akira | 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

Resubmissions

20-06-2024 08:48

240620-kqs3fasgrl 10

24-02-2024 08:34

240224-kgll1afd31 10

Analysis

max time kernel
52s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
Size

573KB
MD5

2cda932f5a9dafb0a328d0f9788bd89c
SHA1

e27521c7158c6af3aa58f78fcbed64b17c946f70
SHA256

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2
SHA512

3bcaf2bda26b22b67edcdd5ca357c8e0b7124788dd905c7bf6cacce080ae3f24bd09e1e9260a3ebf3d4d62ea749f7a8b965193a2ebf6db85a563735874511880
SSDEEP

12288:BV0qnXKTH2P6rxTcQpXDHgswvodgTAdA:BV0EMm6rxTcQjos

Score

10^/10

akira execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\help-you.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code 1482-AF-KRHS-EFGF to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4644	powershell.exe	83

Renames multiple (7599) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
1852	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-100.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\ui-strings.js	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreRating\StoreRatingRules.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\CottonCandy.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxMetadata\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightMail_2017-09.gif	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-125.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Fingerprinting.DATA	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashWideTile.scale-100_contrast-white.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalMedTile.scale-100.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_01.jpg	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-150.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-36_altform-unplated.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-black.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36_altform-unplated.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\MSFT_PackageManagement.strings.psd1	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xsl	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-32.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_nopic.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1852	powershell.exe
1852	powershell.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
116	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeBackupPrivilege	4940	vssvc.exe
Token: SeRestorePrivilege	4940	vssvc.exe
Token: SeAuditPrivilege	4940	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
"C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.zhq

Filesize
1KB

MD5
84eb4788eac7677ccd357fb0d0fa37d6

SHA1
11eaafb77f0f73a1c840d612c327d2105cc81e79

SHA256
35a6e93900f1d94bd4d11205edb8e20b247dd8af32b9182b22eecd7ea4f4f5b6

SHA512
a1bba7b7bcb40ba82a1e8cd7d85ef090336f28a62d024ee8c32cd7898880a9faf96a6aafd5d4e9e38c8b6a010cc1d46718e50a9286df2f4a1053a2c51560e6c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.zhq

Filesize
1KB

MD5
316553035ba704b8dd6716ba84d6c385

SHA1
0d1e6e4982fc150e004e4af4754ea03e4fe925c0

SHA256
f0bcbb6b7edfc19537faab9774567cb9f0ba382e1d902ca561b55dbb0754656a

SHA512
58a4b59d3f19922a382bfade813d95c7f65a0011e5b6e52dfc9e63ee3c43024f4a2fb22ed11a3433c323d7a2c72b2e08c02fea5e994263dba25a3998dd181c54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.zhq

Filesize
1KB

MD5
9381e979577894c73f88ca3a360a2fb8

SHA1
ebefec1483d8c9628200845408cd9f687871795b

SHA256
327212b6ba92ced9f64b6294b117bd1064112c2eb380d0d4bf76715fd7e03539

SHA512
1d232094a57d6aab7e9699147def58c885c43b692cba691dca97a536cf4abb2fec2be50869be063e3cc21eca60f341bb111648a352684bc9a37dd3f28b427fc8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.zhq

Filesize
979B

MD5
6b2c5e4de8579313f29ed45ba809199f

SHA1
aa6b900b7a5912d1032e053aa502e4d8a13df6a3

SHA256
2cb35f1f28427ea9c839a4ada1271628eaa28e61834bf6551e1b17dfba846cb1

SHA512
cd23a39a1ca5c45446c6fc601d60357ca41c3807a436b35779ec4c7d8c1aad4af73d9c50ee31170722c337027dec1527f500dee23902dc3d7cc5c5343a627aee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.zhq

Filesize
1KB

MD5
8421a275f1ebfd254abc80abf020eb9b

SHA1
0bfd944df18312883b69098b050c27c4ede5438d

SHA256
6cad996e27a098c411ef6c2d43a5c152c35d6b16b0c32365faca679c19b44eea

SHA512
cd7ff490a5f34d44fffd31c6e6fdd0ca73bb4569b8d8634e962dac8dd2656d2a24069ae37a9c590bc3ccc4d3f6bfd56cc99f9bf9813ff5896d0d0e5d8f77db9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.zhq

Filesize
922B

MD5
ce1603db4007fa29a92c19e4ece63726

SHA1
83df9abd843b2303cd2b6e83a17e8f38bd618732

SHA256
181e5589adcf376556cd5abad46d2b5fa15395897010d2e7b899a47a308d1618

SHA512
95822d7916d813aef80913c53651e003d419cf406ed3210b013fe5806c84b23dbb10a2342e5ccaaf2d2b342df39e81a3574fd33696946499d3bfc8c0f0b39029

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.zhq

Filesize
1KB

MD5
f87f3b3a217d94bf195c3fd05693dd5f

SHA1
c11fda32854c7fe6f370f089bff60a12f5e09484

SHA256
ae9d94c924e328330885cfd6afe5854b71b15de7229b29ee13700291bca57515

SHA512
20a1ba907c6135a1751814cb970a3f658168d0d83d6293cd1925040593617e20b2fa4cb2272336a9d12b888c84cafd82a5f8c7b60c66bdc866ab1e8de26786a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.zhq

Filesize
922B

MD5
a80f3219fc47788500bfeb06d9293490

SHA1
634a34e143571496a8c9f4360272d23948b2fd6f

SHA256
d46c448b8e8355da8738b516624d320720880505e2e94f1dc688208a46d755c0

SHA512
10af854a48f46a8d644d689a59237f68de191ed8695f7a8a74c39fbfead9e9e4141b4c5e3c1615ea175872fc3acf1c47ee9dc89873e3ee4aa478b703b44a81bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.zhq

Filesize
1KB

MD5
1462593885e88c9a5b59b78041880ad9

SHA1
9e3a4fb2f120c609d6d654b730113204685c0317

SHA256
8a21dbe0b9b7a4cde3ce21d310e6e3e01ebd8710fbf5becaa72aaaccaeeaca4e

SHA512
251f71f608d52dfebd7f8b811302423119341496737280c83294222ccd5af95f9cbaa122339765aadbac720844af5296e0ae9de59d4cd46045b2fdaf36bf3977

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.zhq

Filesize
922B

MD5
d3a50f2287b70277bc8447d61595a7f0

SHA1
b3f2401f3ab305e0300647eab9ca0eeb75afc5cf

SHA256
9aced6f0ad0c64e921b55ed4d253079de621599bccbb873157a1b3c70bcbe52a

SHA512
f256fb0322e78410a0bfa8c3266bb57f535589b9e4939bdf5773ebe7ccbec55b35d2c5d6c53e87766a35921ffd3630a51fd15823e4ea57401029281280c0832a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.zhq

Filesize
1KB

MD5
ed511e09b41bc9881b5e6628123c36ec

SHA1
6b8db23ad28716673513e7b0d45b1417eb666c43

SHA256
ca2f2be6b5ea509a0e58f9dae403d06d55c4ceb6dea1c73c340968f82cf76efa

SHA512
ffa8ccdaa4e30a54ce926087bb512d70d3a8b2e03d868a7d107ffc62df5ecd311e2b25ba746e44adfd8adbb23435955edff8f4479e5be0325c523a8d84a624c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.zhq

Filesize
8KB

MD5
4128c6c103c638b4ebc7d85bb7d7bc71

SHA1
0f1ffcbd9ff8ef0d3246cceba37073a17eb4ca72

SHA256
7da3aabbc34b324b9673852e301f63906d5a057ce39d5a9ff5f40cf60b81b37a

SHA512
8a73165f4592be957a394bb1e8f89c6cb5ce55d8a24dbb61dd380c780824a22a248ff051b42654df4d77724df3ac4aa65dd37f4fb961eeada291d4b1e4e5c2fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.zhq

Filesize
8KB

MD5
9ed0eebc18b76661b8885800d91be9c1

SHA1
de7ca29eb6869cd9b0a6f27fcd69dada6318db96

SHA256
3b2cb892bd81a13e9c170b6b92997a02c159c5b32ac4f90effeac04bb0459c86

SHA512
72436f2ccc531680137fb2cf847728009e52911c0f005492f13d877d9d933ac4757c8ec1d861b0458f8fc1821ed70c9c5ea872ab8a3a73730859bee4140be849

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.zhq

Filesize
15KB

MD5
b2769f0a28afbe35161fb59698f7e6e4

SHA1
bbc8298c5c461bff1f7d3388b62b70d71a8d552d

SHA256
e615f1e0fdfe14dc54fb942346bde7f4e910cc28dbef5ea7643c549328568bf3

SHA512
f528ec8bc438b83ca389468ea45ac101394d84d6abd1d2884a6659f97add31ce54e5e78a852343e108d6207c462e51eb7f2cb2b7e557647d0be12c0437877246

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.zhq

Filesize
8KB

MD5
cdaa7cf0ad0dd69ef7870df84f69432f

SHA1
f95994ad99807de1a2219e0d37a93f4db3f99e97

SHA256
a55086178f280e5c75b80f16b5ff81cf0422f5bda186494e942fd520c43b5a1e

SHA512
0834822168119eb414def60ead5a41a963c2814fa993f3dfe77c441e3c6b76100fd9aba2754bb7499767060c5eae3d2b9af88f485467f68064025fc3884d61bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.zhq

Filesize
17KB

MD5
c6cab424ebcd9db347adb39ec0601f5d

SHA1
93231680f8056b4be269f48bf50392cff19920db

SHA256
21f5a9f858e3ba58dbbf181c1370d213599b69b8d101eea226c0a872db8d7d38

SHA512
617214123c384fb0bd59e9dbf410f7151f3f40911c4e298ba533794fa1a72ffc7cc64a18cebe7bc58a2c83be45e1bd20605a4f9022641561a777eb3ede0e7a7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.zhq

Filesize
713B

MD5
11b3b8b01b2e4ffaed8fe9cc43350773

SHA1
0ba5c63a0a5c8a7214e85e47532cd80e2ce1b78f

SHA256
b823df262f750646d54f4c98f92691bb4cb14e59a012e5eaf20142e568f955a1

SHA512
774eb328510a9bab575ab9e1a41aa5fd15481507d664452c2135e131661272f591b24a963a3951a3f2c30cc3eaa734c638c90513a1b1574fca280ef4aa1b6086

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.zhq

Filesize
1KB

MD5
61cab5265838ce43f1c8005d98acab1d

SHA1
481b8f935b790fddd6dd6c9873fb4771fd73f0d5

SHA256
86d6086f8b8cde75ae5653f894ece380ece3f33984f282ed24b0378eb4e41c29

SHA512
64388d5a98c45245edc4d391308a11d479c1407b983b4d3b826aedb0b6718e17068441ff89295cce7a3c9509e19134c6c9e7c9678f96f1121ed06ad7208ab70f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.zhq

Filesize
9KB

MD5
97e930ae438c38e6f9443154b2c29555

SHA1
163b6f2cc404440e41d8225eb10e321e70b685f0

SHA256
a6f61bb6c8e8a62075b10b429f7869cd1446e6ffd21ad549fdab9a60d6b2ab04

SHA512
2e621408ca1247cf6efcdb8e607fd182f7938ad50dbadfa7fd630b7d0a02c7071fb4b18035a54db005447f1611ab85e169e257e3dc1c08c84f52ca90a86ce603

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.zhq

Filesize
19KB

MD5
4c9dca97f01703350317133a8cd8360d

SHA1
f5e166a50cd1ebe013419055b5ff7a4e2ba23b03

SHA256
9a01c2ef6c78110c425a3e0e43224973e0f502debe54cdbb47323fb0dd1354f0

SHA512
e8c9e3cb4520729a4207d7118f9d07e97f92e4436ac5e4e01fcf41f98cacff522e49d70b7d8656f5e0b64505c7ccc6fc33cd697c1603ebb025b9b2e66015a1ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.zhq

Filesize
1KB

MD5
d36cecdee2a42a0e81d418760d63dcde

SHA1
18fed7c5b6cce9bde44c6c8aba3f5bd0cfc564c1

SHA256
f42f9d2e608577d78cb2848fea444bb2d29a35a7c349940e50b7e1b85c6bdbe0

SHA512
2ce35dedd9120fbabc0dc64c7280db6a034a5332e4af149599bcc65cbf9b8dbba8b476f0caa15f2a0d7b7f8d0323d44c57510483378d0ace372fcb763665fbbe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.zhq

Filesize
1KB

MD5
b397d6a0477e4b00f6c8de258ba2ffd5

SHA1
7a869ea5c8ae09736b8166b0a90b218fe64d27b6

SHA256
2cb765d96a034f1e580867c489d5e15e20e400499fa087148f58fbcee7b4d7a8

SHA512
76d5f36381431c75091d63db9c98e422e654a756607fe728aed87c326459231b2cea597245409b2bd79ed36a1b3b7155535cf738f7ed964e21fd684e6db86cb4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.zhq

Filesize
1KB

MD5
ad25ca142e7e001e4422a0fbd74f3185

SHA1
86f1eb3a4a1eede4c3662dd59f8cfefdbefa213a

SHA256
b1b55f9badc720855baf1e42e0919d09705d053028413fe201bc6b0c0cd3393e

SHA512
ebba4e509b01d42d21891e1dd267a8ab9bef631c3df72f096459a6904bec82d36816596e900600b3114f9d2510d7aadf4009c278816d846869c2e17da350750f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.zhq

Filesize
1KB

MD5
cc0fc18149ad5f93ce9bd28f79fa74c6

SHA1
eef645fab6e366f2bfda32b9e5d676e6bc94a477

SHA256
b2e3f2122d63a204d011ad6b36d7749638411d5836b6902042bb507f82f544ae

SHA512
35fce173edda109233016849b47214b55ad2a09feadbfffd75f9b20539920576744ca69b4b0d14496bca9fbd30ed2e6cc4783c4280d99034a5181742ff7488cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.zhq

Filesize
3KB

MD5
e7b2204b485514f84c26b351bc912b43

SHA1
308b705de6d748fad0ac4245b1614e511f0c174f

SHA256
78e5179ca13fb6c6846f2db6b73ed84dfc6fc5e70b51ae07a76fbb80e5663473

SHA512
7ca6cf574a464e874c7312cab98f458a4196d2e89355ba6514a355d12d27abdc687eee496e906a666f286b083d3fb29eb95e8af1695154bd119aa0a169b6e17f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.zhq

Filesize
2KB

MD5
3b31f9d52196839eecfb09acdb8f8dd0

SHA1
bdf43e9f565c4393d2b549a089584f4d3c4fd55e

SHA256
bcafbeb0dc8a9d8cd350e82a95ec8c8bc6ede5b9a166f71fedc03ad0df0122b9

SHA512
92b8f5f8eb8646904a3c8991111ede03345689353712f4bb9a110c896e5240329427ffc80a879bd52d497f964651a4ecd83f257cd4227b259a2872870425778a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.zhq

Filesize
5KB

MD5
0fa7d4455efdcbd66bc1061dce4cf86a

SHA1
811c4828d3b644198dfe28a11e119ec55776e597

SHA256
1ad3e3c6710b2b0b710ae0b356f2197d8a1190b486938e9fcb31f42cc0ba1749

SHA512
050834461cac89f91327d77b7c8429b238e6b15d808206544aa98506cc377f13e9d581a3c284167b49d608f13743c7e3ee1c89c3d1353e251a2ecb1aa04a4144

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.zhq

Filesize
823B

MD5
e5eed582accceb8417e079f7da31865d

SHA1
d2a33ebb04d9551e435e17b43bd25239742bf647

SHA256
f015386b49c32597c4b88d7fcd27b9d848896daeaef3d1f9293f760eb25b596d

SHA512
7941a42a580cd6c5e3de32e1c2088becc6956faae15cfde899a797090526de56a37d216b3a81290e662833e873bf61a46ee8d19537040d67b5d32ea4a54d62ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.zhq

Filesize
919B

MD5
40ea125791bee05bb4646c1b9f621e45

SHA1
e9ae22bfcbc3497aa2721961b4277accf715b0c5

SHA256
c37274991131bfa7867fbeee7d00280ce897c4b447c4b1f62493c5f5686adf63

SHA512
c0b7613b667e25053891b26983f5cfe895a8e287e7da7e2c2a6013cdc631662c9aca35582b9068b687fdc1bc1e16b38439799399e80dc0cc80d9bf309e821331

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.zhq

Filesize
1KB

MD5
9bd2cc80984b72f55adbc862f4570fcd

SHA1
25a6638a8af6cb21791be5d96f54d7474f7ed016

SHA256
b1a75a34ba588e8f76c0cfb7b78555d4da2914f1a86b086daf0205a2b01c9952

SHA512
6925e27a6752400c6e3b6d4fd321e73de509f4c1c2276526452e2bc9832d2aa284e310569f90e3e43d96e7ee3598fbf77ff32f30ad2fe2661e217280e83c90ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.zhq

Filesize
1KB

MD5
2be02c7c656f72383c29625576589ea3

SHA1
2e5dedcb9d56c8d82add10b8cbf48b52522ea1fa

SHA256
460f22cb46001105d5893555a70d2f216174662f2f54b0de93bffa04550564d6

SHA512
e77b596b32930d79e71aeb76e428d2d99b65bcfc54f52db18c38128b7f6b8577b949de3134f683a9510dfb5ba6fe5ff39253f68c91d09110eca4699e34eaeb73

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.zhq

Filesize
3KB

MD5
ff29dad831b5f166520da1a5957d4635

SHA1
a23c0d19f73ec7b8f3e542ec565a01ef039a58c9

SHA256
ba644a04151f473025899916719b5e95ee3703f6a18fc652ebefbc143ac73685

SHA512
88604d2ef486a98b834ea292560de354cf3a5bc38853fd76103fe07bbdbfae8c7652a51c6b8b89d025cb0b8704944235dbaf67be82a4079c484c5d1a59377dbe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.zhq

Filesize
1KB

MD5
edc865507a6aa15808b124bad71cd91a

SHA1
5b70e0c31d524eec5aee1b367901fba26db00c64

SHA256
bcdfcc8141929d336931f0d10a92aa035c21626c6d181dc8e6076a73bdf582f3

SHA512
255640da8b6a9911f268d48ea555cb5d109d1d2b9e24bb409d0886844db15c3303f9e8ec136672be3dff75172d07e59d09bf56754c93c13ca3e6abf38146b46a

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.zhq

Filesize
33KB

MD5
a0f77430f3b6f7c1aed18cc68b7c7714

SHA1
3d4a484c04e5271cf3be4e83ef9f7568ab5637f5

SHA256
9c5a01c04fe25b81b849ce752f29486396b140b64a2a4bcaa8900626cfcfeceb

SHA512
0a438eda1cff97ed4189cc6ec0481e2ea5204f26aad2b01fc309ba306c40c12ce019f796be7ff5cb5cd4f4ca0aafd4ab6a243727ebb6111c10e50429367c583c

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.zhq

Filesize
687B

MD5
04a6860d6ed9bebae006e98c5b3a07e0

SHA1
8afca0752ff4e21dd75b77ab90a6d2390b525ab2

SHA256
3468ca0d8a86972d11de4e52630ce3f71aca9a88784d0807391294235da3b7e9

SHA512
4257995e757a8f7749fbe84ea53265da98cbcdd564248cc4af2198bd6ce0cdad389589c0a2a85d914516885878a2c0ceaae54dcba226116928473e1de48d3f35

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.zhq

Filesize
648B

MD5
675798018ae259168a2fb7ed87254c65

SHA1
b87d70e58769d4d149e6ae9a87e78148e02676af

SHA256
70a3d7748b97abd184057332550f5e2b3ed482697ac3938dcba82e978cdb34fe

SHA512
a5c78007247e280f0b36b58c8d271419100e605f9adbcc4218e801e96ca4ffc08ac52ffd489f55e3393769819e495f6a32fca5b616f710e7955a7050cc6d9361

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.zhq

Filesize
647B

MD5
314419fe2123a1b710f5f6a128948bd6

SHA1
ec0b4a8ece5c58830714ed9b449df91f2ad3150f

SHA256
5eed89d933c188fde1a8c862d3cf5edb322070a3937658a560f9ff4581b2b009

SHA512
abb0366667db73830258c2e5f4fec165bab67affa272abe09b240251cfc16f748e0f2a51c8b2c973543440ea6f1eec1863a0d6c2ceb894212743432f2f7698cc

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.zhq

Filesize
614KB

MD5
faff40c10c980f9017de1551b81055a7

SHA1
a2499b8381cab0f9d02c44ac160f85c4327abaae

SHA256
15adc8cec0b872e422e59fb4c8d1b2b4c3613144791637755d99cacb374e7dfa

SHA512
415b87eee48ed637d024d792953752ff6ebd4843a2b656893fcfa4e8b61361d546c755aa3d7f8f1914f8ec5da1688aefbcbccabf7a98907ecc5d3f13eea6d5ff

Download Submit
C:\Program Files\help-you.txt

Filesize
2KB

MD5
a4d54eaae8d6e0e75825329fd216b836

SHA1
3dd23b09f2fb318e8ad6bfbcd5937a928207811c

SHA256
e366a7512389c1f73a47b9976854b28a73224cde2a0495f3bbc530cc4100bea3

SHA512
1282c30947707871b79d7c10a4e6ad556219e19656a426edb6116bad03059fcef8867d79f6cd558d0b084f193357550bb8788df34fdd750ade432d2a92adeba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.zhq

Filesize
550B

MD5
3cf544e9141f17b73285f8a0b64d7036

SHA1
4640f28b4a5688130f1f3f46e4a484f412dff8ea

SHA256
97d8971b6c9a3c6fef071f62974a021510b59bed9931fbc5f9659e9f2577aeec

SHA512
3f158ce1c10170f5bf2812ce1ab0f7edc4a97b757967d51de482d8f604c8351a62bb57460c7f572f4258a52300c814d67eb412a557ea67a80b7cfce1d47b1c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.zhq

Filesize
575B

MD5
7ac757ad686c6506333c9c5e7bbd6a08

SHA1
002cee186e10503a212c76d0d1bb0214397020e5

SHA256
3d15e578bcb15a9b9709fcb2cc2800239ed0e5e4d50261956a22f29d8bf03036

SHA512
58a293e9bf65172a4f77abb94ee65a0f5977782930102939f49e148c8c67fd7af5ddfa454208362c74c3ff6466db6217de4b2ae18fb8c5230bba88f9fdc28150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.zhq

Filesize
8KB

MD5
b512b846bad3db3c90c0ccd93ac69332

SHA1
2cedeedc38c16894f31d311faeff9b9bfd4230d9

SHA256
2eb66bd37b72fa1c25b070a9b31e2464e55e9ae64b49310ca3dedb7f587590c6

SHA512
b79df471153bf12c49f691aacf13ba156a4173814fb6115d5bb4e0361e2d45e9a49cdaae305b49da8d995a0bf3e7f7c4ead5057ce84954153915d0fcbb20bba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.zhq

Filesize
8KB

MD5
90ad05ac34aa2313560a1e590d0bfaba

SHA1
c56ff02776c0cfbff7a7af09e411b55ae1556653

SHA256
5420f33d8f59e0b5d5f05c5fd438f6edc70b5be427db55742a9e03f29f3734dc

SHA512
2dbb62342f10dc10b3912cab116811a16b571d25ebcf6578cd26eadeb340e442e7b31431c0afd99302d671fadb58a73f7d73735e1392f9cc622d394be4efd2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.zhq

Filesize
264KB

MD5
f7aafbd63e3a5d23fb49effc6a823db3

SHA1
e765390b48836f1eb690e6f1f8ab99cf85391494

SHA256
65935c1af9f349de7e2479eecfd944b581096e602054bea80404f71e7b633aae

SHA512
98bae061c231334c4f1204d4512407865ff2a9cfb2c619dade20ef7fff4355b35009675976baeac700ed3368d9426b1d04cda0e4cfce14fad962c5527621e56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.zhq

Filesize
8KB

MD5
5e7e5ef7dc5ce2d4b1b7977bf15d707a

SHA1
cabb800da0bbb170a741f98fc21618bc844ff5e1

SHA256
2c6cfbf55adf7f8e241ff3a2c6c196f08a5938085fca46e61b06b2cec3e05c32

SHA512
771bd85f36b2464e4fb2d2fa803392bbd6494b462e5096b3f1c065c58e4add82df786c8e2641f516500024868a4fbb4e781fb054fc48b5049f4afdf05df3bb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
01ae564e35dd35db3164666d86f817b9

SHA1
8b90bafe5c2a4d35101c09f715a908d3d29bb472

SHA256
1daa5180814cc25b71c3c3da36eb4ca9b5163514344653f9cc005a87907189e4

SHA512
10c2d925999e3b419814ef6da8cc7edda09308f38fe08541804f01be3032a30d41da93c56f269732ae1297373d85728340b7b358fe7164b8a6bde3265a5b32f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index.zhq

Filesize
558B

MD5
f087f1f9cec460e7e83afc1ad16a5d75

SHA1
48630440cc48347f36db29366cf2778919a86194

SHA256
9684ce75473143f2128419864149bd905c48c6b28cdbe9f7538642aba01bcf13

SHA512
9759ec6c69fad34d386f186d0eccf6b48439eca2f8d6c22521c3dd4fb4738e8f0147b00313bb93709411060fd38aaf73fc18ee860f12b2d06e6e24b8684176f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ned1e4nd.gud.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1852-12-0x00007FF9346F0000-0x00007FF934A45000-memory.dmp

Filesize
3.3MB

Download
memory/1852-16-0x00007FF9346F0000-0x00007FF934A45000-memory.dmp

Filesize
3.3MB

Download
memory/1852-10-0x000001B5CE680000-0x000001B5CE6A2000-memory.dmp

Filesize
136KB

Download
memory/1852-5-0x00007FF9346F0000-0x00007FF934A45000-memory.dmp

Filesize
3.3MB

Download
memory/1852-15-0x000001B5CE730000-0x000001B5CE94C000-memory.dmp

Filesize
2.1MB

Download
memory/1852-11-0x00007FF9346F0000-0x00007FF934A45000-memory.dmp

Filesize
3.3MB

Download