90db030710ba1078cb4960822a0b975b0dde1d90dbbe77864faa7d597cf67c57

Analysis

max time kernel
146s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 00:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe
Size

363KB
MD5

3f68fb5b51c1775f8fe3424b4ac135c6
SHA1

c5b0a68e610056551871659d2b351ddb432ffcc6
SHA256

90db030710ba1078cb4960822a0b975b0dde1d90dbbe77864faa7d597cf67c57
SHA512

e4cb8f70c50dfa12bd9c03a32fcb3a8e18684234da862c435ea0bc9a6db2ca86dde2c9f15ac1e4f888d774811927e8cba2fc3a9cf3ef26deaca25223bc1209b2
SSDEEP

6144:9juVRjg3qETAQVu6w6MfZqAXBvTF7V4ddEQlon/g0OrPkGlxcd/rvSwmMINTVPrw:9jWRs6EkQV9w6Mfbt57Vk9lon/zOY8Ar

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3028	photothinsetup.exe
984	photosplash.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\DefaultIcon\ = "c:\\pdf995\\res\\utilities\\ultrapdf\\ultrapdf.exe"	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\Shell\Play	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\Shell\Play\Command	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.updf	photothinsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\ = "UltraPDF file"	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\DefaultIcon	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\Shell	photothinsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile\Shell\Play\Command\ = "c:\\pdf995\\res\\utilities\\ultrapdf\\ultrapdf.exe %1"	photothinsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.updf\ = "UltraPDFfile"	photothinsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraPDFfile	photothinsetup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1464	msedge.exe
1464	msedge.exe
60	identity_helper.exe
60	identity_helper.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	photothinsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3028	4796	3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe	85
PID 4796 wrote to memory of 3028	4796	3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe	85
PID 4796 wrote to memory of 3028	4796	3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe	85
PID 3028 wrote to memory of 984	3028	photothinsetup.exe	86
PID 3028 wrote to memory of 984	3028	photothinsetup.exe	86
PID 3028 wrote to memory of 984	3028	photothinsetup.exe	86
PID 3028 wrote to memory of 3440	3028	photothinsetup.exe	87
PID 3028 wrote to memory of 3440	3028	photothinsetup.exe	87
PID 3028 wrote to memory of 3440	3028	photothinsetup.exe	87
PID 3440 wrote to memory of 1464	3440	rundll32.exe	89
PID 3440 wrote to memory of 1464	3440	rundll32.exe	89
PID 1464 wrote to memory of 3424	1464	msedge.exe	90
PID 1464 wrote to memory of 3424	1464	msedge.exe	90
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 2656	1464	msedge.exe	92
PID 1464 wrote to memory of 1312	1464	msedge.exe	93
PID 1464 wrote to memory of 1312	1464	msedge.exe	93
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94
PID 1464 wrote to memory of 2576	1464	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f68fb5b51c1775f8fe3424b4ac135c6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\ultrapdf\photothinsetup.exe
  .\ultrapdf\photothinsetup.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\ultrapdf\photosplash.exe
    photosplash.exe
    3⤵
    - Executes dropped EXE
    PID:984
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe url.dll,FileProtocolHandler c:\pdf995\res\utilities\ultrapdf\photosharereadme.html
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\pdf995\res\utilities\ultrapdf\photosharereadme.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ffc546f8,0x7ff9ffc54708,0x7ff9ffc54718
        5⤵
        
        PID:3424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:2656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:2576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
        5⤵
        
        PID:1592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
        5⤵
        
        PID:4480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:60
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
        5⤵
        
        PID:3964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
        5⤵
        
        PID:4584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13160081442954703560,1065758260546093575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f1964ad9390bb44c61dfb3c65d322bf4

SHA1
bc1882a86f850bf7a40aa0541b6e42a3bb0ce510

SHA256
18ae67de66213ee3d0497ea9fd139e2163734ee51d53cf75eebd9892bd3a21bc

SHA512
4cf33876e10612015126f25e7e085491027498621bef62368b2886251389bf72db58b4b0026ca2a8c425abc9c41556911aa349bf6890e582460e0bc6185b5d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25f3fd1da3791a7cd73b1dd64ee205ae

SHA1
9bb5f48e684c95a6d13e2c5d41a498e5e4d90f25

SHA256
adb02105498e14825575659962639ad35b711f2b6d0683b688dd3dbb85ad1dc3

SHA512
4f0a2b166f011aaff2ac2860508671031a5cb32d35596563eb8720421a0a87fe5bae34c693ce87c868cd79b6d6a81e63b7fc50201bb0eccac0031e85d34afda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dbd6fcf33793cf05eff95a516380a46e

SHA1
f73dfa9b22c18ed7e7732347ee383821eb85efee

SHA256
3325cd44f6995a32981d4123d363eb41f7ce27a62ff1919e404136f52e166e20

SHA512
35650f4939a9252de54905da2844b0c0f5c9c56888ad7e4f34a721aa36880c4bfc71ac231691fa66e58537ee538284ae1f7224709ee4b8e7159af643f42d73b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\ultrapdf\photosplash.exe

Filesize
508KB

MD5
7a98781875faa03baef101c02cc80947

SHA1
d9c0f575717a49ce428049c4e5df866c78f0f053

SHA256
71975593615a3e3fc0e124dc5ef996350878526fb81b49aef993cd80b73544e5

SHA512
865b50dc5ebf6d0f5668ce4ca755251fd1c9d71a8a8618dbc5cd8938d28f5c826c68027c3d5e531a3b82eb3750bdc573fb02cad48d55a1b9b8fd76808b445414

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\ultrapdf\photothinsetup.exe

Filesize
136KB

MD5
816ba19f8ad4039b20fe85c70fbfa034

SHA1
c7f7276ec256cc9930b526be8e01e4426a401c0e

SHA256
8f0c12f35049e6a2747b4952b438fa868d2408956bbf04caa322aa104b0e074e

SHA512
a8146f2e51ed032d62434c2d5c5c978b51f35df012242be46f7505cfe0cd76cf760ecc8102eb5865ac138e1165cbf27d3a062bc9a5de60eb9cc849f885472d75

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\arch.exe

Filesize
64KB

MD5
c47c080fe9047a0f72b9e8d4e1b8e55e

SHA1
36ddc972644378fc03279f4f7a1501c23309fd53

SHA256
dcb93abded326dc0610b29835370afe234457f912ea74a6a702fa3d698615515

SHA512
5c6709fefc9eb9800efb72cd71806b31c624490913970af9863bb64a8cfe9f66917d46876ea7b78206a336a46dedb5ee790d6d2275472d0f6c55971af7a1bdc3

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\photoshare_readme.gif

Filesize
7KB

MD5
a7e2971b7210f86ebbece38558f04bf5

SHA1
d2bc1dd77a589940e0a44ac7c0ec719865a364dc

SHA256
ea22e8c30aefe1f6313fa3a1a226c5cc8ef2618c23e0f53bca112a2ea6e3893c

SHA512
c460433b6e72b193fb8b51ff9ced7d30d9aad7b4835075f4b72a70369761c80d16d975551afaa2a5882b572224928240c845983c2ffd53441b603fd35ea0a50b

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\photosharereadme.html

Filesize
11KB

MD5
7670ff332a2a495e703a8d0c8382ebd6

SHA1
60a78568b2d7b45fe255f8d91e9d857bef76c6dd

SHA256
bd3c76df88a7b04549e0c87ecc246e408389bb40dacea446d551080369131ca9

SHA512
d801a981238fe5adeb699a51fbcf263aa0353b8422aff8f78de4d504eada7a27e2d73e092b096d823bd310f7aac87ab197fc97ccb59373de8d975aff046e5937

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\spacer.gif

Filesize
818B

MD5
bf3dba9074dcc1ddab0b406208461dca

SHA1
9268260ceb1b3a1707d3bda83c5e444f9fa47edc

SHA256
2b67709f572913f01bc330c7d7dedd541c178ad2e5d3c53ca0c81652895e4e67

SHA512
aba2c52e98e9d1a55c48dcc79fbfdf9c43a14df284b980652d8793466cf48a4317ce6bfb94344ec1662ccd6c4d1aba159f65ad003e9de244a553572123d3ce54

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\index.html

Filesize
471B

MD5
a79c7a16572f97172e2657197ea4ee24

SHA1
33346398404782c2d00fed9d4a00885062c148b6

SHA256
4ea660491b4db24ee039d1382724bb30426daf70968c35505abe0d82a6d14f0e

SHA512
e09438bb0e121c34bbfe74ef6284422a9e9492aab49c7a1abeeb4fe03f26ed04875a3494158e1980a94c2b456ae4529c25b0c0c2b318a9138d1c9dd9ecd4a545

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\blue.gif

Filesize
43B

MD5
bc0901beead5b8448a7b9353a94e4151

SHA1
416d2e4ee05ac2b167956f07ec3baccadb43016c

SHA256
a30c8d9e64b3e06cf1d526e65284d9d28e064f0bb1219530b58d76d81aaba569

SHA512
3d8dbdfff1747a68cb830c5da896882927f51aa0ec1ac20db53922031597b2bc2b75f44433936f243cf914c7e9848edf80cf3a3636662b0a6fa52ef21c84ba93

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\btn_animation.gif

Filesize
111B

MD5
12a8ed3d78074bd76776a71808337396

SHA1
34c208cceabe84429cfbb873afa8a31853303dea

SHA256
af67b5f3d0d65655e8bce5eadf0c96808e665555e43d6d59a72a3ca41cb2a22e

SHA512
c354cec3702765b4fd9f367807a416f9826ccd0420b9ed00c96752878f23db177073b6fd9b44b6bbb78322135d626b9bf998445fd03b58ae9ffdbec84d065fcf

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\btn_start.gif

Filesize
173B

MD5
f8a93467733191f6380915ed0d597416

SHA1
ecda8354d7998e946da261252e17163a7698e274

SHA256
bc794b6c4ba40a1b9ef2032f12f277cda0662d5eb893d21730f91daa34e95af2

SHA512
815f0b46af6a83193165f76d2b9e4beae99421d01ce6f28762b402d17640ffa267b8135e3c93358a020dc3b5e376afdc517885b59d5b421eb61a2dd2a184b8d5

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\btn_stop.gif

Filesize
171B

MD5
1d9bfd96d26605b37adfbaff9efebe74

SHA1
55cfc09671ee6b25dc274fc2a9f46232dc0495ff

SHA256
aba297680ee374d712bc36ccc7acd1233aae32c86e60061a795bb718c5329c08

SHA512
7c31714915115d5a4b242f52e874d1e5fc79c260ef04545c3b5cbbc7cb1eb93abe1c6c32f7c1780cc2364d47f735f85b111ad6df12da682b028d74827597c1d7

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\button_get_viewers.gif

Filesize
228B

MD5
2382f1c260ffd3bf933be3d3eb1df89e

SHA1
ef3b5dfe4b9e586680edbc22e797de169889c04d

SHA256
fc070af38bdbb9a8d5b03456d8ac034d6b2d2658de306e487734bb728c2e3548

SHA512
79f399fa429fd433985e9ffb34cf724b0afb99a4fd0ae943994a245171bbf9777613591d5eac1aa245e872fb8b3a0b3cb38311880ae2fefc802854c05ea67ad1

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\button_help.gif

Filesize
213B

MD5
995b6471e019973e9787f938875b2e6f

SHA1
02311103a4e7557dd956e250162c8ee14f3fad1c

SHA256
4c28d52023937413774e1d7deedc0d2bf31e1fa553da32f39b430d66d5c41cf6

SHA512
1276943c63d80a333e4dcba5167b3a2368e9dfaaf677290d47aec9f1a70467db1d99dba9df6228304a54a082cfd291237631ed49a6c0a44b8c1e47bfab50f586

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\button_next.gif

Filesize
183B

MD5
67e71a686283c0b0a3ca0bfd684cad2a

SHA1
311afe2271904cceb90f7039c3d4c44f276cad54

SHA256
2b94c0b83b091fa6ca8d275e096a0cc2a4513e40c18b333bfa8f83fc6d7dd51f

SHA512
4be0689264a643f37f08295effd2a198db980f06b38f560fb4fdca6f5a0f02b6430da57d357f7739b31dcb670f2000eb9cc5ba4d9dd3d0285f691d144b7a4ea7

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\button_prev.gif

Filesize
182B

MD5
ce674a178191707be198bffd58df8695

SHA1
741fe5f0bfaaa04c66cf8ed022be8d84433f0d58

SHA256
2beb2ad008e554e6228927941d3e4567ffb67e6153596a81780c5cd160a39452

SHA512
f00b6fea94ec6724b41f6ae51455de9b7b18d0b4839475eed7547d8b721a3b0cc976f932396880b1f727e5c544c9eb8e6fbac9158eb363fe1dbd5a19ce706f16

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\clear.gif

Filesize
43B

MD5
1aa6a87632f48b5beac0bf1251a065a6

SHA1
98b2e9555b2a7bdd9c3244bdf1393031d766ee28

SHA256
301e4f0af4e5975c33540291c0592f5d6c1f239baff192a405417299e9a655be

SHA512
e84e7b0d9c60bdca29c0e14e906d86d0d2c3fbdf0a45f99dd50f6e042bfd2da8fe30b219bdf0de4fb9a253736634d3312b0ae9fc47e0afc7dd4d4003ad7d00fe

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\g_acrobat.gif

Filesize
165B

MD5
1e8abe3b7d2e4ee1d7602892ef13727a

SHA1
c55ba6453acdcadde55c36ae462a0c1f67c27333

SHA256
0bdbcff6393d319c48079fdebd8ff6e7e51c319cb933a16ed67076cc95beb9bc

SHA512
bbfced4ca9298bac4d1cf52c02d767084ebe4f78a22162ac8add0b9cca7df6122de56c1e3d8ecf02370f810fa1af30b05011a3478a06ae009f680c694c820a44

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\g_excel.gif

Filesize
139B

MD5
4233274d7c273106604361224c9e152b

SHA1
ece84831c8f9bee0d643c941a25efea693daa984

SHA256
e1aec47f057980b65af5eef166c0ca19e5d1f4b99513b09187e11f0e5d39bdbd

SHA512
ae26d1053d54308165c9fd725c6e5fce5dc85f4408c174369927f78a99306c42cdf30f7dd40a45aaedf753c2404a78e7ed011b9a0739992b5329c3faf831c21c

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\g_html.gif

Filesize
143B

MD5
2f7ec2d90f2bae65990e7d9aea64a0d1

SHA1
361eb6450e64fd87b6e9bd4eb9f2c6627b86bbad

SHA256
d0dea1b3c331bd6e37305649f936969c9359d5333156126d8770cba435909092

SHA512
dd3620584a2a094234335673647acefa0076b7445dffbbec49d68821cdc864767f21317b2eec809743ffe428d3be6e6ed22041c47e745cc7ceb03993348cb12f

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\g_powerpoint.gif

Filesize
171B

MD5
659de511cc555642217d6a563d03cd66

SHA1
830f3daab3e3322090c8b733927c01aab89166f5

SHA256
40d573fe289fbf457f0df83d7a2d2c0de6c133aa3af6feb8a0d122c753ba20b6

SHA512
4eb104a91af6631256b2e006abfec1a0b12f9cfc092908a7bae89cf9fa73a0064138e063532ce600ccfa014d96d1d2b87f043267ba1d3e0a3f9658fed6b81e71

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\g_word.gif

Filesize
139B

MD5
3c779f5062e6412774ab22ee16cb1dfc

SHA1
66f089e85921bd9a6399ff5a845e607e2dc9f8d4

SHA256
8a6d5476e89ea7ea0a5426b1857fda014b4b8cd30db2b84329a677ea974bf614

SHA512
f6f4dc13d508736f818e988f89a79eb4368530ea3b80dcf48d9c0e0fa316e349465a519a1017eaa76194c4bdea4297a02deb0a26767f00db1173090b15da8409

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\header_get_viewers.gif

Filesize
442B

MD5
94881f1e8ffae23d8c77652263816a02

SHA1
9d062f913ba5f300b97ea9aef949157f04e87bcf

SHA256
1763420ee2c3cfd4266720970569ceeff2663ea1ffd143b37bdc78b613d14346

SHA512
f9630d23c6faea6f6c4c10c194757c8778b7db751d9337bca48beb4f0781996190eb7675419eaeea1f93ae49d7fdfb9aacb815a3a41d169d7f576ea34942b901

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\header_help.gif

Filesize
271B

MD5
cd3d2b25e70a499c2ce642c73e8d6d5a

SHA1
f6124af1dad43f301a2c1fef84fec24f0495b3b0

SHA256
fc9bb97ffd105d0366b6bf02e076985ec0e52323da0475c7a80255d11c5d9bea

SHA512
d21f2bbcbc5eeb684e015fe033762b78556ed2988a7d50e25447bc121cfd9722188351b4afbe279dcfcc7c4de6a55e631328dc2ea998acf4994e1126ba49b070

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\help.html

Filesize
2KB

MD5
6db92fd53b2293785621482d343880b8

SHA1
04d871ac632ed9bceaa04788f255338e9b01c2e3

SHA256
384336cef58bc029b2324ccfdad6423351ddafd248ba0d1c672578c6863536b0

SHA512
e31e225334bb0aaa10353eb50ad181ba1e68447d8052998eb06a0877c40bf150ab8bf4c9db1fe66fcb80ef3a4dda5722bcc5ef7f12945aa387da574bbc04aba4

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\left.html

Filesize
463B

MD5
f8a3469aedcf4513fe2f86502e0a550f

SHA1
c19da3990c7070bbfac7b0d0ec2168ddfa01b5dd

SHA256
d8a43a7a1fdeff84104271c4fa1509bd01256f73a7037b08696d441b2adcb40f

SHA512
6cf49f0fc38e90df09c26d835c742a6bdaabc4f1d88cd83a0ab94e75772335928ab868a3805bd42e499d0c54ac4d56ee17219bbdb432d22f6d7ff039f71390ec

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\photo.html

Filesize
443B

MD5
b2ddb38251f4422ec57459cb23df8b8e

SHA1
7d51ccf792fb18d202e842b26586960ecfb82574

SHA256
3a34b1e0e83f6d89151cd4f17964897c00dbf6a6dccd9f2e03c91dfbb705f681

SHA512
a075bd6b303e0aab025cdf1ee94f876f263ab203bef48c91c6ac46e7e7a665bd8ac5326d63f17667076692cfb97bd1fc9b236987a82a84b90f2acbe5c5ff720e

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\style.css

Filesize
513B

MD5
07514b9f637e499d90e80e050f168537

SHA1
3f8bb8e92ed6b946fb797a25f3529c61f9ddef69

SHA256
61fc5dc17d0e411a665f6375728b4e0ea53bb1b0b2264c057f6aeef47c7d51ef

SHA512
813fbcfa60f614059ae653561312697ac8c504d68bc96a7ced5fed09b7939d6a522c08a1e692354830e1ac1d410fc396c8e064e5adb9f1bf558aa7dbf3987060

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\thumbs.db

Filesize
35KB

MD5
d71712f8f3f48374f4fbfbadb5bd5db3

SHA1
1457d693d512dd3d4233356ddd999750fc06b3b1

SHA256
cfec59024bc99dc73e3b6ba1500b672bdaf0dff67ca079310dcdc6c46e9e0788

SHA512
e370e2619af0b5a92b842afaaafb510f50546e4ed664ea9bd9487a8bd1ec7c666e719949ba4a0de9200b4a54080fd76bb7f39760393337c4a2c8bfe0d8c31b38

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\template\resources\ultralogo.gif

Filesize
1KB

MD5
727f58d68c0c9eba94e3b9fda17daf7f

SHA1
eea5867475cf6282791fff56937d6c29c09e1ce1

SHA256
7f5d915f9ee5d0d2d498b35a902ccb626e3e8fd4da80ae37fa854b263c0696b1

SHA512
724795fd5c785a2f211e3fcaf1b7f3059a1f0c0d6072f9906dd8a709cd505c6e631fd22c9220aaeffc133de5a4427f817507b6d539371c4ac6b602ba802194c9

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\ultrapdf\ultrapdf.exe

Filesize
276KB

MD5
68036bdd898ae37fdc499537778c69a6

SHA1
50ba8123c1e40e9511ccef11e6734864157d7b96

SHA256
aaa2485dd11a84334f327580f41907342734d05bc40d39492ca33f72e57eb43a

SHA512
05c97f37e1dfaae1ac6d26c1a66ad74a4cddba44a51ec465039f2d266749a96d53ca2327c097910e95c96c93fd4a5d566718335a6e7fbc8bdfb5306f468f641f

Download Submit