96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57504bca0f333befa73476e449f6a8a0N.exe
Size

333KB
MD5

57504bca0f333befa73476e449f6a8a0
SHA1

c207f136cda100bb9b319d3276914f697ccb3499
SHA256

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a
SHA512

cfe9f07fadbf874b9694990c631c8562ad511bbedd7ea91451d80a5c934f4c1036596b0043e441d3078a37cfef6bba818264ef64044606d77657e7a4a0c29bfc
SSDEEP

6144:AemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8A8otk1:n9cm+M9vFl/1HrN2otk1

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">ZQcEAKXtPfpIK5Nb2BGn0h0KxmiVyWwH/c2BFl1D4SWFkWvFmqzr1GKhb+lRNcr4pPu64dDIud60C+cDMaY6kwZZuQn1dd404KKzJ1NLoE5+W6zWPQUWsSxHWyWQ8HVD/PesHMCjoSd8qOTmyrAEWaM2Y45ZMpjTmJ+PD+QikzZ/yYiSEfbWdNRRQD++gBYOLwG+WVyUAyVuNyfve2aIU+ETj3ZbMBapL+5F8OSgfarJxrp/0OKPmoh9jlz7RKZJyC838OEg4YPZ6SnAvz2kQVMVdaaZR/CoNIT4550LWG0fATbMz5CgHmGlWUZDvG3uU2KDqdT+S7RZi/DB1aVBiOkTSZ9Dn685a87Febu3CX5qO1tecWhygAgdc4YcQNXOBS5nsYxh7FK5i8l0OM0vtCfp2uJqnIOsM8eIRMu8Gsur/vRGGafAkyulEvQQIWCYh2EDeSxfJ5R+KJ4rd0yvu9cqJLYumpWYSV+vBC+J3da/c42Sr52/pVLROvRWhuy3MipVIxpajxInheN170gi9f4zq39ibjlyRsIFp7DSqBISjEy+s6RNOrtu0JntXe8XXcXDhevGSJ/Xe9R7dM5O1RXq9VuApDicncGTfbX9qb6ScrCoOH75TFCx9UVWhw29NLYqrWiBLn47SNqTg+lDe/4UY95OOIsKARCdGgv7K6Qj1H6+tpVLVpu67tUPpHV9cRer5vsw3L+Lp3u+Ej3z53+tyTBvgy1/AEQW0j1JK3ZjW0SGXB9AQDWrtsWlwC915oC4HOL7BGu1igLg1pI37Jiz/bGWlmSlf39ISXziacdlomElX5hwCsfgp+gyFVIpewYT4GDhR8QQeQNnPfFPC6wH2iIfAFXNYg8WotK8as+W8hiyJZU3q83nDJ++UsH4fbabbmOSL7Q1Rz3LhvFnL2ySGWDxPtkG1gXCp+i4JYJER2uOqTskJQqQvQwUQBygxSjTX2ba6l3YvV9wNZAS04pf0k6NPTZAIQwG1Aq8T4atQl0gQoKmF3jy7J8L86Q3aJu/GuGUfxfLSwJA5scNTcN3v2xCH7755qmBfl+FfaqHWPPofSHOQ+f3YK038OalQfoZHpK9SNursKbgrHIhxAZAZ11452xKdVpbhkoW2XOhmgxGjFXumgkHBpHZAfas7TGwbNhS1998306HeVh/9pA3Zz+DKn+ZZ0D+Bpn5M03VLO9XOjYH1chXLkoa+t+RM0lPVbiKdRKu8FYqtoAUWd4u0TgC3bHv5+XkOWU6knSyiFFoSRH350DcU3MVUXwGJqW2Z8RYy4S2Hk0WDxsjLFALCe9oQcFHpEz04L3lwyar7tavKEWqyDecCqSi0fQ7WCxK34N3FMMsupDTdCrQPtiG4MGsYvRkdnk5k4JyHcr2nC6aNCpWX+i5wFW9UZbMQnfh/YN/EXGdOjEUrRMRd7rjoFiUOV7bJdvXF+kQMSIsfuHO9lbIKGZYGe5AV0qipf2WJEz+/D1FpOHHuaFnCB1ysNUxPmEfBKK0/udIPdnAbkmVuspXRTrkjUWhTUNvl6kho7MYs5CVxXrr/Z9GDOM8dqtRJyqE6EpzO8BuxsSx7xEtaFbfZ3I0Dt+OvDxei5ZqgvOxB7MatjkJ0mBxV9p0bpsrwjUCOXFjRa/DLys4L018JUtB+bcMq9KHAtKqijuLQ1orsAAsEIycV0RjJx5SDTkl2A3avK6uHJxCakY=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

57504bca0f333befa73476e449f6a8a0N.exe

description pid process target process

PID 464 created 3464 464 57504bca0f333befa73476e449f6a8a0N.exe Explorer.EXE
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4568 bcdedit.exe
4856 bcdedit.exe
Renames multiple (6581) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	pid	process	target process
PID 464 created 3464	464	57504bca0f333befa73476e449f6a8a0N.exe	Explorer.EXE

pid	process
4568	bcdedit.exe
4856	bcdedit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4384 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3332 wbadmin.exe

pid	process
4384	wbadmin.exe

pid	process
3332	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

57504bca0f333befa73476e449f6a8a0N.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\E:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\G:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\L:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\N:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\S:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\X:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\H:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\R:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\T:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\F:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\A:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\I:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\Y:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\K:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\M:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\U:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\Z:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\P:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\V:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\J:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\O:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\Q:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	57504bca0f333befa73476e449f6a8a0N.exe
File opened (read-only)	\??\W:	57504bca0f333befa73476e449f6a8a0N.exe

Drops file in Program Files directory 64 IoCs

Processes:

57504bca0f333befa73476e449f6a8a0N.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\LargeTile.scale-125.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\GetSMDL2.ttf	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\segoeui_semibold.woff	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-200.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_unselected_18.svg	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-100.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\ui-strings.js	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square150x150Logo.scale-200.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-100.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dc.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Generic.xbf	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ui-strings.js	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_rich_capture.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files\WindowsApps\Deleted\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-200.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircle.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-125.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\WebBlendsControl.xaml	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.contrast-black_scale-100.png	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	57504bca0f333befa73476e449f6a8a0N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-lightunplated.png	57504bca0f333befa73476e449f6a8a0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\How_to_back_files.html	57504bca0f333befa73476e449f6a8a0N.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execipher.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe57504bca0f333befa73476e449f6a8a0N.execipher.exe57504bca0f333befa73476e449f6a8a0N.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execipher.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57504bca0f333befa73476e449f6a8a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57504bca0f333befa73476e449f6a8a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2456 vssadmin.exe

pid	process
2456	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1940	taskkill.exe
376	taskkill.exe
3584	taskkill.exe
3976	taskkill.exe
1704	taskkill.exe
4948	taskkill.exe
2544	taskkill.exe
1424	taskkill.exe
1840	taskkill.exe
4320	taskkill.exe
1124	taskkill.exe
3248	taskkill.exe
1228	taskkill.exe
4756	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{6406BF0B-F930-479A-B340-3FFA32EF3348}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

57504bca0f333befa73476e449f6a8a0N.exe

pid	process
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe
464	57504bca0f333befa73476e449f6a8a0N.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeCreatePagefilePrivilege	996	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe
996 explorer.exe

pid	process
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe

pid	process
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57504bca0f333befa73476e449f6a8a0N.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 464 wrote to memory of 2652	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 2652	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 2652	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 2652 wrote to memory of 4920	2652	cmd.exe	cmd.exe
PID 2652 wrote to memory of 4920	2652	cmd.exe	cmd.exe
PID 464 wrote to memory of 4048	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 4048	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 4048	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 4048 wrote to memory of 1300	4048	cmd.exe	cmd.exe
PID 4048 wrote to memory of 1300	4048	cmd.exe	cmd.exe
PID 1300 wrote to memory of 1704	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1704	1300	cmd.exe	taskkill.exe
PID 464 wrote to memory of 3360	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 3360	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 3360	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 3360 wrote to memory of 468	3360	cmd.exe	cmd.exe
PID 3360 wrote to memory of 468	3360	cmd.exe	cmd.exe
PID 468 wrote to memory of 1940	468	cmd.exe	taskkill.exe
PID 468 wrote to memory of 1940	468	cmd.exe	taskkill.exe
PID 464 wrote to memory of 1568	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1568	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1568	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 1568 wrote to memory of 4824	1568	cmd.exe	cmd.exe
PID 1568 wrote to memory of 4824	1568	cmd.exe	cmd.exe
PID 4824 wrote to memory of 1124	4824	cmd.exe	taskkill.exe
PID 4824 wrote to memory of 1124	4824	cmd.exe	taskkill.exe
PID 464 wrote to memory of 4740	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 4740	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 4740	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 4740 wrote to memory of 2412	4740	cmd.exe	cmd.exe
PID 4740 wrote to memory of 2412	4740	cmd.exe	cmd.exe
PID 2412 wrote to memory of 4948	2412	cmd.exe	taskkill.exe
PID 2412 wrote to memory of 4948	2412	cmd.exe	taskkill.exe
PID 464 wrote to memory of 1220	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1220	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1220	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 1220 wrote to memory of 1716	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1716	1220	cmd.exe	cmd.exe
PID 1716 wrote to memory of 4320	1716	cmd.exe	taskkill.exe
PID 1716 wrote to memory of 4320	1716	cmd.exe	taskkill.exe
PID 464 wrote to memory of 916	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 916	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 916	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 916 wrote to memory of 1756	916	cmd.exe	cmd.exe
PID 916 wrote to memory of 1756	916	cmd.exe	cmd.exe
PID 1756 wrote to memory of 3248	1756	cmd.exe	taskkill.exe
PID 1756 wrote to memory of 3248	1756	cmd.exe	taskkill.exe
PID 464 wrote to memory of 3964	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 3964	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 3964	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 3964 wrote to memory of 4160	3964	cmd.exe	cmd.exe
PID 3964 wrote to memory of 4160	3964	cmd.exe	cmd.exe
PID 4160 wrote to memory of 376	4160	cmd.exe	taskkill.exe
PID 4160 wrote to memory of 376	4160	cmd.exe	taskkill.exe
PID 464 wrote to memory of 1432	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1432	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1432	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 1432 wrote to memory of 1552	1432	cmd.exe	cmd.exe
PID 1432 wrote to memory of 1552	1432	cmd.exe	cmd.exe
PID 1552 wrote to memory of 3584	1552	cmd.exe	taskkill.exe
PID 1552 wrote to memory of 3584	1552	cmd.exe	taskkill.exe
PID 464 wrote to memory of 1772	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1772	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe
PID 464 wrote to memory of 1772	464	57504bca0f333befa73476e449f6a8a0N.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

57504bca0f333befa73476e449f6a8a0N.exe57504bca0f333befa73476e449f6a8a0N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	57504bca0f333befa73476e449f6a8a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	57504bca0f333befa73476e449f6a8a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	57504bca0f333befa73476e449f6a8a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	57504bca0f333befa73476e449f6a8a0N.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\57504bca0f333befa73476e449f6a8a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\57504bca0f333befa73476e449f6a8a0N.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:464
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2976
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:4568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:4808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:3516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1300
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:3860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2468
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4348
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:316
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:828
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:3432
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:2504
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2964
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1724
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:3484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4304
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1600
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1436
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:3320
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2124
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:212
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:1636
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4632
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:5004
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4596
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:5076
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4568
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:4160
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\57504bca0f333befa73476e449f6a8a0N.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\57504bca0f333befa73476e449f6a8a0N.exe -network
  2⤵
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
124c7a66c73711547bf8316cfaf5eade

SHA1
6affd5042a2be66ad4415b444eb0d61824cec710

SHA256
a2b70e0df91af5bd697d05f0a1a2d0e3479b5ebc1c36cfb47959234d10ec491c

SHA512
d4dcf60fc9ac242d93aeb28e85a21e3e5608f1c4ecfb9a2c52004c970aecbe6af310a51f7767b3e2c43dea314afa8879fddc0aa93ddc06f61784f166098bf4b7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
5b0c71144c9738d909465c2fc4308e53

SHA1
e63ad032b34e9e767166cb67074b3591195b4d11

SHA256
f8d5b3e3ecb43b74643851952f6424d9e9debc51281f5b33a39b11f2051f7b44

SHA512
f3959633df19fab203ba688467f7e7917ebf65a117effe10a0409895ce5da58f2d8eb081d077673f9711c4f5a0a5d091394720aa70810b74f5e88d95d3dbab5a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
34207b307ab8fe2b533a58c8021b1a80

SHA1
1929145993bd1ed288ed229183516e01f2f50074

SHA256
84dc1c4473319aab9e26e1eff0bcd3a1a7bdb169b480b4dedb31722b01219096

SHA512
7249c15e2e0e72c7060f15af577bbe340c628af3eab869a3a4db62ffc01dff6f2ea67a365221834fe523c2b758511c98839480f7a395d24a30d98a9a0ebd59cd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg

Filesize
3KB

MD5
03fe4bc0e26c62150e4c830e35ecf514

SHA1
b7e63d0b8de914b6083288cbe2e734fb8ae2bc74

SHA256
cc367e58d198ef6e763c8bc6b55a4b2901cbd2356a4c13389005461ca66d1267

SHA512
0f51c26e0644fa854d95a18ddda37d31f92e48b4c0e056f80b89020fd5c1c99797ac81abaaa5b71b3c6b7a977a2cf9485594b0e78924647883baac1554eeadc7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
96f3e5e17e961f93d6aa6bbd00c1525b

SHA1
18ff395456aa6a87003830ee522d5fc7f6b356a8

SHA256
69515ee728ae2a90f4d327635b35d366761ba3378e488e75f65821081f861c66

SHA512
b4f496a5baeb359a78cbf8fa84f19b960210824c035887cf05dcd8b232f084f5513e983597774b219011b8fb09378f28215efe99b147aa70f3188123cad123b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg

Filesize
2KB

MD5
e276333caf8394334f77a9b18ad8bbd6

SHA1
99cce5e8e13455ce829fe1b28dd9fc8234b28ac4

SHA256
a4d2c7e29c05d141b90aa1d2295c5d971e3209bd77419d65713b2c8a654aebd0

SHA512
9b3df079e5565593b65a3bb39db9e528eaa96443f7ebe31ac1e246ac85145d7a599ba30f7f056d285b38dc89ec5bd7c337ca5587d05684696b6dc225e7caa851

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg

Filesize
2KB

MD5
31930349acb81962884ae1fea0075e81

SHA1
1e59f65e4afd5802f7da3f3fd846cd14d4a48f69

SHA256
19a2047f3acade7ee25faccc0f5740be7813082a01d092be076797ded8f25294

SHA512
23e01a8606c13e31c4653eb09acc636931a205d1e2c490becef9089d1e465611d9b88f0b60fd4eed53d0290d47c30c520806fc507020bbb75fced547324082ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg

Filesize
3KB

MD5
3ddfb43cc1b0c84b471933d082fd6e2e

SHA1
1f194f33c71c544dc0e5f061a71d3d383dcdd179

SHA256
02661211a93e5da06a5eaf25f7352f56ec0cadc3bb2aa4e467934dae27d6547b

SHA512
3431f5af381ac69cee406d8595f56d2444bf2a307674ef92b7335fb1f2e6b73b696cb8d3ebf27be139f685403f95764f76e444c9fbe58d8447f0304bf956f42a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg

Filesize
3KB

MD5
92744a12cb7fa59506416e00b68ddf51

SHA1
d2bb98f087609b6b589101ff891977f517495677

SHA256
f8ee66b3d0f8903b82c17c3272c35e4c2454514790e4be6df5484d3d1b453dd0

SHA512
4ed9aa0d75c11f39592272b8e1979ad49b1ba680355ca7656baa38991ca7a32a2defa2e5757e73484ace4e6c334e673b1cced7d42de03f785613c6f69a28a2bd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg

Filesize
3KB

MD5
39dd9b85e0d35eb48defdfdc5c4f0e00

SHA1
30df6408ed10e2a01da5f3745553060941f14a10

SHA256
ff2544e3cb20e77a7904ae119ded9a831b904661bb39ebab0e8fbd945922bcd5

SHA512
c97cccdec9bbb4fddb7d295bdfb98e735ad7dc3171eab6d3917a53fcbff7bdbd19f4cfb2a99f5ff1d211358d7e09c189f36ab5641997554ef52bf417f5f5ba8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg

Filesize
2KB

MD5
9297aa5a4f9b33c8fa472af27a67d2f1

SHA1
16122a0dc164b1544382f0795209806e3f7354d9

SHA256
935b3f75a65802a2325cc8563b39bdb6b9730300f41a476c17ba7b89d274ea69

SHA512
adb26b9366cecb7e1504414f43de2ea8cb42162ebf685e01457b50eac789f97e0a118e381f3eded91be93032b062fadabdcfb34a604f0124be129fceb4a3604b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
bd93a2c6e7bdabf8f8c6051f226eef9e

SHA1
2131bf3cddd5947f97e9c0062fde1bc333d0dd37

SHA256
8ab7cf02dd3ee5eaa87fd4493ec8474229d285b86a678f99dc05101681926c18

SHA512
0f544416f6f21d14b70930a2955064d410cafdb28bdac8b8fce8ac300ebc71c2af184ca6e0dc04a3e23d6d3f75b835ef902478b409c90e2b23c7893c95642bf7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
a764dcbf834c36249a73fb4ccbacf8a7

SHA1
da98209b1d325cc5faefbc1780644d5f2a4936c3

SHA256
2a004acb6c5c01a3798d60414e499388d40e4d36624bcd3a16f31c99536fd391

SHA512
2602fb165bb2cbc6d27826ae472e8192a8a9b55e4f17c168fee1e898fabafcfb81556af878e0bf9903e5abb04916882698e21810112f5b26e0ca262b90fe37a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
028dc36e040277216b016a092089ed13

SHA1
c46b7323f1e6b5cfff1ce56c8275b74ca90e3634

SHA256
7edbe4a27a77884a8f9efca418dde01fdfdcd615b820f0026f24118e258ea3b4

SHA512
ff414902447db85897e60402796cc7999f2d6bfd436d02cb27040ff763d7bec196ad7396ed7b2f83a03b0ff7ef8e1f9a1d5b91218a80d447e567d0ee66c07576

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
e7df6f5284df7f33184cef5de76600f8

SHA1
a0d51fc363e8e48547e589238872804654a5deaa

SHA256
8514927c49c69327dacff4303bd6a8bcd539e1066bfda054d5b18b497046b65b

SHA512
5e0040af11523ab72d2ad7564555da8793fff3b9379a6a20ee52a9dd08589740aacdd6620ac2e0371d724689673793a09d805740ca6fbe3131f5d39578613e31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

Filesize
5KB

MD5
c1cc2eb5208f576c495204e16c3a3417

SHA1
6b8486cc63d0dab654a94242ba73a84ea728bda2

SHA256
a5cfe145b59684eb8835838c1695709ddb87c69b8e67e0f5cbb3bef27a1b3632

SHA512
2938e27fe3350604426f592a5de8d8954c4ec839d4b09fb6e86617aa84b1b958e06720dd681c35a42dc39e3285aa9807425778b3f5f1f160844345bebe01d8ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
f0f35bdb9e6d02651bb0934cfbc2757e

SHA1
0b8402c0ad1118d3791e90738a94bc7f7bb1631c

SHA256
7ea5d882f3ee41b12c356f571125dd674175a9d157eb57c9bfb69b1049ebe209

SHA512
05d2f7417fe0e09e4c727250973204efec90217436ceed33ee0999aa1f4bbea43d7e39ab29406b6e5708a1dd6a6a69e2019f9474f6333528f65c69dd5fc43bd6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
cd66fc98be9227faee3c338f1e3e8c33

SHA1
eea20d2a4592bc6a8e82de5770a2d4072a6be4ae

SHA256
efe0d345d68de156309a9fb7ea656a372f9130d49b14d5c1b4e8e488a078b927

SHA512
b8cac6dfc8b154ffbbf24c16a82f7192b9d94bbbcf2c89de29a188fe140427c4e591d3b2b3d2b83d9924e0f6aadf5c56d328d88fc4d9c06fd075a45967d99b38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
1944c956723ac15444c1f9bc63f9d267

SHA1
dbbe32c584325165fe952a169c2022c42c7e7063

SHA256
0bb9c2d657525d1d87d4a3f2ff69abb5acd40803d035f21d06f8ce9577a6c0c0

SHA512
7f28d54a2b96a1ea3bc907a2aa636a35a02e9e79d3459d4f64089adc07f850577f7a128d6518c1e9f5522e11224aa8b3f82146169bf89afdfb6d546b7708e25b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
7655456b6ed52598ffa5928238d21217

SHA1
e62e617e4266d5167a354377f14607372da68d05

SHA256
107863fc2ae2c5382ff194445545cb89e5e4db16f004d0411e012bd381bde731

SHA512
56a6085b54d28273bae8b036633549fcb28b14d8a6f8920b01f1873baeaa12fe7f9692fd6b17d3111153a9a68498b03dd6d53da14d5ab448e5e0becc93b584ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
363e76a66edec58ecf80aa417b8ae614

SHA1
378e5f8e1a042047ee4c50e13234cdbe468a073e

SHA256
0f03d2aa01cfffd202b8022090b0315fb0c3678ddc8df77e76783fd018cc2361

SHA512
2d0bc562fbf3fe1c964b2aa4c2c1374a0af92ddb1a57b961014698b593110c6c6100e685912489d5fffc209ba1dcfa7f5702e7ed59fe874cff10684b893379ee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
2dc087b54852f903435643f961dd37f9

SHA1
ac9b006bdeacf92a2a9bfc55f1196cacbf48943d

SHA256
f1c8ae60b8232bd4b21c166c7f9b65bf6d05fe051fca36719510b3c41b46c0de

SHA512
f8e7d254fe7ec0b8a03e22da244fdf5ef72c3bec7fdca430537ee2712dee2c692829827633a3b3d1a3256d29b2f0c110f08e3c360912afa94447d6bd376cb383

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
7883ccd8a7d75d90921350a1ff420cc5

SHA1
51db803aef1b3c7dfbd53e707b5df3466fa36e89

SHA256
9e8778a2e9c3c0b1b23d6a16673ef9f2e81a84847955fbc6350bdb440c82f77f

SHA512
29125c7f5dc9c3acc53cbadcb0780e847fc5a8e981df78a700dbe8508e7e23df515ed166d4fd7b95e9f37f54345e4ae4c4f297bde730080a9ab8f8c0b75c40b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

Filesize
1KB

MD5
0f23f5d0f85c790b78de7b81c94f65a3

SHA1
846eb36f2062ebe20805986a4c62c79e2beec4f3

SHA256
cf54285760914d8e34b24929f36e9a73702597e63b3bf7037371694194bfd064

SHA512
d6c213c9f53514347ae7fb3c8b667455eb29c70f0116fb0d5115cbb02739523f3a5941d44997a6734140fc0baa16414cc6d5945430a8efc1102896d73364fdcc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
2KB

MD5
c988c5ada0858a13c6181dd33feadef5

SHA1
21424a105ba0bdc0ebce299c227595fbfd449c59

SHA256
faf33a0cd7dd358ae568bbe24dd1e1e92ecabe1a2136c6bb66690dc050c49111

SHA512
c7f5df72a782935923dccf7b6282e4a518074adfebc8141425e05068de26ec796312b6913b5409ef40d6564073eb08761b9daac4f0671d75f94dbacf7bee8ec3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
1KB

MD5
ef5885f8e7d3a375c669d3afb601ec88

SHA1
b1ce24f4fa011ee758486ab1726a553f935fbd55

SHA256
783760429139a6306840bb6590f98573a0478de7f8d18c9be45d64f4a56b7c9f

SHA512
74a0fa05ca81de0944eb20d3d6a459f684a3af59ed915ee14e9d1a1568b6f398e0e57a815cff0baadb909370ea7311ad24907042eee5505b449e26bcc0d6d59a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
549445f3792da31d03b2a2841067f4d8

SHA1
1c81b0c2b5d5f1bd557440fa16c3782a493ab158

SHA256
7bba22dd34963e0abbab4f97dd9c7d5ac79cbeaeec8a8a2c2057a51c37030087

SHA512
2064581ed2be19f2109b16e29c39f9c0cdc1996cd1b15c18633e13a100c4079255f1ea46745928a7fcdc40d33568f09b0d3ae12e4ede6c096969420499939eb0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

Filesize
1KB

MD5
b15616197fc1097b2a06853fd4a8d5e0

SHA1
162cfdae8477d3fce96a44636415feb9d5a84cd2

SHA256
81e827c52282c36d51f75b6a78e4aa99942aaf5d42ff53e01e83be139b65e2de

SHA512
9ff576717f7abaa260bd33637f61dd8df2edd1824a6111f2790d0f5d14563fdf0a2a0be046edf7fda4f632e5f6e1604cdd26feb4066b4af103bd3b32c3da78f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
2KB

MD5
3bbf1c88e31f9962b34bca5bbabbf187

SHA1
7ca4fab3e0eb3d9a889ece67ce382e58290335f0

SHA256
8e9923de18ce2a269610072b19409520864701985e578152f9ea7d53f10e783a

SHA512
a1b5ef61624054df51916c1dc45628a9d3e4c63037d0ad7dc89dcc69c32ed9c5c0660c1c7eb81611998615abe20791b781b7a83b674c647bad6f1cfe6f1b453e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
1KB

MD5
d4a1e85d275a259689253b7d6fb4e2f4

SHA1
4a5af97ce57beb2802b175dff8f6b393122d10d2

SHA256
a5c522f3bc9e05365fa8d9afbae72625f090c9cd66d17e441a39b7b04b749a43

SHA512
315de3e77563f705cf259f3d085192cccbb673055b4c699144c4186f0a69d25804971375dc6f54932a0effacade09422241db955241d3aa355f8f2ad9d8be79e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
89930adff02b1095df3baaf7a5af54bc

SHA1
0df91546276c4c33aece53b3b72ec50b0445a5ec

SHA256
2190501c8a0199cf7d53018344564c4fda9ae28733d20a889088d54a170d7014

SHA512
1da0f76e019be810ceb45f87aa68a715631db8fe9bf793f9c3bbd1a27789c081125add2512c7ba6800a22301d5f6695c5e0ff66f1c0fe600cc564e0a857b7023

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
2f15b3fd081afd6041d8d87b530ac415

SHA1
f537855477a2956b1750f3205d08f38fca482201

SHA256
b08e2210f07c27aabcc1fe3746846d21ea21126e2d800a0df6d3930715118418

SHA512
96d8d5ad8635fe5742538bb73aeed9a1da947fd55d9351691155f06b588bfcabb1ae8fa2b4cdb7d95824aa962f66fe7ce4fb4957cc0f483be537dc7fd912359d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
542f2c54510c3278b82f60ce82810c33

SHA1
6695ade79d63a76e7f0d97880ba19dbdf8acc651

SHA256
106c985606ee3b936da31298e32433a01f1bc365b7c4747a0a875963edc3a2c2

SHA512
2e533a4112744e4431009ec4934892a54b348b5d8688cad7f1f99538b52b8fc55c563041ef818fc7879a4980e0985dc8dec93ab409ea1502442feb6ce0236dc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
264522bc24e93c6d46035a8735d12990

SHA1
bf7f32e9ce6e433b61c72492285dcb13f76b482b

SHA256
9d58de3cf186f16205deadccdfe4776545183d58b5440ef401254af00e235a77

SHA512
cbfc0422b85e2452a8d3eea1de0800d37e50f55f82c79b0930702b5346fceae7763cf215b753e15e8e3d1ffcb30f8aad403a03b6eb477a1c7334748726b074b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
6860f7644424165dd3910914eccd27da

SHA1
23017e4af0680f3d1d1b9ab16625fab3d2005e63

SHA256
010b5a100518f0fcec762a7d58fa74f64093325aac750edb000163ef49bcec99

SHA512
f4dd47d852ee253290e884370721227ee7670811177931dc505642c49beb9c924e60f5810f106942fe3ce50213f62edaacd63d2e435d758a999aee3dc6e90d72

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
529f6a510b444824d9acc460f49c580b

SHA1
49a020795d2f61c2b5d26a24418cfcd9f1cd25fb

SHA256
4a1d24c9850bff523bafd7030a630fc9af9cfc752e917cd4a0067ea37d9be2bb

SHA512
f65808d54f290657a75cc2a075af5ce6b6e99ac7d01d5874c84463bba5f7ace3280cc76cf95498cad9c8ea20189aef1a6d89a6ad9f98856d1ec2d4814a586af7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
e7df4e9c36c6537bc9eb201358134cdd

SHA1
be855f1ac79b155976d576e69a96b76af73728a0

SHA256
f8bac31702cacf0406da21e1496d703c33d751f6e7cd3c52acf8b5dd66390eb1

SHA512
7ad49ce4bf65cc9644e65fb92e6883b9e8895933a16d23c5afa3ae21c7519af5262194dd60f069e1032963a3314679cbdf4e09e5320b3c0072c17d6d0d3a59d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
5c773002e6461c7ebf6069b3e7383ba6

SHA1
df0e8bc7b246e3d40bd92f3aae7def55e1a0c7c2

SHA256
b937f8a36c5295d2344bf1bff0ed06217725f927968b83c1ea3352a66aa9205e

SHA512
ac2a0973d5729ed0ec66d79ce95948ab94013184b3dbdab143089917c0c1ff32dd1de447f23d0530099cefaff3d7a997158fc687ad8f1b9e3cd6f3e3a3ceabf1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
a8282160092a8a1463f250e98608cbc3

SHA1
962b0614098d7e7dc87312c40dc476ac720f3571

SHA256
5338a40e578b6c0a13ebbbe5967df6ec0a7b5bb5159187e3e43230300647ec68

SHA512
fc7d9744d17169d1d219f1e590ce5e8210ef286033c782894dce362019f5ce5d3629295c65cd1772a1175d5269f8664882258b77e53bf1528e89ae5c73a03ab3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
3f3a3ef98bbbcfc62cc66323aacf1188

SHA1
cfa62ab305bd1a283ad139305ddb0d3bdda05375

SHA256
e8ae1011edb2903538bc73490ac6e3705f7cb217603eb2365b1632abe242eacd

SHA512
aa59db6d98b6e33e23ff9ca2262826da353f4930cf2472b7376831ee5a5b2ef11164aaed6dc8d25e55d2c5928faca1d9163ba127c6a7f094166b783fc9ce9d19

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
0ee0a12a2c0b37059157ccefc82f64bf

SHA1
0ba9c8da0677f5eb7054325636b3a55a1dc466a7

SHA256
a64522ba5f9f2785cde7f37a23393bdf89bdded3bd78a6ed2aa98ca1b99291c8

SHA512
cb61f76172079b3bc72418f725bcf075f46bfa171fff779fefed5b2c34bb4b0b65aafafcb5a7814decd13d71269da38d1a5b3bf4ddbefe7ef122010535f0a1cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
b6727a9e7725d0004ff703d02bd4e33d

SHA1
9c5be6959b2b0940d4aa954ba9cc58705b832a34

SHA256
8328eadd5dd0f05109232433b778f5b5b481d2d2583358ae930ea6602b485c5a

SHA512
3388e16427edc2dca68fe6fe78fe84c9d20b132c7a6e02ef9ec93041be88488d08a746fe6f0395aca53d0bc7811b21e337a19f7044dd02c291c48df349d7156e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a07bffb309d36351a2f0a84bffa2adb8

SHA1
af74c9b5158a98b5c614d5fb76bab4b7b4e1d287

SHA256
664ed08812bf5798a21e943a153ab983f2bdf600e40c15e65370961ab61c1171

SHA512
08ee2bf0cfd10c82f313237c447cf402de76e6ff189215f9d366660dd12505d3713f4320ab9fddb06c7fe9d94fae87183cb4cc0c5f44278b14276e40e699c7fd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js

Filesize
2KB

MD5
ddad8a80313efea4ff71de7df1aaf895

SHA1
c58f5fc62974d5dfc4dd5020e81c43c84d8460a4

SHA256
d25b60e041b3f2064e25a950128e748d332995095faef056d065a6aa94e261ef

SHA512
63b90799ec29b00061236194f5bc897cac4c8e9b6dff2c0fc7f0e331ebb5de8c3b35bbf74ac9db1a21466303ece29ba2a3f1557ae5cb0f5505956e39f5dcb86d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css

Filesize
2KB

MD5
56dcdb06f134e9d1c978ffcc4c562c3f

SHA1
6605dd73ef0c94e0f5bdeb26b2b585f739bfee3f

SHA256
04170bf75c26337f0844f087c9cf3e7143fbe52eff812afa1f907150d9734fb4

SHA512
e259430ecde11a721390db4c80fe0ad0b8fdd10fb9110d78e6aff559dd3dfc5f11245f72d0bac433c8830885ee1890d96bbf3de7d558c7b7c117481c11f95769

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

Filesize
1KB

MD5
34e2b59d72878ec52087086b2c1d94a2

SHA1
896bad08e802d0fc8f5d2be8919fe353a5593cfd

SHA256
a0785aee86c47f34b9e791979672be2cfc5b913add76a8c0263d1151a8b8479a

SHA512
f712d858a8a9ca4b477a7a21e0be3d3fc18b5d1f141fb68665cb518eb595075819abe4b4c86ff1d744c4b8b3c91382efa6bf093166dfd972809e99e849daace2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
2KB

MD5
d5e716904bc34e8ca361b6189b6a4815

SHA1
913f6ce61ef9b3f81182047a38c862ff341a2d46

SHA256
3d441c08f21d12d17673ce667056c2f2abf311acb709c03d3b0d5ba49235ca87

SHA512
852229e261b1381a32fe366d3b9d424fbd4c72aa9e9d0384c28352f4bb95dd262f3a2b31863cf93dc067948cab63625efd3064d3bcd0aa0b62beda1149c19168

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

Filesize
10KB

MD5
d506dfd48f9320e1d76f8a424895948b

SHA1
d2afaa7805e5cf1eb36071c3c7e8d3740090e7de

SHA256
9423ac68b9b1f73b1e21a272e71fdd964fba66b4d38075b1ae6c14d0df41f304

SHA512
357316ebcdf7adde64477bd8e03e59ce30845df0086ed4db0e8e830d8c83b3a2fdfff620c9941d45c5ab6ce8916f00223ea197e415ae10f4ce444192ff07c34c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

Filesize
20KB

MD5
3fe9e368e3c1a5df09b6c11ed14a0992

SHA1
bcc92d129f4d333ec384477ceb598b0afaf160c3

SHA256
a9265d39e40b08bb017b177c1265161eb14a5a73f0192397f47e358056a3730f

SHA512
e120df1b5c15e19ce37a1cc026f6decfbfce20f838f9eedc8907af27d4f7dc5b17adb703fa11b363c253a0b47ae15bab2e9b5486fb2593efb260eb7fca922148

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
55f71ac471b90a3db761b1716023da11

SHA1
93aae17124033c16a30606fd17a75cbbd5f13c4e

SHA256
284325923d2048bbb88dfd813187c644b185d4cdc39054af3c13bf02215a8914

SHA512
5b9627deb5a11f35e3e6f78d065bec4d5b265e977c8965904ca2ff81bfb8bd077bcf3753408e6dcd27392297a47b4b7a85627639dfa4320adcfbbce56cb53ca4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
198668642c6b93ced9970253031b3619

SHA1
f6ab8381ffa156b5badd1a7a4d09aa77fa881088

SHA256
8c30a169c9b9de544d982e9f062a55184f574a600eadea1a2d9518fe10ce54eb

SHA512
dfb116df9c139341ba53cf1f30ad9dafbb5e63ee2692fdc10da3dd42fa7d7bebe76f86f22972e561f26a454cd693926558c19731365e40e5969a6542012b116e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

Filesize
2KB

MD5
1fd9b4e1e668af864b212bbc8638008c

SHA1
4349b3e2f8bdcf285ecf36628abfa1f57d09d1ff

SHA256
ab3aac08116d1ec770bc2f35a8ca748bb7076dce611ddfa9342670b7d2a5160f

SHA512
118b2ff9ffaa532f7aa483ec3172b0972e0a89975184b66e4014d7d0a4ce5d692633c08052e57338c0c52b86cd8417527347321e050611442074db4018c19159

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
7433a1d93edfc556d4c790205ae85d03

SHA1
6e078a9778698340f8c5732f26edc8a249d8ff0a

SHA256
ec79900c0b8bd52e785407113fa15e1abdf3fb2e94b04e74b882486197b4924f

SHA512
1f3cd32d7e71229e86cf3957348b72ce8aa3186dfc0c6aae40237c45ddb8625efe6fec1bd529201f2d8914d1a5ee22107d134e0bfbecaba7a85914b1f16dae67

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
37c028383f825338b07fed6c77891ca0

SHA1
94bb51731913d7a6a4713504729fbde10bd53ab4

SHA256
2ca6d125f1f2380248c5944e5f272ea8a5ea010634699956154080048c7ad7bb

SHA512
72a556341b306dadc8468d2119f706369cc501db4362487f6b97cd46e40c5e89b72336b7471e6b54da7a1ca0cc8eaa57bba9de0e5db51a853c29f5865a94e837

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

Filesize
6KB

MD5
4aeb3a554d70ccb7eb87509c8ee021c2

SHA1
8440dbf901affa7244c07a7352517f7a9219ba44

SHA256
9263ceae5b86f2c00acf3bd0aa1027fbfd4ab5b52b8ffbdbf5a8a34de1dc2013

SHA512
0a1eba6e7f366922ef085a9890a274794912def97803180fcde8de54eadf59daca1c2b011a7d23c78a09a3dc4a9892a3e978387c87f7edb06f50fa62ab05d637

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
a9fdb428e0bf9dd7e7902bc004d5a3b3

SHA1
9d230367e2ce5372929c2359042f4df814c9a2da

SHA256
9bc69bf9756da8e85d82558df881f7b3cfee5edb8d213d69a4b8da520dbdf0ff

SHA512
1c6c6487a835db0f8e2df21b87ebeccdd786294e1e9727ff0fdffcb78dd5bc4429021ceefd4564ad540c142586cec5861de492ec8632fe07c45750c9a9db0c54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
81f5ab81352e2aec0013029ced2bac13

SHA1
b01abbd16789b4e0813587f46eec719e610fcf98

SHA256
f6844e7998257a408fb7f49448c0d28f2b6992c33874ce0af4212eae526e836f

SHA512
2648c41e3356b5794deb75ee200f7c423e3931b17a79791dc5916e0b8d15e76bb4603e83226a8b1b98b8b3c430c6a23bba1ad0ce5e79f26e4b48c1ac5c9de55e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
6214137d88101f25497c1cde84420c9f

SHA1
5f15a3a0dd18dd62ba1ef4e0534390d4cd712f21

SHA256
b64d94f9dbbf133ab91b4a8bad323963ac7569b5eb258c43b6092ee6870807f0

SHA512
69105971973e57d9faafcc3d9fa953a56ae518c808f11a1fb435bf486320a90ea6a0b3dc7cbbe3d3450e4fbb711b68006ecaa2649aa5db6fce7ba0062610ef2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg

Filesize
19KB

MD5
bc82a1aeb9cf55e865a1d471e5077a55

SHA1
a0d8e7b49a282e541666c78f48593143cc921d2b

SHA256
d0a2101c37f0b7ab69fe10e606ab86223a8ed12d7d5ae4c7d30212b0ed4b5455

SHA512
dcfb9ff2bef2334df42b0319e7abe9c6de3e775769aeeeaae432c4f74aab922c28602ba606b7913773e144ef98f3eda780ab0425b22d012b1efe7c86625d1721

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg

Filesize
27KB

MD5
fdac7327af282c02fd022690fa94c517

SHA1
740d7882a522ee5b081e7aafe4c6e618339692b7

SHA256
2090227d834a9b805ffe8219e59eaa840e2113a4631711f9f4143cf95845a464

SHA512
efd4b882732191c0968cd1767b4bfa3bb1ddad5bde9a67519741befd2ab60689d1b50bbceaaee62d81cd67c0a9ca42231152b9f604d3454fa9b11987d09d6f60

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_it_135x40.svg

Filesize
21KB

MD5
339187502de923a043fefe2913cfcd38

SHA1
ff8a38498a1e6aabcec308d8d452b29033cd416e

SHA256
eb907c98075a598cabfd1e861697e22b15899a3bf0112dc71fbd0fef11087619

SHA512
62e9545e3c63f3b82b9389554f2d8ed6612118527603283541a59fd175e81475959ad18695de5c06da5b196edcc563a62b79a64128197f61cd3aa5d55968118d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg

Filesize
18KB

MD5
efa97d5b349f3cf3b9fe7202fd2928e5

SHA1
daf783de99096de1b1f7d8086f532b2c385d88a5

SHA256
13ea417d67498dd52157b5ce1e86a4d1ceb2f3c751a133175b8ef71852ec42d6

SHA512
b4ec37534b3a607fab9e85759d4762991563e5a6e6f1a4797a3be2e3f9c066a5b9c27fdfe8ad8bdc11df50d132cd4b1409d23b91972d6c155519ef36b6da0764

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg

Filesize
18KB

MD5
468013524b449a54e9a7051923f7e3a9

SHA1
10ee606f83a848aa0104d080be4982a8c115e9a8

SHA256
1893af8617260a5140bbfda591d329c1d3664910e347d73299e71304d84a2742

SHA512
5407414afbdb22021795c915d6e3a237f5bd7a90a16eb5e1fdc0be0273666087dfd52a7847c9a9872bce89925f8cc4674f6590f9103a6c0f2033fa1ceff05c8b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg

Filesize
21KB

MD5
861c9f0c8cf5ed621633ebda84716282

SHA1
c8d30f9a756a6b2b57b429d58f7ca5cc192c2bd2

SHA256
a7b3cff81fe4627cdd0adf1ff5e1637a6bb59236e3e64c522866ac155605a36d

SHA512
b37b32a487333e282db3d50c6e547d57fa71084bf2fb86480079a6e34ff9377e33a3a88bb29e3f71acf8d29e8845558f7e08bf18da96ca9a19c9e2ae3e9f2bd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg

Filesize
19KB

MD5
8bc280d01132dfcd3f6e14ae95cc60d9

SHA1
feec9bfafb9d5a97a1289c32701c4595c90ffe77

SHA256
aa347972da5f5e2e8546840ff3eae24592b2ce6814a2e3d2c80baf0960cf62b9

SHA512
6512c9324a2ae4dab3f939fb8fcf8760ca4d60b447f7db039b289f87c068984432e650f7daeeab49772924f6d78a13125584cfbc55e579362edd7155c499b888

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg

Filesize
20KB

MD5
0061d6d77160fc6da054b76adcaf636e

SHA1
ef038a56f5b4f78ece84a8f1bb59f67d138f1de0

SHA256
86fb03c1c636cdf3912c4a9dd7350b73d737261e4a72d06efe5885d1a086c14e

SHA512
b4303f0ea89ec4eb80d5bf3fca400e3b21ed6e01d4378d7f02918df9579cd81bd4371b5cb107681ebf9926ca0d9e3cd7055f6895057624d8b397aec934bbbaf3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg

Filesize
24KB

MD5
99fe41938be9228bbf294fd4ffa9ae4c

SHA1
f806cb0818bb71b90019519183e8b41719668521

SHA256
ac6f29a6d2259f47a66ea4ff95f5e3cf165c00f44b27a8d50830229810968a49

SHA512
79ea235e21dacf807e48643fc1015c471412cc84a014d836ddfd837f4addea9f8aaa941c3ad38fc4177cc6bed24c6383734ddd96b347aeb3d2c34d5b6466c01f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg

Filesize
18KB

MD5
6111c48142f60af252e50ad354860ce8

SHA1
102fb7204d599d1336bdb54d094244f473eebe23

SHA256
47c2e53942b749b98f501924f7e5f6399ce905d0121b239cd509bb8c2e93dd62

SHA512
fdf3d773dd96524be801790cf57bd3bafed916f77cc81bc246f41cb98f7967559e5d150eed94b9ad367d9dbf177c0d5c75cf5f07ecd61f91094f87de7d6c142b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_tr_135x40.svg

Filesize
22KB

MD5
c2a6ddf1b7c4868f4e86f1348d2271c5

SHA1
95cc364f867e92a75b4ddfe32c04eeeb401dbc98

SHA256
e23ada3d4a531592eebbaf3e94377b8f00f10bdcc4e9f4ba2e019aaa4ed4c45e

SHA512
f1756681e13fb8e77b1e9953edd488daa1f590c69100dbcbc4312c046f8bf3d2dba547b816eaf22ed2a4ddd0c916f0515860d2f28cf644b47624dcfdd27aa682

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg

Filesize
15KB

MD5
1f8da8318c8747a7b95b061976e89b78

SHA1
7586732343210b03aa3be7f4f802d8f9a7397f22

SHA256
8524145a3ec054f6cdbcfd0f7353f7472944e4023fb271139dee087c4214eef2

SHA512
685c56f41d25b6b1426c2ad01bfb70bd937c2a675bfe3111bc7dfe391039f42431505e5eb69b740c2284b17dd2426179689dea9524615ef986faef546eed14ae

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg

Filesize
16KB

MD5
aa385688837b327a005035b6860b73e7

SHA1
7a07fe110121555def49cc8fafa673c3ec2cc61f

SHA256
9026e8a2f8324a0b899ccacf91227c478cc56a0915eed0ac8586be633b7e8c15

SHA512
5b2e195fdc128ae1b6c0df9651d03365b70a0e937a71320c30beda6bd9c01c7545c5bc1551d97f6b8a7e4a03d6581968a982fc5b5267579f3469112d6bb288bd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\es-419_get.svg

Filesize
8KB

MD5
5dab945ec53a9a4e6de745a8e3e7fe0d

SHA1
afb57b1d3ce6315f17b1bdbf4e27537780cc9c49

SHA256
44fde459e9f986fa2b3eef3dd2c47c445c830352b5169527fd70860072d236ff

SHA512
c905dd4e1a0b02b155dce6679cb3d68f03b72d5dcdb0fdc285b44e91cbacf6f9f2f7ee67cfdcbb94faa96484e5b146a71ba13d226a0b8efc3fa552051e88f708

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg

Filesize
6KB

MD5
284949b061d1ded89f5b6befbaab07af

SHA1
ccd11f0d082d9d0300d0a465451cac1e5536eef8

SHA256
3e61afd9bab7dce68c8daaecf4d0832135d07742055b94dbafc531caf48639ec

SHA512
b085ce5d922cac19f02335afe6cb56bafe8a7a0635ab8768edb391d045c6a58e5883eb3fd73ba1af9e8069292eddbffdf11121caa6372fd29648550997b942b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg.itlock4

Filesize
9KB

MD5
111899ec938a6f60494827580929ff10

SHA1
a2370ca6142ba72886679c4732d7bace6af8d440

SHA256
0d50b3b18576569056afa48aec6bc0e5387186af46634bd263f229164d86126c

SHA512
a6b60c68bd84455630439cb176bdbe4466c12c2b62411417ad771126c623a4a132c8f2951d86b15a91d1fd3c2b0ed657adee059e5fa9c5f8371091ea19448013

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg

Filesize
8KB

MD5
24d5b06dd79f967562a4731cf4a69da2

SHA1
db8af277770501f15d63d215d6c9ba8dfb004f9c

SHA256
b895c6ed5e66102ea218841378b90117a94da8f8213edb3b51052fda87919479

SHA512
8e15abb3e2704465b469ce168bec74f34f438c2ce3cf897311a8d9f2d7821a836825b9824ae95c2eb6b4b90b1aafd9bce409fbdb7e0ea75bfe448e089799a462

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg

Filesize
7KB

MD5
3694f853aed8b02cb94f24616b868218

SHA1
2f9c2afd8f65f705aa1ccb4ea6dbdbfe3eff2847

SHA256
e295a366ae6514f3d59495dd2b793bde655a58ddf3052a839c697a4d5a228272

SHA512
bcf369ce6eefd7c2cc7e16b0ff3ee8437f1c45dbba6dd21da29fd4331b45b81417d84fc2e35ea6c9bc7f8b07d4f6fa5e5af5081bee9c3953999a2380935f06e5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg

Filesize
8KB

MD5
d252bb2d205f1289cebc86b41e4039f5

SHA1
0e54d555ecd47b3864e8c361af77141a4f0ae768

SHA256
08b13d1def0524ba7e0b4c3b90b4781959f002bf1e375da83b2e4615fb19cb46

SHA512
dc33b509ee26c1527fe988174ce34e5e8913a5c2e11993ea9293b9a6b74307b44de6bf4349d4e7b642f7c3bd0d9c0116e6a0d740eff4356e83946d9920ec5256

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg

Filesize
7KB

MD5
71db77dd915a3f1f68413e73b1b284bc

SHA1
f4334255d28589eae76d618508f4f4abb12cf3c8

SHA256
2186e61aa0e0073b5c89ecae920e9aa8a89e6901918bf21a7dc09646bd3c4d3a

SHA512
f8d171144fb15de92fa61029f9209485f3f375305bade9eea8911f225baa9e270e7b4e6d0429ee68221ceb92f09a5296d30c962400bda351f3f46403f202561d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg

Filesize
8KB

MD5
39ab3912cdfb2dbe1ef7024b92baf384

SHA1
b79357282283579665c10a71c9716f5908b57bf5

SHA256
11e4db33f49221248d4d84bfcf77d23159547ad310cbe36eab19a17de745feb2

SHA512
baa03e6778a7d8a939ac0396916344fcda5dd2539a2e15f3eb447d4be28d997762bcea6ecb6b7dc365004e05940c158f5480bda957c3d69b1da72c24c27c71ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg

Filesize
7KB

MD5
823e11c0d551e11a4d2e9fdff78fdc9d

SHA1
948b8038a5c399db12d4a07cb4da6e94336c829e

SHA256
76efda7224968aba314b482b024dc151cdf06f4b0748d56711ba6d63ba06d503

SHA512
8d9b06da59231a88baedeb469276e98511d2b7f845687236b917d092788b1d4504efb190493ac6e74b73bc2d2ccc70fae9b804355727c5009e2fc69380f58c20

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sv_get.svg

Filesize
7KB

MD5
2cf39c9ccd29d6a6b5fb3089649bd9bb

SHA1
aeebcb2b1314a02250e0858f52c05c556bd35b23

SHA256
6efbc73dfdf5538e5ac257abd7b0924618c803ab1cb312c20f71cadbc0b368ed

SHA512
3f5e24f6046382b322436677b6740393c3e327100dfd95a39002578d15bf62f9bc4bca36fa3434d5445441df8ecdf4dc4a110ec2db511c53cc0bcca30afb3fae

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\tr_get.svg

Filesize
6KB

MD5
2cae7e4178e95db9a1bcd3f874c7bab0

SHA1
c402caf4989d77f5c91f0496565398fbc10fc66e

SHA256
3119895450db97f3ed20462c99eb959ca5106c301f61f778087b614e76c2da6b

SHA512
5e4013b3a5a3c18071cce01bd16ab0d76cc294d7ed743c1369ffd0303d5241cfd7fc142d1ea0a4ccb259f3951f7ccfbefa8f4a6ff4f5497f4775fe62148217a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg

Filesize
8KB

MD5
7bd47132bb6ecbbe7b676a2cb31ecf54

SHA1
559505b4f4234feb884ae7c32e0fdbb34e902c39

SHA256
f3ea68c4b0b21a9d1e6dc3fad981baef4632d29bf232e7df30018ebcbdf25eb5

SHA512
5f1fdb6b21c6191a10b00c9f78d6c3d2538ee04fcc7375518cbfa963a88e7f4d9a0f501fe4924bc9908f2c9d09cb83174591903c012b3e2760f240c8c4230202

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg

Filesize
7KB

MD5
23347167ed6cf5dadadde2acccf9a6b1

SHA1
0b6b4ec0877abe9c6336d6a47857674dbda16d16

SHA256
03b006782d3c62a9dee98f4e8b71648e0e38c08fe96b80e0f92b3ead19123766

SHA512
b8219802c57d18d21267fadfb6abcb81917c07b7bd73976e5a3e66b7a707d86dd57e31da3ebf50362af2497aaff16d9571de62ab1aeb1c568cb39c25d227d835

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
89bce5fc199afc92f0476d94f7634055

SHA1
45a9ace3cd54c4323b71ac607d3b15d2b2a18a97

SHA256
1ae7d9bc532eee698aa57250b76801886587cc735a51c30d2497dbafcd0a3514

SHA512
28b8a1339e57b39367dc9021b6aa3e9a9ae61c5a7208b8a815a6be15393660544da96f11d6580faae1c522c4c52fb8e3e9fa87d410d27795cdf03f8950e622b4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
6f8ec703d41118d2efbc9e2ce79b4f88

SHA1
4fa7175857bcf04789e49635ed5d0e474acd56dd

SHA256
824032b9d8dcd25b5eb950e20a7ca2453f732c0f6384b7c449ffb516f5b75df7

SHA512
45ec7dfe0511d60feb8b32126f21b2c0a46cad649d0fef759c901eb6e8f2976a6cc3150c67d0ec5834272d3c89f7010aa1c30e807f46024d60723a4097a49ff5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
1fe9c442c6516f0365e5d21db8644081

SHA1
efc8c941049e79787851086ad505a1bf90b6c996

SHA256
073e283726ef262435b26ac938cd867b2e5f31278e4f78a44c54662315a3b52e

SHA512
19b6033cabd4d79cfaf4e56e6d1a9c6217863251ab91fcde9a6b041294fe11b7d7fa09500ff0f791cab5ec7624f0aed6bf85b792b82cb7072977568920b3516a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
8beda0cecdb6471445880b41929433b1

SHA1
650ea92835bd26d38ded4df8bfc6f0de491c8aa1

SHA256
14d3ba040b0fd4a0230aded549686b2a0bc5839fe0765d64e7199ea6d15ee1c0

SHA512
4d30689f3c3b77d05c8c6d511d83a15b50dd499b6562d4d472b6e1eb92567ef03706e5810e13ca51aea05e8baf4ad11533364ea5e57a9c0af2cfe2bf19cfd029

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
514402421a861be7736bb2d0554f4ca3

SHA1
8cecad7aa17c8bb9d0363156eafd6b933da9f685

SHA256
61011ef7da194080234d3e4f4453454e22c0ad38200aa9a1aa7c45ab76eef816

SHA512
5c08f456f14e08f2a43e70434aa5ca6a888975672ff84a949b403628e3eac3caff96ddeade2ee24821ae2f6340f07bc44ded6fe0bb6dc3369c42e4201ae40874

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
3516946c2f0c2babdf65c376076f80d3

SHA1
c3eb1929c486040c01e4b6121ea8f842525e806d

SHA256
6c62bb3fc501a27e503b1d52f33c61567c3c0b9541db6e433dc808d2a116cba8

SHA512
ca1526938c79f636eff48a7bb4c180746156c27751bdceee9bfeb34d34cfb4ac8d1f7d173fea47c3408f886234f43c6872e812780b2a7b548284ca18abe40e27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js

Filesize
15KB

MD5
1034736f9b92fa2ca5dd8afd15dc7ead

SHA1
196334971c5e1e25f93f887f1d069464447bfe29

SHA256
8dc79b2638e28138138d1878dade9484a8977364401300c36d115f291f5b1665

SHA512
476aefc3f5f11af45b608fdd23a055499c85edc4d7c81ed5a1ed4a67d0b959214031822e11ab6053dfcf101110d7c4fb0e5f25dcdf5a3c200e85c81105b54b4b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js

Filesize
2KB

MD5
2c285be762a69d377a3d21ce8df9de7e

SHA1
94f86bdc29aa50135e1a489f13fe44e0031b95dd

SHA256
450c2eb9b90dfeb19177ce5cbd1bbb1fc24ef98ac0a558e693dc57aa61dca00a

SHA512
b4e6254d27dc83ae22ffb50844274d72a1686b982843d938ef0fbb56107df5709abb7f97459286cff21677987c9f4bb74205d896eb8147b959599a30bc955930

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
4KB

MD5
c1750670a32fc493458459a170d806c7

SHA1
72abc45efa0d8ab4645c9a3bf94baa6a4d15ca81

SHA256
1989057dce0292cf1a2e75eea6eb246c74574108adba4012eea10b1cc372a9ba

SHA512
466cc140c1bc8b8366f317561ad3a1193dc8d83fb3c2416c426cfe4631cc1352b8784345720bc26214b625c94f2b7cec0b3113cd6ac0f8427f49757bc17368e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
3KB

MD5
89c10320b3db9a939d1c3f66f2862df3

SHA1
e29e3d7d92a2f87b185011f2cb71373190e16eda

SHA256
9e1fa1fed737aa57d3913df421bf61c67a7827ca5031f881184ca5658bb7049e

SHA512
f8940bf0ba844dc4c86cac2c394d813c83297f63a174546a7fd63e603ae8b0db38335bcc1f69e9be37ad61828cb89b1be199effa75edb6a40e8acbac1e64bb4b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
6KB

MD5
45c9b808370622c9e6bfe680e4b11e4f

SHA1
065cb8685f49f905e66640c0981197e7ab1cf1db

SHA256
fea0581324722e658a98bf09fb6a20573e3393924104fced77bb37bd6abac925

SHA512
65a7a953851eb38a40165efc2e6db2dfcf9a6b573c3d74baf8dc468d498d56041f86caab6ef5dea43b5e8d8cb1238ae26696ddbabfe3e6b257ea5322d5c66c1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png

Filesize
1KB

MD5
7824b2b19139a2011d8392b30f37822c

SHA1
eb767578c47dd346938141ef6c73fc7e5e7cc792

SHA256
3510ac272406de1d54af1935128ab5f1b31c6b66e1d8fa2f9ba0101a3766b413

SHA512
d48bd65988366a23068134b0a60ea09d8ff83230dc00f7549023edfdb941acd845374bcbea6abc3172f6492092c6e3ae79c8ffef2bbe4fbdd04c8548e5e799ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
1KB

MD5
1294326d62631ee14ec03aa415898b7f

SHA1
5e06f2ab5fcac74b2e0ad4be39b1f58baa2a4d5c

SHA256
6461f675d3cd448066231baf2eb4f1d3e780ee4c3db188fb4e15c68018378227

SHA512
98bf7ae66515fe362f50ef36c9ae5ae79a576a78a61f083d415b9d8f7c7509c4e4c6d9f3af39bef02feac151e5c8cb0f6f99e6bcec882056ce20cc5932c72c5c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
2KB

MD5
e0d4cb7e0998f74063b28eb422f15424

SHA1
8da6fe89685b3bcfc16ef0ae474aba68e1881683

SHA256
ec30786c29bc8a83bf22b8beb6bcc5656c8d9300bf73407c325f07776955ce01

SHA512
30194845cb28982f50e13cfc8ff1ebf6ce971f0ad438c2f270245ab5ce68be7c06a801c89be02787c651ad2cd433681beef58cd958a1d22d0a76ed6fc32c9810

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
2KB

MD5
340a9771d158d4f12a07ff78f020216e

SHA1
43dae3d673d698387de45559a051dcfbeb26d8ce

SHA256
dca2254cd6f2288a6cd3df222ffe1048349db86b85b0341b1942d7fffd71bcf8

SHA512
ab99ca71b869845a35fbd244955ff43d87aecec74baa0c40c016c81925345ab949351402970a0d8360928aa840a7b97e4f16d21dc58b23fc345dafbf97533036

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
4KB

MD5
b50b771114c096c763ace941b52689f7

SHA1
3bba060768d6b6bb54e7465f4a2fdae1ef7c69ec

SHA256
738d8b2a64a8348f27d6c702cb785294921b94d4bb853c2e253616ef0c3f5a3c

SHA512
b2c128335550e9411a818e7c41641e6630eebcc420688855e7fa683ea51fc725719cb011d2c8cc09cdca73e9cb38bdaec8fd22099fc4d8de15ca797aa23e879b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
e6210c08c8ce5adcef6e86fa5ee867ef

SHA1
445cafc0da0c98f6097027d29ce6cb4103e399bf

SHA256
42371327031077d6b18eaf84271c6cd5376bfe8e1e25b45e53bc095ac6270292

SHA512
16992fc858059f66b7d22a6dc29ff65c5d7948879ad766833eff83f5d6d0d0e14bb3237a7bbc337cf6782a1cc6aa69ada5b41499c3368e4fa8be6f9a8225b3ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
f1af72d0f485e887a19043bb00c99106

SHA1
61b1da39f0b5246f27bfa7d5d2aad8a63bd9270c

SHA256
7ee197a651883abe7277963ce3f1fb95af6fe079392a2f0da0cd6c0703711ff0

SHA512
7b5c877ca25a71b5082c31f9c7a50e94cc53c39a539c982478dbec3be8cbb301994154fdf82992c18649fb92965f6bd53a5c6549420d3365934e37d0c56da5df

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js

Filesize
19KB

MD5
6fc58266093548ad412d6f7ef5c4dda4

SHA1
e136c1fea15d90dbdd403cb3ce27b46dfa82b825

SHA256
3153782b6864159bef8f47685ddf1b4dd67bd35bc43eb2fccca54d8292ee7c4f

SHA512
6bc683e1cb4769e56f00fcd141667ab3d46f4319bc1f264671fdaf5170624bb0fe679043e2cfcab6f507fa37aeaaef6e74b4a7c26ef2952497af9005df1657f7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
749b5076517379a2284e7d159f336629

SHA1
7753607010363c33ffb4c0d0bdeebabb0ac48228

SHA256
af9b14af5f7eefa82cc777436eb70faf2737de5cad9dbbd4b2def244a4c4f431

SHA512
ee5d05f2411e5af6362a429d0102959ccd37b30564ff3647b74e069d6ad58e57707a1521b40f97d25952ab7c5177a14fa0424075b460f7a92103484f49a34ab0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
53a908c950e249a644a640ab4e99f75a

SHA1
6b4c510e62cc383ef97a450a6020aab01302c3c7

SHA256
e0684dca6b1fe139b1fd32a866544b107f8cf324d04198605757866739ce63c7

SHA512
0b0640e40b01cb28f954bab3e42f9166b30751adcfbf182a4864a9781058fcbded9fa3020aa5b73a5d1264d051d589d1cbb2c971112e97128a44820877e42dfc

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
34KB

MD5
f0e815a00f0bd502ce1cb4b0c22d1f61

SHA1
0628bfc0eaef73c2e0b67eda2036fbf82968a170

SHA256
e4723f810e15f1dd9c5f0b282edc72e0e7aa4d84ca935dde12e4e76140798b3b

SHA512
42d0c90cd171f822f7487d66b2b0d9b5d0d4a760a97242e99b67d2b0141b39ebb363e7bebd1874aba6e3ae0be491def3bd95f366c8929695d61accd3a8a04d7e

Download Submit
C:\Program Files\How_to_back_files.html

Filesize
5KB

MD5
22fb04c5256c2c114dc4012a40b2a1a0

SHA1
ee65d946d8b2d88ac7a9083761d9b7e370c9d926

SHA256
8f27562db94adcd921738571727b4a9d2da6c969c18e71d5a1adfc96d37d7542

SHA512
947dc489bfc139ff35b1c2f152e28d2e8193ba2cef31ae3445719b6bf9ffa764c1d14f641aefe4aced6b1bb8e46bf9d55347a99da8092aea557dfa00267ef549

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
6a07327a0f62702716efd050ac53d8ff

SHA1
408499b0f0cd2ba582ed7f52ec09dfde47a2acd4

SHA256
3aa132c25b3f3f41df78672a7c602e770c24227042592144320991be10e4af4f

SHA512
a059a9e8af97365babbf84dbced4229b57b589f90024936b2800a96eba7fb8c6bbfb0a18d8c82fc9b7910a35c4f6fbb70ca98ebcde9aaa51dcdbee0bd98fdd1d

Download Submit
C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties

Filesize
5KB

MD5
0908eb374dd9bc92f70d676da69d4a18

SHA1
ee5e72af72575df23ce38bdc181e20165180ec6a

SHA256
ecef6ce2aa19a303e9a7058e8af88440bdcedde76529e7cdfa9ec1a652b9ecd3

SHA512
afcaf33e213347c3ae2b3eb8fdd1e4681a396ae01bf11801734a7f5318522cf03f9245b9a6ce30c38c6d7c05f42eb2af8218d2c016e679b17047da4bb60d497f

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
20ff891adee94465e0ec7eb1e73aa214

SHA1
eca12cef4623f6bba190822b4f90388c920d42d1

SHA256
562c60d84a5242396ba96761ec0b61de04e668dfa41bd88f23ab5377774d6f15

SHA512
f1b9dde545cd6930018a44ef2636c0204fada376a133cd89a542a0b8e02f52b6140d4b7497e6b9675ac115d3d900ae6bbdf2b73410bdfbed438fccc5e0c4da0b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
46387308a30f3f343c6f37735b28264a

SHA1
a3593d87d3fb0521d449038f602fc6823b3ef07a

SHA256
7a926254ffc4fe3648cbd12819571b7bee4b0c10000d5c7ee8566f88a6527c39

SHA512
94a9c3232867465f32fdc0fe445cf3ad08558bda22a9723122df81ab3d3dcdc9c25c1e66f3e29c249b89034c463dbdf2f6e354172fcb908501d8a5712935059a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK

Filesize
1KB

MD5
f4f0b8c8aa23aadc765c29891cad8d83

SHA1
327d070115610476ea6a114c8e9a599b66829bd0

SHA256
bb3971e74ce755ae12901d1aee721363bc4cdf0e1438a7f137e5e3afd5b86635

SHA512
89ed5fef4c7161e4dfa256eeb01c975c9643882c1626f45e173f5741b7d1129d07b80de03fbcdcb9383a17a6653a473ea8a4408210e818de5e1c55a97a8279f3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

Filesize
1KB

MD5
f7573f9e5ead6d16aa4d550c96245e07

SHA1
1c343792c19d50b2ebe84ac259917f7412304a71

SHA256
ea0b3cbe2ba7bac865f3da930c55c20cc30d28de9f485126f16dfe602f970bed

SHA512
1cf30b73fdacc8566989998488a5983dced7ed6b12be3b65ddfc7f506af137fd2a4d96a0f82fc62337bc77ab12ef6c9a666856dde4d080539e8155584324f405

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
55b723857054db2fc8f88ac9a6391f73

SHA1
7740424c321b3088560e3fade4c5fac0e0d54b26

SHA256
791c4190b15f163560c11ad8d451df54a6446326521b7bab7c4496e91a7407d3

SHA512
68a7ca1523c16629076ce8e756a6806ef9fea8f9f0ab44dc0de97638c8bd35637b489609c0ace7fc713baf6b9171e1db4384d1961b804422678085f2831b1ed5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
246KB

MD5
0f0c0041082bbd737d897b18e42aefa5

SHA1
07b365ce4cc06f54ac564b1e59f9850a8478effb

SHA256
f32649deb00e318643fe905be0a4ad68d7ddba93b14ff22d92227e5b3051878c

SHA512
b53b6746d9d36ff1bc0486b7f95ddf282395c580b6ad81e4ab0f777c9df413e8ac5a459f9ef121fd513cab5c98932a3114ebcd70d18961d30a4becd1bc24a8bc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
1KB

MD5
daa95f18afdc02e5abf37f25e6fc362b

SHA1
bcd0958d85f897ac1bba3498b90990d0f558b237

SHA256
00623f5d45274d052b39bc80789a7069f757cca79a285461c614ed7726375dc1

SHA512
f0aa4e26d35e74fe99e9b43472a932b3ea12e237d4906c65ab46215f222fb66138469df269c85cf9ebf1d0acd8c59c94ff1d862466be873bcf4c1c9ee22a3c2c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
3f43f302da5c50f4ee08d9ef3af87a6f

SHA1
6299c8add47e5991168eb1ccfdef7ea71b744435

SHA256
1589da10711e743a126acbca6809076dcc681106c632bc1cb893bc2a939dc896

SHA512
b5e61fc0ee5189794adf3eab4275eabb7b1cd5a4b69b17c9311ab3f7f3511f5c40659481aac146e4dc81740bf8600f35a5012f91ab27d5f3d8f79443db053c94

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl

Filesize
32KB

MD5
b0f04b928a0160fcb6fa8a35d8d949cb

SHA1
6c5d92a384b9c83cc21915807df02a8a2532b4c0

SHA256
df8e87c26d6d3ccff3a1db4d3c098f7d96a06fb98edea3d6dab5453ff274a29e

SHA512
5b80252e35df6cc43d705562314a4186dc0e92dd1239f34bac5accea8336febdac9432f97525221b79c2364033a42b68ac252e5eb7bf1259ab9ea939e3e32a28

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl

Filesize
31KB

MD5
0836635d733f6a4ec47466e4f9f07b21

SHA1
01e92ea97f76872819bee8ca375c25a314c67f9e

SHA256
7a0a4dfbd0c08792c1901da9418fced098de42a13e8f6432cddb49c2372a9f23

SHA512
6e824e4ed4d3682f8342aaaa3b6deb9211f310ee2c151d828b081891e1d1a60ae5acf02286440d8bc4c6962a6414353f82cae2bb146e19a16e02b06d5feb3fd2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl

Filesize
31KB

MD5
1fcba46ad2b246b254d9d4b058be5116

SHA1
bfafec2db4a170be0434869ef3a095c819d86ab8

SHA256
3e40f291d845ab4aeff7303cb71f9c05e7c40c245f35cc5d1e1da7bf6fc2d1bf

SHA512
304a334dd8b0b27ff4dfafd087a4d63ff40e2749bc3cb28e621a7e3f578f8c645157790c3de15b1323e88d02dd2f9fa25f0a8cded49cab14cbe4ee944f554ca1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl

Filesize
35KB

MD5
312020ceb65c96f23afcfdd5a7b07df3

SHA1
1c6959b9bff900ac6332365dab46dea42214b210

SHA256
cc2c2f3205bd04ce9d963656689b34e57dff704479dfc945b5ba6dea86c08784

SHA512
f9c603fa9d9b5e9d79dea00e43b8205503c27ee5e4272d78a747578ce1ea64a953c0fb866c38d5b77039ee07d9801a23bb9f450d9b371afa0a60c21fa36bd716

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl

Filesize
33KB

MD5
654d8345c6cf61e74b28023aa37d9253

SHA1
4b2f5dd2fbeea7ccb27f3f1ba04242e8d934a187

SHA256
b50f6980241416da2c0364c5c5619cfc9409c0b36eeea8555ad14ac4642f3317

SHA512
667cd93ae71ef43ad09559a64ef72ec3d84be477e62873cc69202e07ff915c4e341a87f9f1dfce48ad4948a587c799994900ded3bc215c61805cd0cc72d60946

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
4c5bf3baf05dcef36eb5fb93cead68fb

SHA1
5ec7e1f961ec3166ff63eec196c3522852d19bc0

SHA256
eadc1742869e2b077109abdb7852076ffa8dc5e2d5299793bf5bdbbb446ab5f3

SHA512
3adf0050edba403b70d62e0f3f1d781bd868716ec760413fe54b606a1c12df7d82c43bfda89f860ef7955cac1a47e22c8a1e4d2dbda4045c6e816ffd92858366

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
617KB

MD5
d12e5cb29164f0b902fccf917f51cfc5

SHA1
cb01140f195d4fda56ecc19b28ff4c86588ce042

SHA256
d94fc68a0185b4ab9bc8586aa31ead9043676dd2d3b1eea0b96356740144f130

SHA512
f671e78b9851de1828721b659192884405669988adacde60c09dfaeb0411fed18eb4fbcbae2d2d1d6e2dcd5756a0cd96b69890322b26f0f763e531596dea36a0

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
c94feef082355644e788059b4e840aaf

SHA1
f8ce5674eaaf24f8c0454fae84221673b856dcef

SHA256
837ad70b84ca85a7a7d562455879b58ec3664f3f21e8cc1b783abf481196ce89

SHA512
77f2b3f009687718b5854509a58bc5edae26247e4c449c4357e8c6f04f650b498bf0c70f65ef42f2d565eebf3306c70999f81c01420b63825f75b7bf8dc115d4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Admin.dat

Filesize
1KB

MD5
7d62de3eb7fea582c9a67345bc63e252

SHA1
8f9b1ed71fb83fe11a6bab696d085b042287a430

SHA256
ca38477342876f20956da927506b824d8ac4a49105b53801da61cf8a1c0f5e18

SHA512
b643202f09bab15269d92012fbed4e68a6f6d79716c62c531f05e88bcc15e70ff4a2ca8c29796a59f3dd89a0de675635f81facf06ec02b8410cf543860529938

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.itlock4

Filesize
624KB

MD5
2fb5ca3238a5ddc478e64dc334778510

SHA1
595d4e92fce01c4006ed30605d691cb688fc3b0a

SHA256
061f7a67d2f59584c5c5a903553aac1f90d8d4e60c998fd3856632f86c9a0961

SHA512
3c5aa58685b5ee36f0236ccec2ce42fae6524da890b34d2ada4dc725956cce3f0a1f59b6895935fa580b75c5655a8114e8781880456d44b9b6519b311d2f452b

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
737KB

MD5
b5fc42cb520d8a49a037758ef41dc125

SHA1
2bf66646b2d92af1ac549cf25dca413d4f1d1908

SHA256
1020dcb16e70bc748d20d175fc36e1ff208beabbb1b466f888a33a5be521e140

SHA512
51c6e59e2a2ee03bb51ddc301eaa416091e2125160e0e593b566dd5a7cf2bad09930bb721709614bc310207b542ad99caf84459c5e27eb82d8981fe499b05856

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
0bca6a1d876b340e33a408ae75c3e714

SHA1
13c8817b79e5ca0b73c158f1bf652f532eeedca2

SHA256
7345d5ebba58d03f85702953dcb8469b354bfcfe0f3c000e4df32bc9084b0d3a

SHA512
f280442e977de5bfcd6016a6d6d021640915f22be25c8c2a7633781e1a34808f81768f0bd659c30b7bf807d83d163f9e9a67ab910658f3f3b0a6cb051a87e47e

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
0ee7fc713bfbb9c58565dd2d52fceea1

SHA1
524b1a3c042598e1cc5ddd47e85c7c08af414d34

SHA256
28ea265e00dc1d68fc155dc620d69c300996e902776b10938bbc4b913e90a9ca

SHA512
0eda71ccbafc4a22d1354f350042d5746a2172d07e877f310a6e9345cc814e41074e4091cb02d50f17e249efc1dd5612c081d4c8a21c7c0beeaff2cf31cb6fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

Filesize
1KB

MD5
593cfb44cc67fd0454524bed3aae81f6

SHA1
85be9e2df21ab90672183e9b9756511d6cc09baf

SHA256
a81e9e518eecb91053c8723935c8b820cc4406323a84f1d50f5ab2c8b9b96424

SHA512
bd08a42d73868703e535f1a15b71b3f58f697090c696d63a190f1f291d896730ed6959856e0951aefe50f43b3ae4b20305eaf942fbd7ca866f4fe195e934000d

Download Submit