blackguard | c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

Resubmissions

20-02-2024 04:33

240220-e6v9vaba5w 10

20-02-2024 04:30

240220-e42c3sah9z 10

20-02-2024 04:20

240220-eyb61aag6y 10

Analysis

max time kernel
349s
max time network
352s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UMF.Installer.exe
Size

10.4MB
MD5

5a7ecc12107019e47294f27f4d40572c
SHA1

01891d681fd8b6baa0599e335999d427e55179db
SHA256

c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9
SHA512

77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1
SSDEEP

196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

Score

10^/10

blackguard infinitylock wannacry discovery persistence ransomware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB0FF.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB0F8.tmp	[email protected]

Executes dropped EXE 11 IoCs

pid	Process
3672	taskdl.exe
4172	@[email protected]
4020	@[email protected]
2984	taskhsvc.exe
5484	@[email protected]
5560	taskdl.exe
5036	taskse.exe
5576	@[email protected]
5860	taskdl.exe
5868	taskse.exe
5876	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3440	icacls.exe
2292	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtrvezowimmiwnj209 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
43	camo.githubusercontent.com
43	raw.githubusercontent.com
57	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\vcruntime140.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\de.pak.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main.css.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\BHO\ie_to_edge_stub.exe.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\lo.pak.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ml.pak.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsuProvider.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\kk.pak.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-focus_32.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\VisualElements\Logo.png.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-hover.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ED1B096A-BFBE-44E6-BB71-13DB33EEC8E5}\chrome_installer.exe.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\hr.pak.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\acrobat_pdf.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ru.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_et.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Dev.msix.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_da.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Canary.msix.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\VisualElements\LogoBeta.png.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\ar.pak.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\sr-Cyrl-BA.pak.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\gd.pak.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ug.pak.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_FilledDot_White@1x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1473553098-1580226532-3330220195-1000\{7015EDFE-5D44-4D5C-8EB4-3E2899B20012}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5640	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
964	msedge.exe
964	msedge.exe
3200	identity_helper.exe
3200	identity_helper.exe
4332	msedge.exe
4332	msedge.exe
4628	msedge.exe
4628	msedge.exe
1428	msedge.exe
1428	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3512	msedge.exe
3512	msedge.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe
2984	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	UMF.Installer.exe
Token: SeDebugPrivilege	3860	[email protected]
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe
Token: SeBackupPrivilege	5212	vssvc.exe
Token: SeRestorePrivilege	5212	vssvc.exe
Token: SeAuditPrivilege	5212	vssvc.exe
Token: SeTcbPrivilege	5036	taskse.exe
Token: SeTcbPrivilege	5036	taskse.exe
Token: SeTcbPrivilege	5868	taskse.exe
Token: SeTcbPrivilege	5868	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4152	MiniSearchHost.exe
4172	@[email protected]
4172	@[email protected]
4020	@[email protected]
4020	@[email protected]
5452	OpenWith.exe
5484	@[email protected]
5484	@[email protected]
5576	@[email protected]
5876	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3856	2060	msedge.exe	84
PID 2060 wrote to memory of 3856	2060	msedge.exe	84
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 1484	2060	msedge.exe	86
PID 2060 wrote to memory of 964	2060	msedge.exe	85
PID 2060 wrote to memory of 964	2060	msedge.exe	85
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87
PID 2060 wrote to memory of 3816	2060	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5020	attrib.exe
2076	attrib.exe
3000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffccba33cb8,0x7ffccba33cc8,0x7ffccba33cd8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1404 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17505180125256304251,17864793725155021192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:2268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1808

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2244
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2076
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3440
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 66041708403204.bat
  2⤵
  PID:404
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3000
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4172
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:3336
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:4812
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5560
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "gtrvezowimmiwnj209" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "gtrvezowimmiwnj209" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5640
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5576
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5860
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5876

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
PID:3308
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:5020
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
16B

MD5
86cb85992f3b22ab3bfa7cc4422fe106

SHA1
639e0a4321775e2a197d2201ab85d0c3e5a25b77

SHA256
297acaa4fd9ff95566e5cda06678589a56cf47e353b29778362e9d443d3dc3ab

SHA512
e846f445282880c023c6a2788f6a9448ab71d99ee5756cbcdf8056f44b5e26d6ac50242319b79b05655e0864a825bed650f28fb257f49c97707bb414110a9000

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
720B

MD5
014c5597bc3d8e2820daad7df5a05cd4

SHA1
4afb79a449103772042d4965271379509802ff28

SHA256
218f67ba424bd78f61062e3ef87dfcd11936be4ec5837f2bc34bbb0cb144bf6d

SHA512
3f86d8decf08b8cb23abc98a90e98c3a74349ea43dcb2aac0762398457c5b9ca6a40b4cba8b4dc2e855ec5b917684d75ee75df0dd37dd842c53f599a147641d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
688B

MD5
6a954877812d74ac2759b005d9dac675

SHA1
9618c9582f5358c075c74333fa7b7201eb9fdefc

SHA256
5c01b8fb1936e20352be492c3a31daac37003af5c3cb270723fc992e404f4ba7

SHA512
46b50eff1c6efda4c89bb4e85de7d69b9bfade9cfb212e10c9f5a5694478112639077fa966c60b327cd59836a9d544340b3ea7e81f48b50688380ad8751e492f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1KB

MD5
f718a7a672d4d74a3e5a7adf42e4ffdd

SHA1
8693da6fccd76589b1ac430cef935aaafc08a57f

SHA256
842e38d490c40e68879773a2523d68e3e7a7c3f7748f0445888682031ff68a21

SHA512
29c1e85845ce6c0deaa4d2d74326bcc76cffcf352894c75f5582f03991b4d3a4589844e2955cb59aa0bdc8ed74b2b943910537fa2179c8ef26bf2403cd38d4d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
448B

MD5
cf219de626b449c43de4907487479ebe

SHA1
6334eb591079213ae4f945080187f886cfa74fd8

SHA256
5644b702ca6551b228a63ffb59df34b571e3333f65ea1fcba7b056e05961ba22

SHA512
ed00856938fc2ffd693a1aa781e4c43425cbe3becf02c499a65525278e961b647b774cb0cfea5efe3c52e562532c9f756eb9b267e09796c1ae888cbaf07f2e57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
624B

MD5
b0c4d8d025af33d0f90838b6d8e3e42c

SHA1
35e4731983b19f0dfffe7f68b46d7e2c188eba3f

SHA256
4baf27f907695d07dabb72bfa9941c71d441d329ccaf6db4ccc661da58f7a9a4

SHA512
12679fd62f06002c27870de187a8146a60b3f9692b3cb6c74c742eaa129c7be3f5a499d34a2ca867ca25cda6c349903fb1b65f059ac795f0b37f83a07735dfb4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
400B

MD5
a3a716e034a9ea8f061e00951ca27ba0

SHA1
2d6eb08e62839e9411f4fbdac9c67c4efd05071f

SHA256
e7ce93395dbd50da4726e63e8e139f4e178b751e52cb0de3c3d5e7904d1762d5

SHA512
aa46f07d507d73401080ea3d805148328a0d7648e96cd1b830badbe375a6dc477c83ce6e1a4763aeab6921da94bd927d044125cb93b019123f8ecb6cbd5aefa9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
560B

MD5
a2e23414e1de594fb221cd4c7ad2cbd7

SHA1
c25f0867219079b8e8b565e5b6a1ec84d06a42cf

SHA256
5a71267b815aea35c6c46777dbc6d0c6ac8eee678e94386ef3a4026991f96b9e

SHA512
393438594dc27a7942fd73f1a1abcbee504efd45d0b045444f35d81362c0d83d5062e420ac961844858a4af9a7a4a2ad410e928a66ef7c005e34ad5be9d614f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
400B

MD5
bc7e762e2855898cabbdd4e6712cd2ee

SHA1
ff80e90639f34d8daccd92fe4131cb2e8aaefeb1

SHA256
a01a711228aafc553930c149ee02fc8fc4f11d770f807fd4b829bdb584961594

SHA512
1dfd9e18bc39105b77dabc42be677dc86bdaab1521155944f9f2adeda72877d501f581f8c60d3d0cb57ffdcc7f3042eeb606f1035360e25eaf6dd8511227e5e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
560B

MD5
97cb5bc05edefcf1978308f51181d855

SHA1
fc2f3a3363cbaab2291a66ba3813d57adfa00b4b

SHA256
560e91d1265a33d18276f951302d52d6a643d260573c9dea1d8c18483a5d8c0f

SHA512
d2cad3326148a42ff9c3fc2a147bd5461e9aa9de023144395b431b1df6c9683c615ecaa12d1d40cc67a094f306e90ce2d944d467b7655d0b13402befdde3ceaf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
400B

MD5
578a769eb54f6330723d666ba430275b

SHA1
6ae683f2a49d44fcbff8201b4e767552b5df6ca5

SHA256
07fdbaf8ad5a0d2c37cd3c354db23305d3b5d779a95c6f37d8d955bb67d866c6

SHA512
646e4db6f65139429bace17a34d7fb8504703266ffca15e73737ad6dcd2d84c186376fa81ca125b41fe4205731c391bb8136a94094fc7137ca63c3646876c26f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
560B

MD5
d8d14a64b12dbe99181d86391bfe255a

SHA1
b60146d24fbd022851df9c5c4669ff1bd407eaaa

SHA256
a287cc7a49bc4df2a1d9884394277ae0f3980ff518d839bd3991bec2211d0cdf

SHA512
a3a14412196f1a9ba4e3e19609c5379bab66cb490b41016af687b70cac19f12e8ae276540c444bf13f1228cd4c08627ed825873a2ac4034ad32661b5bb42d592

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
7KB

MD5
6c82a70686a0e730c59e06c260e8f162

SHA1
2eca15e97cfec8336a29f71dfb118795d8e22372

SHA256
bc1c6f695c7f901f9a05dba3aac0fedf1d0e2b5d31c68381371cbb059ab5eab6

SHA512
028f09b8c669bb9f9b3e2a42225117a56a8ac0e7c7ac94cd89f35143b8f8df6b1bb7c4b0a0146cb88b9f4d742909d727a5d16d83f9d69e2779d0d645488677f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
7KB

MD5
e04a928894262cf775e26e766226f333

SHA1
7888e6e483cb67178f8adb2dfce089be7e3c9263

SHA256
085505b3199c400a86d730102b07dd02349401e18158d1783c9a096b2fb33149

SHA512
47fdb0314f00fa3f5f4d4337c9d0f595e8c764ec38698f91f90b7288c417fcf2757d0322020a2e526f79264ac7736f8dd6aa0d286192a3806ea05515251d09da

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
15KB

MD5
3f3b318cbf7de59fdd3e19bede89ad32

SHA1
f7e7edda06b5f62bd4d33d66fd97a09a07544aa3

SHA256
19417f3d56cb942e6eba8749be9eedce206bca57158a40135df34cd9e773fbfa

SHA512
32dc864f734b1f921aa7066f0b4cf1a9353a216a7cffda2764edbe6d67e30a59cb9beff8913894704264a2562a8037c2555df0c26adcda7216ac61fd935ea996

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
8KB

MD5
a823221c10d21b3024397940450ecfaf

SHA1
aec024e9a876fd80e29c35572d6868ce9bc036d3

SHA256
69944d14197dc4065f3292e971d8142f6d21fd66dfb3f7e2526dd1a05fc6b29e

SHA512
0b514f3a97f5503bc92502caa75cafe0bc5ac338e678611493c9d7268a19c9e896213cb430ee8d6719231d4109e90c9ded343a68a05641190449f0a89eac4def

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
17KB

MD5
dc7b0587759f0867cbd43b9893ceb89f

SHA1
61303055adba0411f598ce5c8e66b55e80c8eaf5

SHA256
c7ebd629d67989a95ee2ac6f14996c1bdb8121a75c2559ac899dd8d13c37e5e3

SHA512
3df102aad92e083e10c1f202dd021f4e64a7cd69fe636934a3d15c6edbc15bf6abf1b27ada63cecef4a7f998b292fd9b340c7b8a93a51d4b69cf598f2231e49d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
192B

MD5
20678e37405969f827bf79ea26e7a99f

SHA1
3a413e926081ace543666b575b407224b84b5995

SHA256
7c27ff4d6a1ad4de51fd1c33c36fe2e5a7b8bff284ba46452778db4762d86638

SHA512
81e3dd5553b3af4e865b84c237ce8d4daee43720feeb24ea2089b1dd1df91fdb2b2821f5769f1166a5cf93317d3583083cb105bbc7e81872767fdbe048756e84

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
704B

MD5
8e7e9d1a77cc590a009a8b5251b72a6e

SHA1
bbb56a5d776834246e46e5dcefa2ba73ea0f07ea

SHA256
436da5d3704558863328464771e4b0a2e3bb9387cb883acb2356864d4d7a78e8

SHA512
49c0c0d9f9d83582a039ef65ed645ca3fdd4017cee3dfdd64886e1dae0eecb9fbaa7d59da9d577286d6a65db9cdda60720564643b6ad14d9ad37b65b8355ad95

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
8KB

MD5
290ea332e934d45ac237daa0352c9f5a

SHA1
7bb67ae274fb4480b450661aec9a766ce6d06ba4

SHA256
6227654603aa41b1a012a2b5df36c6aca1006c0d5dabfb2d1474a8f80836591a

SHA512
3c690fe0ace0968c6cbb8f0b682d94673193fd7e0934877fa3f7b2cacee3f99f5da66a096818f943dc913ccb14269ea8b23dd9caf3231ef1bd22fee3ee281bbd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
19KB

MD5
c5afbfac4995f19fa4310e4da200ba8f

SHA1
0b0707ab8f5bca84e3b1b2dfcf1d12a273224b35

SHA256
8516a524c5435e6dbbe3dbf311aa3e6eb3baf9b3b6a6ac763579062bea6cdb09

SHA512
3d6060136b831e73bf787e44bb64e564f8f6b51f6415bf252e00ab196fa5a733c35e340744d0d83f003956e84c382bef6a5700b9d3cf21c93d4a44ac66409807

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
832B

MD5
908887e68690f88d5f1ff1b3b6c36b53

SHA1
9b89da4b80c1594c6a529e33fe7be6df888e5d4f

SHA256
5b247729b0a18911bf95da60e99b2b8fc0ba93a9216d0ddfc3bc25114d620555

SHA512
e16bbc2e62371cbdd8bcc65d328297b522a75fe956e3340f819a9d70f17ed1b4eeaa6b64d9c56bb1c6618cf7e9ea5596e740ecb8bb232396f74c693ca82bc52a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1KB

MD5
622ff173d59f623102599fb82796321e

SHA1
d1ff8f26bfe0b7dc4c6069e25687180c437bf5c3

SHA256
d9c603d51c39b773cd7c073d1435531e82ac1f748eef4eccafd3d58e0387f40b

SHA512
e002db69fa6bbe56337ff3d8bc716eb87a4f678bcb513724fa65d63b378cb9b0f19411246d03297c56da73d6516ba345e5e646cafecc9f4a4596fe2ef24c679d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1KB

MD5
cef3812d167984e649c36bc48ba53274

SHA1
b163aa27d194ea57127909f7425b03c4e61af92a

SHA256
3b22147f2eaf7757fcd060aa1aca7f0b65d23b3d78041408148b6c22311ba3a0

SHA512
23a331719f607730f378ca607831baf2cd7f3597b37dfc905f752fa54a1b71fe0ce64025feb69c9e5881c5ba1890bc756938f2c0ad8ed209f2c58092d55f8adf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
816B

MD5
50e8f25ce322cc7f3c47af666f26c191

SHA1
38e4f2e0f33d293f82f5f07ad8054f4bc7cf1f0f

SHA256
e7ff714b4c2c5f3965a4f79afd37a4aba55b748c78e716dc43a2633e651f0143

SHA512
2ce9f25008b7bcf2bba7db7ccff4cab5044dfd429920ea08101706a43a26318aba5ba593c00e413d7a3261f534a12baf064359e88208c74472d1c59237754b17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
2KB

MD5
fada27902512de5871d92c6d599fbd49

SHA1
1a747be68d6b233e1bfa898c283eae077a094ced

SHA256
b40463ea4f579b57093d0d56e4bf3074aa6d3e253c95facde3b2a1206208affb

SHA512
62e37abcef2d94ef1297585c6cc563e29c3c397948090c0850e75648c1862741d2a67ec82ab6fbab1e267a4584450833df9323269aab25fb2f56c53b153e6719

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
2KB

MD5
f185bbe40c3f6b6b240404fe40226723

SHA1
870b1eb33acddad45cb489cf5fec072f2be51c3d

SHA256
3b7301523b219860afa40504a1d25e4cd2f64d70f60ae1bf2ecc668871236013

SHA512
6e4a72fd63969b723460e2c71626697e9b847509c78dc29fad4154223cedab4e58baa8c42e4c8b7a77f4def27d0553b5a4df6f99081230c194b9e3e2869ab5e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
4KB

MD5
b9bc7ab5748a1f7a3b0ffe418c5e74ec

SHA1
6120a6b05b506a06a191e96923372e56abbfab6c

SHA256
4fbb124697ddc213f13b9380799ec95febc467a5cd919f1406290e7d7bf4a450

SHA512
191ea199465f845b0a823cbba629a62abcfd5d444ad304fa88bcc2d7756933c393f38131c05a6782a67ab36792068b0d77176f702217873da5b7f717e3a35f78

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
304B

MD5
71873ba529d002880bafe6dbdb04adfd

SHA1
a93ae34aec80640f83b495d33dc7cdb496c4015d

SHA256
fe7bd0a1fdc6571bfc02276bcce5767051d707b40d0168e0e717c650236f2132

SHA512
c7e68af2990ce0c53ff73cde5f419ad05752754ba4e17cb466ee1721702319b52515ec9a6cb6fe7fd620366c10fd6f745630738e4d9f2bd46f98d7db922d5860

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
400B

MD5
f75f9013c340a337528e8f0b68ac26a1

SHA1
ed6c86878ed139b8fe96464bf6520e71378474b1

SHA256
f49bd7451749818e78d00ef0faea882879ff118ffccfb4a0f9da994bfd56f7d0

SHA512
522213b32ee62bb28cf07833b16d0542f8ff94b74c0ee0bc3d5617aad9c5677cf39df8fec77d38fa0951b1d9620b6e4443025ff1f11d5b9badb3c2f73ec26166

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1008B

MD5
918c8ec833d288b1b3c9fc52ae70cf57

SHA1
0194f18bb955e6542cffe47298fe0901ecfd515c

SHA256
6b564c75f30f60ac12283d486aefbec2bb8d0c30b890fda2fc1159f70d7bee97

SHA512
e880bf1dd79ac043b0c1f124fc62e7ba489dc5f69bb1999a6dbdb11e7239b8a1653a31c098762a1c4358e85f99a6bfd7b4d456a85115bc85d2669b101c570bb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1KB

MD5
435b46f2d3826c0ec6e24d065bb08a0a

SHA1
8b56e56626062aea976400209aa4fca4e12da78d

SHA256
2394e76a001bde6f8b9347f56ddb615c1a0ac18e2c52adcb757124dc79de2664

SHA512
fd56a4f95c64e05a94510f2b948a472a66ca05b48645b20c932547a23b15d9de85ee4f6f585009f23ef7b7bb019f95af326e6293c2545568318de9e230f51c23

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
2KB

MD5
bcaa6cf05d4ceedfdbd2b2f957aece21

SHA1
8d1fc76689d3d3fe51c26444ba3a5c744ecafb4b

SHA256
a86042d28ffc6b0d5abff576909a47e8b309ffc79f248241ca2b834a7cd4ec7b

SHA512
2c9d44d010ce24756d36d9832153728b90cfe1aaf9da83cf0a12516a6f9c0b40cb759e80ae8820f6b63abc5bdcc6bdcde7293d9e405fbb6dde41cb353eb466c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
848B

MD5
77bea43e310d610fee7dd02b5092cfb4

SHA1
1bdab434f417ee6859349432c2ea00f1b822b1e2

SHA256
d35ab7a4f945a3399f131cfaa6cefe1bcfff0e05efd9f3a1c13d29ec86ff2035

SHA512
ef347e9b8bea1e68a51d99d785c43d3f02d86feb1bd343d60fcde841c72a93e632aba32a65d1bbcdc1fc243c0733fd1782324b87b1717a67b3ba5fee56de68e8

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
32KB

MD5
7b818f1001b4e4664edf285f9a1bb2c7

SHA1
ac648448e41f550596bb79efab6b27b7410fc2f5

SHA256
0fff8fcd7e707ce7d956d5d375e2e3e4e3ddc525f745864d1021688d044d1a2f

SHA512
1f3b356e37b269e04a47e5bf298e7dbdd298474a7deac9a981bd0ee57f6004c0c1aa2f715d9689def9afb89721df5c820370d7a71d268d3da5177f57d424f177

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
48B

MD5
4a955a44fe19c61cfca34efd70b82285

SHA1
09977ef31c818e91a0abe86b809860d28ab2867e

SHA256
3132d2092e6ea9e6c27e75e71eda287c2028744fe6674fe87cb7280aa60733cd

SHA512
bfe5996f3696340c76c9c673d2e368baaa740a7c003483c67b4346d6010e39f7ff2dd826166220275baf3b47266448a3dbfde04efedaf418cbd6e96e9a66c9bf

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Internal.msix.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
55KB

MD5
4ee8b67255bf3d5a2342e2885bf83c4a

SHA1
05c41198636af098c314e24793d2bb6702ed0b92

SHA256
c961ad30f9725937cbec8d6f90f2c58a837b595039819659b9cf547804eb7a30

SHA512
89d0cc4256d8aa1fc7f05f30d9601ea0f4215329c616102278037a14216a65ebd26345fa38f43bf03f87a42ed9932f06b323cceaeee5dae4faa6d6b7f540e6f5

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
1KB

MD5
f32e931d9fc0ba9c6331a87f260a6d1f

SHA1
0d1fa1fa06d8d644dd03d9ff6ec9b6c9fea7719d

SHA256
a841afa3cd37e809b91dbc287149eab8518dfa1eb75ac7fb9a67fd66636e2c74

SHA512
2ef4ab247a5c576dd11fddca9c62b86430ceb687c314a1d64addfab83b9d3bdf799736fe045a9acb59097461f4706bdb82673ab6992df1cfae3bb4d4d275a849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7d4bdd41d7150644a9fecac756bd5298

SHA1
cc6bd77ecef146f18a526ab6a1167649b2bf526d

SHA256
ae1f95fd0cac26454941f0578d73b695849ce52ab2ef95eccbb63853cf9103ce

SHA512
ba873b94e850c6fa0de096961380265ec833778854612e938ace2c4c1772423793d0d22a585533180328478cc23aef6971be56eee2256405636f80076ed2c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b45626ad5f9f0b66249d71fe179e0ff4

SHA1
80682327f8e4a74872e95a2e1df187292cba50f5

SHA256
2a0ed9f37dfb7cfc52e46fcd253e9aada12769678485fa855753a5470d6a156a

SHA512
2f21936bbbf005a8f0b950d4940bd184b0a56687c7f5adfb1720275fc07b23c5270e65e6074bb1bd42d40c52bef10f8b9edceba0d7831b8e35960022b217fc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
98af2082618172e968531a141a333ba1

SHA1
4278494469970bcda1e51e8ed564c0b272fdcacb

SHA256
824431e7691e83d90151ac2d3f747bcc4acdfa767518196bdc741736f60ac48f

SHA512
1c15ab71351efc0f94c6f11d03340d52d79928f559196bd7a7607328c00a79e6b054e8a56bfc580e62ddffbc6f7e39b3c2d3a58aa7210c4e24369987932441fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
944B

MD5
0c7c3e44facddb2c363e56792b6d13c3

SHA1
dcd658963e0f111df6000819e851fec9ce247133

SHA256
7e22591a5745bc6af235045ccaff556cfb9eceb30f863da337d9f7112e945fa0

SHA512
d6ff1faa8ec732aa6d3ded719e2c24f80cefe87bba9cdc86146697d923b2c53c63382a6c087cdf50171c7d5da609e599864fe87adfd6775d33dc196ab43ed18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
861B

MD5
c9521136e3d85780e0149032eb8b34b8

SHA1
03ab363251b1ea2e83460f774c0ce5dd7b4f53e1

SHA256
2893cd14559bfe98b78e351014489e3e87c07d7fd513a6eeb03f53e468d06dc2

SHA512
4b7b195443a2f3881bfb766c30c0265c1a31aad175ea4dcc3079be637c62e4d1baea21316c49c5151f09db06857e0a563f3e5cad50d77948506a2dac0566ccd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fdc2280e0a83afedf1d0ec22ba74699b

SHA1
346d00af0567d824c1f14554290c526e30802f59

SHA256
ff2be05dffab0ed405dee34fb427a911d864b1b8648896327f8335723ddca349

SHA512
ab1f556919e3fbe532511c60cbe926e2432c0e9e658d7b44af23f2dd0970fd93970ab35b658634f8d98813724556c9d52a1b7051926723d6e995b44c281114fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a042f79820ae4715995b5e99e621446

SHA1
580f8fa4c65bb9f64a1ebafbf475a2f5d6bbd506

SHA256
41af21c67db50a8e37c7624d189208a4f2937c92dbc91bfa0b9e8d54589dd948

SHA512
f246b489c9fd35928abaac68f12c0345ae904353d6bb337dc2dae2663b63b7d1bcad49514a746536817a8c4f843dd0ec5680af585718c139592f1ffd7c024fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0347203f986024d17d1f9ac6c4e6c65

SHA1
4337b1f7ffa843ff60f412ff848275c4d8f24e4e

SHA256
1068ecfeb0ab6b1213d9fbaa9b2e3c69aaccfe1c95dbd7355d6ae8c39f95fc79

SHA512
64a0ea69f107c0d773ef9a786fb7a17d2a0fde553159429f3034d4eb287489819809fe4ac11e4a6094fcdee58725db80a84594bb794d321bc987d0cbe55088d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a6c351f3b3bcb37593db5eb67558e6c

SHA1
0609432d6e64fc2b33f73957078888da9079b490

SHA256
12cddf3e032a95f70e8d874849200fbe9cf5498220c5454b5b675af8518ffade

SHA512
f7b19ad3838cd964a3d915cd3836ae2ad06b4ee3c069e20368312288f2baadf247025bab61a9d41c82d69f76bc4f5978b790ccfa955852717a9e7db340788aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
00042df6368289238bc60caef1baa46d

SHA1
981c49ac7b10bd2a9d159daf00844110629837a9

SHA256
3ca68414527ece019ac110954726207b8a46bebe6180c2615158f7aebf6e6b1b

SHA512
8f549ecc6a1ac0cc153fe39759b8fe093af520dd94e37b8c32e7fc7e87263cc5b2bf404bff31a5960ad9fcf82dabb5a534fa07cc441ce646de2a8b532c28ff51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
045077eb7276b01917435c473dc2ae70

SHA1
0f022d6a1d4588ec0f40f49d067ca4d45d04f7ab

SHA256
b669468c554fdae42f2c89bd48399cb5dd7fd15f4456de556b5bd4b3cd188e21

SHA512
b6d0b8ccad0b80de8d7b53cf50e136cfa008ed5b5dfff56c1cdf15f64ac65ed02189a27ea653e9a0763fd7765c9c18ada3f03556e7b006b40c299f990d2d1b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
55790a714ec691db60ad1f5006769e36

SHA1
0f0a246870aa80d94a7a3f21c73851baf613e655

SHA256
effdc799a53901ce85aeb9d05fcb104f829cb63459220fa5b1974e14c253fbc3

SHA512
58e119cb86c198e84b84ea47d51bc782a5ec6d5f9397cdf4d4c96cbf51255dd607bd74befc22802dbaa4f0b3b15523aeb4bf92f2baf461a1129c22d8932f5692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
44d1a6ed5093c52a52f6d20c4b63d230

SHA1
eacbc14d8ba234d52e6aab39a0f78ebbf9ae8706

SHA256
e8e7622031dcab430d580131ab509164abebf8f37d07f94a3c99c0ae7a845bd9

SHA512
5c517b28578dc808acf75749656f124c48a0efe9763c1967204f09afe640307519012564beb2977c1ae478064b79868564de35f8c8a02e81e66e398cd7fbe39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e5c7fd03951b5ace46545726376d63e0

SHA1
bd0832e1eb6a1a6324a2b2460388a026594fcfc8

SHA256
29ca0147c8a8a95ca69f54f574629827d1f8a35bbeff599ce6e032edde8b9269

SHA512
29e93c32d2778f86e738dd22699b464eae363cf30c665dab0ba3b539d5ab3ccda2ba5398ff86ef1fd46230dbf56819966e782b52c39748cd790f0e8b74c8d63a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a268c33a4c06e79f0d591c91c3818d5a

SHA1
f360572acc515ba0740ed06131c5f561239d16e5

SHA256
b3b759b1ec66f3bdf0da67cb0a50f665cfe5487c2ded5a429fb4cb798ac4eb37

SHA512
ee139cde4f53e1a47c3db0b871e32594c1e95f5ac22013d2638c440c5e95bbc299be85aff9038e2ca3acb4c0a06c8e24be2f1af0d887aac657f62b2a3b907414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69499795622441e49450c67fc363d498

SHA1
22cf6f0ec4e9d6627e2424bdb48d1947ed6e5e56

SHA256
8c55bcc0eb705347b5e4c4c42a114714d398f9dbfca59054ee5a50037248984f

SHA512
553037034122c968c35b2566ac1976d08ce67363aa2646cf338d51fc633f70965e517a928951ab0da9ff74179eb0580afc99425fccacbd03f2886617ebdac315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584f82.TMP

Filesize
1KB

MD5
f538a813f4a5315a8b3fe4e367430928

SHA1
0fe01d8f644cce88d1bdf60c56f490735e26df2b

SHA256
1213b3cd5be567c44de0321dde1bf52bb37fb34e4f5a2cb9c7c970692ddf6b09

SHA512
231c4da88ffda9d1bdd5c3cc94ce9af0be93bcec33709fb7357bac17a01d45a1adbb68ca6af8a38de82f8b7adddaf04114833ec46cbc0ac0aba91355f12d774b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33e03e2a66af770f8369af3a5db7c84c

SHA1
44db2f0c9351ffa135800b33c337a5851565be20

SHA256
69bd28ae4d8a90cc511b25be4047dfd3c49c2f1134463af74f280f47c737affe

SHA512
4c2b44174473aa3848c77c36b0c76eb68a2e6b3b9dbbe356811c148b2ebd9952a5a219aa7606d86c30da13dfa03439392192aed6bebbd1d0af690599ce203596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
545010bbdfbfb825dc10f09cf22924a1

SHA1
3efdf50e9e67f33f92ef75e53cfc59db70258c0e

SHA256
ac4c7e528a29fe7c8fc7bebb1c5a845cbdd7bbf36c314194420ef9b03ee357d9

SHA512
a31204adcc424a78a773ff1ab772762da328f3c9293f799b1f713d60a940da278acf14ba8ee0120da6cf38711582c6bd28659035538793e8cbc2903e38b80a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70ec1a34612e00dde0ab34c7c8afd40c

SHA1
401cce95c361b1858b21a82df07f267c048254cf

SHA256
f9faf12da09a19257fefbfca2ffc75eb874f6e49d7cd120efcff25277d6ccd9c

SHA512
921a5a5da54c799a659192358be33d38bfe59ce0a79dbf492eef8c80578e2ad8ad47b44301625e11e939ae260445984586dede9ddca70cea60a7a03e4a9f4512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a67a77f54ddb01e9658abcd6e6673a5

SHA1
ec1e9a00811cee886926a8c0387b841bd47b9731

SHA256
87b502f424ab0f65d748d8e64c4d267e1e28550ee2474bed55e357568a62020e

SHA512
16db94e424309618cd91b35a46151b7bd3207ba3d7c4bc82444c9249b87c3c49f71115e7947c3d8165980c7f43b3ec6fdfa9860f34c2ba43468fcbad8670d3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
037ef0e8e1eb13e76f91f40fe81aa5ff

SHA1
bb7d31283975193c5fe5edb13866450f9858bc39

SHA256
75e45e6d5f76946b9553a1b2eb76a3bec4ffda2d4cd212746de9a4c895417025

SHA512
9ef00a933e7ba791b64cf34f0dcb9a4a0fe2591d6fe34fbf51ad66369e98b9cb0514982588a2c118b0fed84c6eb140a4506439cfab02b4849b779b8f220c2100

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e1da4db2b1c8c384110e6b5b5165dbfe

SHA1
4e444c8edf0781526f0397ad4d61edf2aaa2e0e9

SHA256
ae0b28b7185cd16fa9c702df4eb7ed66983d4988d27b820f0975a5334ab950f6

SHA512
0400057b5786ad8e38817fb55274377e878eb878476a4391bbfe7856c77c28fd8c39a2670d477f53cafee5ba3ee2d629a4161381b19e800974afe1c7601b4d22

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\ApproveOut.xps.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
648KB

MD5
6f1133cda1c731c111dd3f7f798118de

SHA1
eba7dbfb2446748b39ee078234bf4c90b4390c50

SHA256
ddcdcf3914ca42e8634566ae5790a2ad7f6229663eec2ef3a7f67cd75b67fd02

SHA512
24e69360e45fc8fc53900bba8a2fa4c3b942b7cc2e7b4183c6bfaeb63b5ae9c7f52589a1d938975e5cc2e00287b6dafca9e249bae1ec5b821e63a6cb46112e7a

Download Submit
C:\Users\Admin\Desktop\AssertPing.cab.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
319KB

MD5
7e412a860743b9b48a9a2d5c6db54b53

SHA1
61cd18c0f405353a818582cf37a84366e6388cd3

SHA256
69c2a5ae0ec6d2f26a6bb875c9347c0a800ceef7c723d16dd84c9e4322b8c42d

SHA512
e67bccc5c4c304dffee6c44af2eea0b5ff8c0eec82b77cd63033ce373e801ce7a981294ea637f0de41bfbd64a9067f7ed029f444c527e482d308f775f19b3dfb

Download Submit
C:\Users\Admin\Desktop\ClearPublish.mpa.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
337KB

MD5
34f09229207ad02469e197e378649522

SHA1
2365177f8a86d75f08ce8ffd660242fd137ce71e

SHA256
39f9f9a69c1f5c416b7038838dbde58654a8e94ca9a7a8d81cc66040d03a513d

SHA512
c9d684827448cede6da64cd18917e2f6d1e90a7a0c48a990184527df7bab1e2029531197e90c0df68f23500aecd3e754fa87bcee3854529d17f3163c2600a38d

Download Submit
C:\Users\Admin\Desktop\CloseHide.jpe.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
502KB

MD5
ca11cd582704c16494ebbb545e89eda4

SHA1
67a9e30ac7d123893aa5da0792fabd0a15893dc9

SHA256
1bac2f3fa9c1c05468f8eafb08a23d31e3c281377cbe792e16334be2ea1b7be2

SHA512
31ec22f692183411155c448633b10633e13ffe1ebc38ef8474ef43aa5e52fcdb7362044ad130da1ac8a3c81858be2907ef656309a82d552bef734d896ebef52c

Download Submit
C:\Users\Admin\Desktop\CompressRestore.bmp.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
538KB

MD5
dcae573f8fc8390039eb37a736296416

SHA1
a666e65e2f5d199e49b5235a7c909162be23f8e5

SHA256
9aa06f2e9cd7372701793807b638d4c92a51de5b3d0b780b0a04bb54f2a90c08

SHA512
64087e2073115c7f0b58d8b481a15af3d09144823a8066df45725eb9585c9103866a7f3f96dc1b270e00a8d80906b0cef2215cb75a38a9409860107d9a19bb3f

Download Submit
C:\Users\Admin\Desktop\CompressSuspend.mp3.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
410KB

MD5
70a76ebeff3bef46d155a79460a0c12d

SHA1
6d5e11c4c147c7b540fc4b6a95506d52434f9235

SHA256
fb8a6ef6079170e9d2a986702cd30fd7b1aea1bd7773d958c038b88f451f8c5e

SHA512
50850ba7fd27b8ee871442ff7851f2eb511e3e8dea483346b092a3f10a08fafd362064b66262cbb37f95860021121cd9e69fba313751428a3a66e82ad4680322

Download Submit
C:\Users\Admin\Desktop\ConvertProtect.png.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
520KB

MD5
e9f8f2f893f8e60055a64d33c2c12c20

SHA1
03d0ea4265efd7737bbfa68bbfff335093cbc509

SHA256
8c1d24771005936758176ab214a0af26b0a41803aff518b1707b772f4e353711

SHA512
eeaa1f703fa9e206ef31f1b744e6977d6b448de852a804dd90c277a79bbcef4902f72c62b8f4f42b742fa00babf54e57a8c52f47b434929e3e0baad9350b4d57

Download Submit
C:\Users\Admin\Desktop\DisableAdd.vssm.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
356KB

MD5
c2c0181e185d8191f75d8638ac95d242

SHA1
ee256bb20aa76724e19724dcfd77d90e7f06a187

SHA256
00a712fa41da8843aaf627f4b6fa91851a3af17cfc0c4fce12029b323f76f204

SHA512
1a8c5b36baa762553d159f787905139f7aecb88df1822744228a559ac5b853bc019c51414d74068e62acc8c451524504bc17fecb5d570282d7515cdae24726bf

Download Submit
C:\Users\Admin\Desktop\DisconnectGrant.jpe.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
465KB

MD5
1e32c8caca04ed75f5c7d83c11fb2595

SHA1
4cad6ca0bbe1f90f935e3592dd417e93da596e33

SHA256
db0592799ee9b736bc2ceeb0d033a85fab72d3266b6e6501bf8313db81c82582

SHA512
d43c07748769c5b421a82bf0716cac8d83b24444d21ea39e885883b89b85fe03ac5ff3c6bde8746a38ba4edca432067616082350ef77f0fee6c6cba4fe64d1f2

Download Submit
C:\Users\Admin\Desktop\EditWait.xps.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
967KB

MD5
f3aef26327ac28d46b3f1aabc26f7007

SHA1
6c60487678dd36328d9d0b1f171f9a24c39db336

SHA256
96f06939cba640dcda52fd9f1fa0da6f551683bbc4b77ab0cfafdc4f54f65347

SHA512
c237c44a2b91fce9323232580bd04fe6df86ea5d4d168c3d0768bc40c8ad1cc6f9a8964609428eb32b591f7c0ed4cbdcf45f840e5ffcc8c8ff73f1142afdbbd3

Download Submit
C:\Users\Admin\Desktop\InitializeRevoke.mpeg.D506F29AB3AC524F47D31CC474AA88E02BB948417B3DA1C4641DE3384B19C72D

Filesize
630KB

MD5
ec5263a01308fcb12b32bf998f7f9258

SHA1
183a2f13a45fed86df51130958f96700332216ae

SHA256
cc48e6e3a3d0dfde22e374233a0e5f2bb6bc9ee6a0e9b10c063af3b28f907afd

SHA512
635c6d3f280ae3d509e0f47c2af3ea759af94c3452eb3f3149e501c45cfc15dddd183eb667d8ac732c07dccaa8600f1e1338b67604424d8a97805348d612a7ab

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Desktop\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Desktop\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Desktop\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.zip

Filesize
33KB

MD5
5569bfe4f06724dd750c2a4690b79ba0

SHA1
05414c7d5dacf43370ab451d28d4ac27bdcabf22

SHA256
cfa4daab47e6eb546323d4c976261aefba3947b4cce1a655dde9d9d6d725b527

SHA512
775bd600625dc5d293cfebb208d7dc9b506b08dd0da22124a7a69fb435756c2a309cbd3d813fc78543fd9bae7e9b286a5bd83a956859c05f5656daa96fcc2165

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
memory/2244-4475-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2440-10-0x00007FFCB9F60000-0x00007FFCBAA22000-memory.dmp

Filesize
10.8MB

Download
memory/2440-0-0x000001E69C890000-0x000001E69D30A000-memory.dmp

Filesize
10.5MB

Download
memory/2440-2-0x000001E6B7B40000-0x000001E6B7B50000-memory.dmp

Filesize
64KB

Download
memory/2440-3-0x000001E6B7B40000-0x000001E6B7B50000-memory.dmp

Filesize
64KB

Download
memory/2440-4-0x000001E6B7B40000-0x000001E6B7B50000-memory.dmp

Filesize
64KB

Download
memory/2440-5-0x00007FFCB9F60000-0x00007FFCBAA22000-memory.dmp

Filesize
10.8MB

Download
memory/2440-6-0x000001E6B7B40000-0x000001E6B7B50000-memory.dmp

Filesize
64KB

Download
memory/2440-7-0x000001E6B7B40000-0x000001E6B7B50000-memory.dmp

Filesize
64KB

Download
memory/2440-1-0x00007FFCB9F60000-0x00007FFCBAA22000-memory.dmp

Filesize
10.8MB

Download
memory/2984-5646-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5704-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5750-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5741-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5737-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5731-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5729-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5723-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5722-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5720-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5714-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5703-0x000000006F050000-0x000000006F06C000-memory.dmp

Filesize
112KB

Download
memory/2984-5700-0x000000006F130000-0x000000006F1A7000-memory.dmp

Filesize
476KB

Download
memory/2984-5645-0x000000006F1B0000-0x000000006F232000-memory.dmp

Filesize
520KB

Download
memory/2984-5701-0x000000006F0A0000-0x000000006F122000-memory.dmp

Filesize
520KB

Download
memory/2984-5648-0x000000006F0A0000-0x000000006F122000-memory.dmp

Filesize
520KB

Download
memory/2984-5649-0x000000006F070000-0x000000006F092000-memory.dmp

Filesize
136KB

Download
memory/2984-5647-0x000000006F1B0000-0x000000006F232000-memory.dmp

Filesize
520KB

Download
memory/2984-5651-0x000000006EE30000-0x000000006F04C000-memory.dmp

Filesize
2.1MB

Download
memory/2984-5653-0x000000006F070000-0x000000006F092000-memory.dmp

Filesize
136KB

Download
memory/2984-5652-0x000000006F0A0000-0x000000006F122000-memory.dmp

Filesize
520KB

Download
memory/2984-5650-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5654-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5698-0x0000000000F70000-0x000000000126E000-memory.dmp

Filesize
3.0MB

Download
memory/2984-5699-0x000000006F1B0000-0x000000006F232000-memory.dmp

Filesize
520KB

Download
memory/3860-4328-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3860-552-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/3860-546-0x00000000007B0000-0x00000000007EC000-memory.dmp

Filesize
240KB

Download
memory/3860-553-0x0000000005560000-0x00000000055B6000-memory.dmp

Filesize
344KB

Download
memory/3860-548-0x0000000005330000-0x00000000053CC000-memory.dmp

Filesize
624KB

Download
memory/3860-4329-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3860-547-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3860-3403-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3860-3646-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3860-4327-0x00000000069C0000-0x0000000006A26000-memory.dmp

Filesize
408KB

Download
memory/3860-549-0x0000000005980000-0x0000000005F26000-memory.dmp

Filesize
5.6MB

Download
memory/3860-550-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3860-551-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download