\\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe"	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5 = "C:\\Users\\Admin\\AppData\\Local\\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe"	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\desktop.ini	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

Drops file in Program Files directory 64 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Controls.Ribbon.resources.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-100.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF.png.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.f964b1d8.pri	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VRecMDL2.ttf	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationProvider.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-200.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxManifest.xml	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\PSGet.Resource.psd1	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\WindowsBase.resources.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv58.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\ReachFramework.resources.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PREVIEW.GIF	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnssui.dll.mui	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-200_contrast-white.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Net.Primitives.dll	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\PresentationUI.resources.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_id.json	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3676 vssadmin.exe

pid	process
3676	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

pid	process
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeBackupPrivilege	3848	wbengine.exe
Token: SeRestorePrivilege	3848	wbengine.exe
Token: SeSecurityPrivilege	3848	wbengine.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.execmd.execmd.exe

description	pid	process	target process
PID 3088 wrote to memory of 3704	3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe	cmd.exe
PID 3088 wrote to memory of 3704	3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe	cmd.exe
PID 3088 wrote to memory of 468	3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe	cmd.exe
PID 3088 wrote to memory of 468	3088	7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe	cmd.exe
PID 3704 wrote to memory of 4536	3704	cmd.exe	netsh.exe
PID 3704 wrote to memory of 4536	3704	cmd.exe	netsh.exe
PID 468 wrote to memory of 3676	468	cmd.exe	vssadmin.exe
PID 468 wrote to memory of 3676	468	cmd.exe	vssadmin.exe
PID 3704 wrote to memory of 3160	3704	cmd.exe	netsh.exe
PID 3704 wrote to memory of 3160	3704	cmd.exe	netsh.exe
PID 468 wrote to memory of 1852	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 1852	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 1480	468	cmd.exe	bcdedit.exe
PID 468 wrote to memory of 1480	468	cmd.exe	bcdedit.exe
PID 468 wrote to memory of 1164	468	cmd.exe	bcdedit.exe
PID 468 wrote to memory of 1164	468	cmd.exe	bcdedit.exe
PID 468 wrote to memory of 1316	468	cmd.exe	wbadmin.exe
PID 468 wrote to memory of 1316	468	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
"C:\Users\Admin\AppData\Local\Temp\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
"C:\Users\Admin\AppData\Local\Temp\7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe"
2⤵
PID:2576

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3676

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1480

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1164

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1316

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:4536

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
Filesize
1KB

MD5
eedd2d13e3671d589714446755b78b38

SHA1
2fdd23507187a259f5a7edb01611a37b6b09f4da

SHA256
467082e15a8ddefd51088e12a6189f9923dadfdf363ac1b0448ec43dc483cb3d

SHA512
ef47a62ce6ffb0c5b34b2c6d72f5874dbad4109b98aaa21f56b8b2d83471f5ebf983f6dfd889399abe4fead6296cf2ca3f409a4aa4badad8cc3c48f688323837

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg
Filesize
1KB

MD5
b651e9101be833e87337050028831efd

SHA1
ee594ba38a6324369ffc7b4dc89407d3436e34d9

SHA256
4717e5fb82c0ee85a7c97d022f410990a62efa2492070e42385cfeab67afd619

SHA512
3552858c2a688c95a76c0bb8a6a76b119b744b2e8ae7e7f30135ccd8a145318762faa52c1783a639fb179056317caeaed20c15f211db1d45bc957bc3ce591aef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg
Filesize
1KB

MD5
3f16cc51cf788a50e6cc1ae60897bbf7

SHA1
e5a8c8f5227ca6da79589192892e81b6a3f43686

SHA256
30f1d12f90b61f22130b22667f722aeca0aadd59ba3e19d866d72a99a3f0ce3d

SHA512
17686bb9e01aa108b9b62b33bb70bb8aa35e4d88199281aaacbc8d8da7d54f1f353bf31a109dc22a4e404780ece4cb3d23f0ec81f80e9553ef060011e568134c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
Filesize
1KB

MD5
1bf37c0336c12ccaa1c62386acacc858

SHA1
f1e187c79588e4e9fce931997443d7e5cafd1db6

SHA256
a9044f3c6877f4fa6789bd90f11813a22696bda53e0be17bf52229b70fa87673

SHA512
f75100874b1dd43c49f54a9aa4621e8bd1efa84359ce44ece2444b639c7bcbddf6564f6c4be089f5d656550c7293b9f5ec4a4b20880939fbeb5ebc21e30866b1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg
Filesize
547B

MD5
81cfb9735fea15ca8791a3c34a78d992

SHA1
9b4962166a47f5edc62e5fe3c4f8772446db9296

SHA256
3d89171c24a889bce28f04adb60f08a141584b7c345b158536a72a8070c252b8

SHA512
f6ac853f4012ddcb29e5079ec00bf058343af1a6d6cedbc9613056db0575c77e964b0864c9693a6e02a525d5e13ccc54e0e7fd938ea39c3d2c6005db959b346a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg
Filesize
642B

MD5
55215e8f92d35f26cca06fa9d5d221e9

SHA1
994838c8df5921e3828749a7703ebfa8383e43b6

SHA256
e94ac27227c8a25c3f8ede219fd80ace01e7176a12111125b31ae1dcddd487ae

SHA512
7972d3fb8c305a1b41f3ec4a618c9904c1e655fc757f1dc83f9d9041433f3c30e6708ed3d4fb3166cc41d9773df3f159aa44333f76fdde28f317676046bc9c67

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg
Filesize
552B

MD5
2807924fc18c958c38a7004a5dbd4091

SHA1
85534040543c3306284e6a475999c46249a35e4b

SHA256
0345bffb28f80f4d0ded1a2af09a337b18ab3a80c68205bc8321a6ad4d409500

SHA512
264d29c6b920b3005ebda1fdb0e0ee6e17059c69d63969c61ea4b5c5464022166ccc04b2c1f69b91052c3e3dd551a087e8e5379d2a62c452184a12b278a8ac3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg
Filesize
711B

MD5
cd5d2472a2bf9ac7eb4e15146b30bd2f

SHA1
bca600423f99b87df44fde9d96ff874017037afe

SHA256
038589c0f8f0b9fbed7fe7835de0237de4a28ea404078955a78c0b8145fa323c

SHA512
dde83047b85cf0afd4ac77c9f4e850ebba48a1e1d581ed78c30733f58a9d5e2e22d34a2b2e57e4527f3c314f84922c3aecd6366052d46e0d6157990ed888a27e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg
Filesize
783B

MD5
0498cfb8aae1383c049e8ccdd85f3abf

SHA1
c5fbfcc70b441e91a5ecd23295c745aaf076aa4d

SHA256
ad125b854735c81b5782a65b5b006c7c991e28688b6dd8e5998f432976b9223c

SHA512
113f19bf726f79473ae2b4406a76676ec0bc4709a26f374aaa3bbd9d0b5790ee4fdd8ebe1a3ab68995973923ae33df7c1c6798e93bf060643c14acfabd4e9302

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg
Filesize
979B

MD5
30c9bd1aee3794fd46bc99fc2a359212

SHA1
9817640da0b98babc461d277a39b323dc9a76cd3

SHA256
4b10fc416763ad7b65a6d6fb3c0016505ec5aaa7a117021a26e4dd6d11fe7d1d

SHA512
bae367b7555f5f7f677abbad1dd548225c2580ffe21bcae5022f8eecf8c97cfe8f7813fd86c31a7f9052c174610ae9d2ae21ac22b381701975492e2386f67f94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
Filesize
56B

MD5
e3c4dd21a9171fd39d208efa09bf7883

SHA1
9438e360f578e12c0e0e8ed28e2c125c1cefee16

SHA256
d4817aa5497628e7c77e6b606107042bbba3130888c5f47a375e6179be789fbb

SHA512
2146aa8ab60c48acff43ae8c33c5da4c2586f20a39f8f1308aefb6f833b758ad7158bd5e9a386e45feba446f33855d393857b557fe8ba6fe52364e7a7af3be9b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js
Filesize
3KB

MD5
0d3a12fd3f68decc694da04b57e61d8c

SHA1
f73d4d591f6ef0b2b04fc90d2e840329f7590743

SHA256
ee0352f75df1009fa6f5eaf323a1ed55c127cc679ac6b9de70b1b3f8dc9ece76

SHA512
2c58a879d4022b441056c85c301ce26401da5f7bc9619debd35fa3bd98b5f1cab8f21e2ae5a177865c64e741dae18f39f99fac1cf00c468ba0e281037d5e883c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js
Filesize
1KB

MD5
68b6f0644d50595a97c9fd60b8d8e697

SHA1
a4d0edf9264ce1922dc419c7f3b3cedb2814bea7

SHA256
bf9b3f1f9a3a163d41b1b20a2c410355e6ee72ae97725a7bad97ad23993b0b5f

SHA512
d1a26cc27c302f06419abf97507c0a4d06729aeadab615acaaac0c3fcec6d7715e10642121a4d773ad3d5f613030728e49fb3d07303fad05f7a342352ebad003

Download Submit
C:\Program Files\7-Zip\7z.dll.id[99FDFE8F-3351].[masterfix@tuta.io].unknown
Filesize
2.5MB

MD5
e0d6d9e900d722549a08d5992d12cc33

SHA1
5d473cb4240e618422ffb5edf2c5cfff0a19d08d

SHA256
deb56ac9f86d663119375fee8cb2817c45e0c6404365a6924227cebeabb44164

SHA512
34e059fde6f3a717c82f3f3d8648802b5d7a510e245e876a242897dacda26897ec92ad26efbb29406fdd5d86fc2d5b008d594b21a3db553b5828ae3f7786fa74

Download Submit
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
Filesize
2KB

MD5
ddc4cb14453391bcb5f4d645b2916a6c

SHA1
c4738d174c90c285e17bf51a9218256f45f96ea7

SHA256
0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb

SHA512
34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
190B

MD5
c5b7a97bda04c48435a145f2d1f9bb42

SHA1
bd94219a79987af3e4d4ce45b07edc2230aaf655

SHA256
07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0

SHA512
7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
Filesize
153B

MD5
d13b5ffdeb538f15ee1d30f2788601d5

SHA1
8dc4da8e4efca07472b08b618bc059dcbfd03efa

SHA256
f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

SHA512
58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
Filesize
744B

MD5
809457c05fe696f5d34ac5ac8768cdd4

SHA1
a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9

SHA256
1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be

SHA512
cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
Filesize
113B

MD5
b9205d5c0a413e022f6c36d4bdfa0750

SHA1
f16acd929b52b77b7dad02dbceff25992f4ba95e

SHA256
951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a

SHA512
0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
Filesize
1KB

MD5
3be680b6a8edfdeed37bf5068a37dccd

SHA1
75bc261fc558634731e683e431e4a31c5b463107

SHA256
1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4

SHA512
a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit