dharma | 95dbd294f511335bb0b368c487abe48e8d72aa4b165cba94d32cef71a5e46916

Analysis

max time kernel
1761s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/KmdUtil.exe
Size

210KB
MD5

3581f6d1470ca02b67fd618204b30d9e
SHA1

1cc2c14eadf5f653df6372072e7eed45c3742c81
SHA256

1d72e61808f8f5ad2bf23bc7f11513eebd1b757f1ec201d1bfe0d3b168f1d5bb
SHA512

edf417db125aa6d508954c163484663f7281fa576354effe5edec6b75df7a514f47f5b94fdd38b900b4b379a6d9e22661214bf4d6e16324f9e3052dac53be414
SSDEEP

3072:Y7MG3w21H+HhCrn9l0rYihWzPQOgcL+gxXgg0TiPKLPwSvOnM:4dqCrnj0rYfzlpLUPwSmnM

Score

10^/10

dharma fantom mimikatz bootkit credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>U3+H5QtSMwVvi3tsAYsFNTKgV75QnHZwSNF0sxatOm8darcDL8rh61PCdEkZthU/FNdmxN8BwCfPCT2ZoMU0ZCNrExmcNglwqgEobRwCQon7U7+MNwZJxpI7dWD9s3CXO8IqiheRg4u27YXBttsYL8OnrwXqUFYJUgu4a1P2GmOFdjH6VzyG05AZo+vHLHd7DtZlpK++/eFIOrXe8WTR7o7QzVsmV8n/jWf8JE1uZrJxziRdXELe0rIFXxBcZsyk7y6BY2FjaZnaL0zvY4P7PiWrCz3elWOb+IlCyEPQujyd9wIx2vhhpX/nSyaJlKnX8/h3N07n1FJBwicDQtDLzA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ne1BcoXgOohrJCMaUCEJdm/VstpwCtLATXH6kiDKaS23M/152rOCxF0efZzCVc79gYTETD/C0W150CwGPJLhXYIWsaHYc34WoNkHEiwNQYGkdwLbQ94Hzq8gtVTEiKpt60g6U0gHvsNgYgq9FEzzY2FLRVCHDGw17KUOuceQ6dzTknAG7DxMWXrYzrmUNEYZF0gNBiRwEVecNGdl95tm0ayFOhdCza8n0iCFnlKET8WJ3DqK/MscgGiOWYwmfXxH03bKkTlzPdFVlNbbh+DIBjUyAN8l0k96E+C/6f66mhSUewVhaSLhfDHD3HEmVP7iOWbdh2EMLTmlLr3jHfgXGQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (559) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (686) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral3/files/0x000200000002ac4e-723.dat	mimikatz

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
1620	CoronaVirus.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Executes dropped EXE 8 IoCs

pid	Process
2956	NotPetya.exe
1720	Fantom.exe
1620	CoronaVirus.exe
2372	CB2B.tmp
11352	NotPetya.exe
19560	Fantom.exe
16624	CoronaVirus.exe
16392	WindowsUpdate.exe

Loads dropped DLL 2 IoCs

pid	Process
1532	rundll32.exe
18980	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-970747758-134341002-3585657277-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-970747758-134341002-3585657277-1000\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
71	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesStoreLogo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchMedTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PaintWideTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-us\hxcommintl.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\avutil-56_ms.dll	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare150x150Logo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_opencarat_18.svg.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadline.psm1.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-64_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-100.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\glass.dll	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GetHelpStoreLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\react-dom\umd\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadStoreLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-256_altform-lightunplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireLargeTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-60_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\concatStyleSetsWithProps.js	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireAppList.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-400.png	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_MedTile.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubSmallTile.scale-200.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\ui-strings.js.id-5C2F5FAD.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ritain-english-main_31bf3856ad364e35_10.0.22000.348_none_c209261be690aa02\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..soundservice-client_31bf3856ad364e35_10.0.22000.41_none_9406832e93b848c4\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.22000.184_he-il_d9d6b5183c000288\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..s-storage.resources_31bf3856ad364e35_10.0.22000.132_sr-..-rs_85b661927f5156f2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting\v4.0_10.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_it-it_e556f664a8c067ed\f\license.rtf	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ionaries-tatar-main_31bf3856ad364e35_10.0.22000.348_none_f7f4803925e43d16\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreSchema.sql	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..me-ppipro.resources_31bf3856ad364e35_10.0.22000.493_it-it_e40e7edc2575819a\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..-chinese-latin-main_31bf3856ad364e35_10.0.22000.348_none_440a30b2efc9800c\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..tionaries-igbo-main_31bf3856ad364e35_10.0.22000.348_none_910ee1f88093763d\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup.resources_31bf3856ad364e35_10.0.22000.348_sl-si_b899c68dbb900989\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\Content.json	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_cs-cz_ca4442aac974b5c7\f\oobe_learn_more_activity_history.htm	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_nl-nl_c6a67f6539770e2c\f\OOBE_HELP_Opt_in_Details.htm	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_sv-se_f2b6902ff89d1827\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\rescache\_merged\1154286595\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_es-es_79c6ec5b39c2a988\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\PLA\Rules\en-US\Rules.System.CPU.xml	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorAppList.targetsize-40_altform-lightunplated.png	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.318_pl-pl_d90dcfe21e2ec2c0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.22000.434_none_dd571a7c412145a9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.NetTcp\v4.0_4.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\rescache\_merged\2629537451\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..yspecific.resources_31bf3856ad364e35_10.0.22000.493_en-us_42a514bfd790dcc3\f\license.rtf	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_de-de_afbb5741efb76ea3\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ickerhost.appxsetup_31bf3856ad364e35_10.0.22000.65_none_9c821b4e9ca33b74\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.22000.348_ja-jp_b06a822d554b2bee\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorAppList.targetsize-80_altform-lightunplated.png	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.22000.120_nb-no_37ad2e2fc6b0556e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.NonGeneric\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_hu-hu_ef8f268afa066915\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_lt-lt_7ba1244cc48c2405\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..skmanager.resources_31bf3856ad364e35_10.0.22000.120_eu-es_ea54595f4185e46b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..t-storage.resources_31bf3856ad364e35_10.0.22000.184_it-it_3af2f88564a458c4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleLogo.targetsize-36_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..omponents.resources_31bf3856ad364e35_10.0.22000.132_bg-bg_a6b75248cf33d531\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\d637e93d3b284f0fe472fbe73f7217a2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..s-storage.resources_31bf3856ad364e35_10.0.22000.132_ca-es_b2892e9eddf96f4e\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\microsoft.isam.esent.interop.wsa\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..oudeditionn-license_31bf3856ad364e35_10.0.22000.348_none_752ebc309d388382\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..y-runtime.resources_31bf3856ad364e35_10.0.22000.469_fr-ca_bd58f1415a00c95e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.22000.184_bg-bg_04d4789c8e15c10a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Help\Corporate\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Activities\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\etw.js	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_fi-fi_e09cf6004fd44da9\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\a629dc226209d249e95a8bc6319a940d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-black_scale-150.png	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..t-storage.resources_31bf3856ad364e35_10.0.22000.184_it-it_3af2f88564a458c4\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_fr-ca_c23a704950cd6052\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_ro-ro_be3df210b405b65e\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_ca-es_a992e53b55c23f02\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
21180	vssadmin.exe
20400	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{EB1CA381-0332-4890-91C7-7231D026A5BB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 705242.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 892713.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 21130.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2432	msedge.exe
2432	msedge.exe
1240	identity_helper.exe
1240	identity_helper.exe
924	msedge.exe
924	msedge.exe
3844	msedge.exe
3844	msedge.exe
4772	msedge.exe
4772	msedge.exe
4228	msedge.exe
4228	msedge.exe
1544	msedge.exe
1544	msedge.exe
1532	rundll32.exe
1532	rundll32.exe
2372	CB2B.tmp
2372	CB2B.tmp
2372	CB2B.tmp
2372	CB2B.tmp
2372	CB2B.tmp
2372	CB2B.tmp
2372	CB2B.tmp
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
1620	CoronaVirus.exe
23528	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	Fantom.exe
Token: SeShutdownPrivilege	1532	rundll32.exe
Token: SeDebugPrivilege	1532	rundll32.exe
Token: SeTcbPrivilege	1532	rundll32.exe
Token: SeDebugPrivilege	2372	CB2B.tmp
Token: SeBackupPrivilege	21256	vssvc.exe
Token: SeRestorePrivilege	21256	vssvc.exe
Token: SeAuditPrivilege	21256	vssvc.exe
Token: SeShutdownPrivilege	18980	rundll32.exe
Token: SeDebugPrivilege	18980	rundll32.exe
Token: SeTcbPrivilege	18980	rundll32.exe
Token: SeDebugPrivilege	19560	Fantom.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	NotPetya.exe
11352	NotPetya.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2220	2432	msedge.exe	106
PID 2432 wrote to memory of 2220	2432	msedge.exe	106
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 4448	2432	msedge.exe	107
PID 2432 wrote to memory of 2140	2432	msedge.exe	108
PID 2432 wrote to memory of 2140	2432	msedge.exe	108
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109
PID 2432 wrote to memory of 576	2432	msedge.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KmdUtil.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KmdUtil.exe"
1⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee0fe3cb8,0x7ffee0fe3cc8,0x7ffee0fe3cd8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,6540822907868011156,9162736723709097122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:23528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2888

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2956
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 21:04
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3676
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 21:04
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\CB2B.tmp
    "C:\Users\Admin\AppData\Local\Temp\CB2B.tmp" \\.\pipe\{DE37A53C-9C18-499E-B021-0BC8125F310F}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1720
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:16392

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1620
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:400
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:21160
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:21180
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5512
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:20060
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:20400
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:17680
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:18888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:21256

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:11352
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:18980

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:19560

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:16624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak.fantom

Filesize
16B

MD5
1dff3563387013e5189db1b16d3366ad

SHA1
b7f7154fcc47d7c2933b82b3810ac81aef0474a1

SHA256
2918dd3b780b8c8bc82173b05875498376d7eea47b42699bc48feb9d71b068a0

SHA512
7b2dd7975fb7f8fdd4dda568d046d89b67feb7385ba1dc31aced8db121973869c8cf49800a6ee2286a257aecd92ef474c29c823f0532a9e4f84a1b32c020bee9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Extensions\external_extensions.json.fantom

Filesize
32B

MD5
15f169eab4cf7ee8a2b3149e1fea4065

SHA1
e311146c73a3f8886d4c8bc58b7f9900ea2cb0c0

SHA256
e08ca3e7a8995f6a9eaeb02e567fc67d2d10201935747fe46f1f7feea3ae5fcf

SHA512
6270dd51c7c62b92be777364721ffdcc26c5c7bc1e820429882674fb8b8aca707d44743550b61cb24207f1188043b189694f862db7ff925ea8f277022423cb09

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
ec898ce86ad3d03b51cedfb8e73b685d

SHA1
3055f8547d5542d1b8e53f78fafa86692a86d9f0

SHA256
2178a34db0068219a124c46725dd763b1969ee8624180ad3efb4c4fd0efb6a47

SHA512
e5c68ebd6a2636f78a32a609cad8a875150bc768c089015088184cba2f3b799ba335d55ca8b6f846eedd8ece12d28cb350c9632406595ed95ad6a8ec153622cd

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
c60573f7c370581311eb400a616d208a

SHA1
bd3afe0321ff0f3b5898e1af372f75b23300ba38

SHA256
4fd9af259e85dda906e1cda74ef6c42eba28764fea6969a5848efa9dfa18191d

SHA512
ab317dc4eeb419fd3f6cbeaede1fc04620accdd061694be7f63d2b0a0b1cad2af89a655d899c9c5febdebf7820311ecb937c5821b118d3a9d77b759286b197ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-5C2F5FAD.[[email protected]].ncov

Filesize
2.9MB

MD5
42ec75e58761dd3fb6a062cd6ff12ed2

SHA1
7dd3685e376762a54df090d9f01c5107fe04bbc3

SHA256
fd824811105bbda35df4d9715f51969eca8c2c0b3dc323a48d0d932b08cc7d09

SHA512
cbe9878c545341b32ddc25bc1f1a1b32a07e09803d79a41c556928eaa8e14787083ccedc68c6d685c11e25272109956c06b086c7f00e768c46cccf0ddd7f68f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
92bec6fc035b565b5d474737c8adf26b

SHA1
c7dc462f4242f43ac42d33fa2b95dae59ace68e5

SHA256
756102f4145f405df39da13b8d2c171dfb4a7ed8b134f15e4b3c1cd627f72637

SHA512
cee69b1b9dae87f56972fd60e3bcddbf86b0a3dee806148ed577fb45971f90a90e73452c1a0bb04b66576fadbc363225645fe5f6382302a20ea38ff462f0bc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
05bab12db86c4349ab4af9b956615318

SHA1
18177aa9b64edfc30fcac98001a4121decac8a6f

SHA256
4ff94dc4f2f94f4cf050826f794c557ad8d2ed062d7eecb0cc25ed428fb5ea19

SHA512
72e52faa04f99c3610df8ed60a838b0b5b78c2bd71487b5fc7fd1b2eab510c910dbe666451726eaa90c156701c079db431d9c2bc44322fd6722aa194c37ba52a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afd0f951e96ad10a010d72e574e73eb8

SHA1
356553a5c4945c84e36a1667b2ca73b52884ae71

SHA256
76c2080880b32ebe662d57fe21f97d9d89d7a0ff0eb4d8b6ea8b006ed696b305

SHA512
05134ed138f47c90a0318cfeb15ce52993ab7013c96037e4cacd25cda14cff70ac4da7f97835beb8e39e5c94d35d1a66cd0747aa34362ddb432dde57eb5a4dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
93804b3001fb6dcbba461991d06c9ca6

SHA1
8e0837a590d9d5f5adebfcd5eddce54eab85dd7d

SHA256
2130aedc12fb9e13de14edb9c7b046fb70cf1439cb79933cdebf880e1a6c30bb

SHA512
b87724c05c2c0d4b73b4c45ac1a1c49f31e54387f36154ea5944fb1583b76c68310d0f667373c91a29243cd24b61f3c37414cf949e3ee2858589790074f48f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ada810bc3b2232cd964151c0471ca581

SHA1
bdf3084a676df5b26116a7ffa1f936953b1546ff

SHA256
30c4b4221576672f6df46673bfecd714623902d43f473bcf4ed128cdb4f57b3b

SHA512
836aa203803ceff42d7469f840e53b86cc1e200c242de2b697ff5e072fcb5e3c364f2823e8cd1a725a79bd4bcfd95c61f980e4b3ba4b07ee9513688c39928b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f7e6e08e5a9afd340756264a1436fabb

SHA1
5822ca595a0ee2a88c4f9b3786d69519888934af

SHA256
1001e2171dee45e5652aef2d3c8290b21fe63edd89536dd5b7dea23512cdee22

SHA512
d61228482a6822e2ef7f4eb1c0f49e6b276382ed1e2a1de62ba02c004b66b53bc825e1941672dc8bac2af33d27bd039ee6248415fbdf069284927609b9e7890c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f9d07f7a17a7224e5afa0d8ddd9bb973

SHA1
32bbfbd890797d8d1e1ed5234606c029e597997d

SHA256
2360539af526d0b9c6b3326d88ffb2dd99b01736aa879a2a958a6dc75ad2b005

SHA512
0a1c19a104c90a175e3884366a74ce33f3dd1386691d4d69d3f75e974e8ebbd025bfceed3ef55e9de6d4aba1b623bbf843c51e268354fa27d8a4227ec9d72ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c2df650f7bc17699536d3d996aef192

SHA1
92dbf651226b0d13e1192256155832d54bc52236

SHA256
5c77ddf869ed47026e8d720f4d9c8bddfdc9571bc51b3d34255613b82d7d8c59

SHA512
38e098e9dd2aebeb79fa8d2a0ce068720cf68a3a792b32b8735ebf57873610b92376f0ee2309d23a243b61b7cf50d1d1f47e8e60979377463fbbd7cc96aa2074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0db9096039beab5260f858f432f33e91

SHA1
148421f60a91a4ec79ebc7278f8c38d6f1af78df

SHA256
22de50fd522196b1813927fff9a9c59cb291f2d0206927bcfd08144caa2c5b0b

SHA512
16c272a6bc8192352cb237f2fa8f01abb1d4d1dcfa0b4ed2ff9d52a746100a2cf75d2d01a61c28799348668e512a1b56d0e2e7261f6d5db67d129f64a2069249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6ec2d3.TMP

Filesize
1KB

MD5
fdb863d5c8f2dcb2c2ad684fab5f2ebf

SHA1
4697120f423a89280b90833feac86a3375c09e94

SHA256
2a71816f98f86f27b113099231072ffb2643115dde67eb0eecc251cf6b4b82d2

SHA512
b8a55ffcc124998f73c8aa1b1469c470c7b1965f5590333b3236e8c481b3e18f354c459b16a525e0c112806385da723e048dce93ba08a43cd7a50f4ee3657038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea08858edf6715f623267d841a8564e4

SHA1
066f501446f802930520cc8e774e54dd6b904061

SHA256
9d3484b40db6356c6824916226ed19dc0e6fdb10ffe864fa2e295608e3669107

SHA512
8aaf2ee9dfdef0be2d745ec85a2df8cf2926339ee4bf41732ad9cf21259ccfead08f25f03f61aa24c6385fc19ec6500fef687ced366aa86fde88e5daa184259d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bdd2c1fbc78b7a1f939c401bc5dc22a1

SHA1
c7aab5c1fe70fafca487a5f6c040812c9d54b87a

SHA256
2362a71d22f592e415b35984cd894f77128f95e5892182ebd772667a17e2de71

SHA512
5ff0cffa3aabdcacd95b80e994cdb6b0e8de28210aef31c40b0115f93654f90c6dca5ebbbce36fdad4dcd2104f842ce6b779adf8b478ea34f0b8b6f35586d5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB2B.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 21130.crdownload

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705242.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 892713.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Public\Desktop\FILES ENCRYPTED.txt

Filesize
176B

MD5
6029c0c6e8e99a62bce458b646f66765

SHA1
b7f8bb70fa65a05b0c273c495877f0ccb4f2c37f

SHA256
3b049382dcc7c0386f2b5f28e72bab9d69f4db57a03f7c3fbd8aacaf6d78cc5b

SHA512
cbc14afc27032bc44f90d8f7946809054d24e73e61ea1896aada630583cff028022ceb0c9cc1c27b87eeb63a41dc627f5caf2cc52f75a1d18db53ebfd1a1339b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
5e787ef73fdbaa529d9677dd004491d1

SHA1
2a7f62c95bbeb230d26b7dd1b48f6bb2fc414163

SHA256
9dae8cbd4e88cde04d738cb0e40f91a64d639817eeebdcfba84a5bb9f77a1975

SHA512
d6130650a281b5c2527546b37a6aa7efcdbbcbec8fae830d5ac2f87f6ccc6874c72e31105c037c0c348e2fde752b274ce075b035f1e21a191195146cf041efb5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
174f690064ef8386d354b36618a01e67

SHA1
0c3a2d8cb4cb8cbea194976da3d8ce4e0231f527

SHA256
244bea72a1dfff21fe46e1174e9b2a1640f9283a7feb5ac67e9ce1a086faa71c

SHA512
78f0ad594b6fa03da46cf9ab5abe357bb2301cfc6a4619b6b7ab84e050e8181acb13b9ebaabff73d5c81dc1586eaf11d2041a1bda6ba0e3070d31c562a683d6a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
2c74a5313bd18c1287efa1054d73d6f2

SHA1
3088c46345b56613c2798c9dd0f442a7ce6897ac

SHA256
092aed655522e97095e4e6e30341f6330b549baabccf82e8d96903102dd2576e

SHA512
0a477990afa0ea13489b07f95ecefc0847103e4af4610f6cff88758ab8af0dbf8311595155d5936590e84bee26d0de918eaff2ce05d3e1423aeb4886dab03372

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
320B

MD5
9fed03f5c378cf424436bdd017993d5a

SHA1
0dd3ca6b4053601af447a5c35d6a5985fbd162d8

SHA256
6ef3f3f89fc42e40a0fadc5281afef3234648330628ae34153d300f3acc9154c

SHA512
feedddd2d12c902d1550234d2f991600fa0a3423304f873dd4e6840bfb9d32aa1301fb62cdc2a61ea515baefc475593f5d785e62634ab247bfc370e7023c12b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
e2b25475ea54fbb88e68306825cbb256

SHA1
0f2689cbd9dbc1c6730b3886d83c36af69492046

SHA256
a72a3c11e79dc1d75d1aa1b8ff16eac14ca61f9147f06bd298f5da60026ba3f6

SHA512
7370a068cf000ee4f06949239ecad97162f91fed7a9972728d411e581de8e7245d0711144442b88cc4b5f35bf88d65076c7d0a1779317f4ee884d0ddf2478652

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
499b864b3105bb8324f8d4f48e1999a1

SHA1
5b9421fabb08760d97f8d0d80ec63c6751d76090

SHA256
97d0d803a363d3f216cdd8d29c151ff6ebbc83af0ef471ecdd26dbea82cc0016

SHA512
de526af88269fc3526744928b96f5308d711731e8dc51fb8831a8e00dc83cf4edce72fbf2baa982260edb8e86fbf2a55186c33c95861bc537c8ddba31a7c9121

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
960B

MD5
a6b08fd04380d0bb7213f6f18e567165

SHA1
4b10c14a2403e733a901c4ae62f2ad4ceabaca30

SHA256
d63c9ad49b0765e32f877a22a016cb0d108392e46dae47d09fa460c463e88d15

SHA512
962144d95b6dd7c060239ca533a78ba6776b2974f7a1e65bbb776b3e0d6b1431645249072f76602978ba07a8672e53bb8fac42477f1de98a95f90ac9792d2a68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
128B

MD5
c4c2b79c4c71e485dc05639a1499b2de

SHA1
35c4561f1532b1356eff7ab6f912d3fb6b309817

SHA256
20f620ea9c4f87e28ddb0b18023e448e81a22ebbf1f6276d5b7cc1c0349b749a

SHA512
ce7b0aed1ca7946ed94e876c51eb971b83c89eaeee3dfee64e790c7f77672c80c0efbfd9d0cf5186ecfe740b2b07b2809f90c2dec3e1b275e7a87c0d1e2c6fc6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
14614e6ca6b4714925ede86e0f108129

SHA1
7e11b7b4ccafef4024d87172de582d507fcd96f5

SHA256
55859ef14c253ca250b7d52914162e7d922343c6e542a8877f14c6ab17f9c67f

SHA512
6d1740bd9c230440839b0412ec2749cff43bc43fd180f03c385da666563f6d045036b13542c6fcbe819333a55a7e584cab74c0d69165ea1aabf3fce773d8785e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
646147965ea9d16854489e9cf8982d3a

SHA1
dd123d8a58eb245b1171086cce5a7307d1ab4993

SHA256
571febce78ef4e4aba3f0116e299492e23a82d6b545cd1d3f458e7b50eca1f83

SHA512
7f51057919bcba85c82356ea485137b0849f11b3627adccd47b7f091a7a6276c2a83abd8926c7bfcbc448477e3dace9910dcdefb21921ead83946d21d3564d56

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
64B

MD5
c6862cb93726c238f8776f4cd071b7d9

SHA1
5181c3f1042587b3a29ed3efd6fdc0eb0835f119

SHA256
e7f45c38b5bda066e717c88463ee8d24facd72ecbeede42b75261cd9c86d37ff

SHA512
80d4756884ff3975c6fff6609566f16a22617513ada8f671bcae477a9fbde865af63e9f9cb25603690cc85223e8fe76363c20e097d3547b194db0edab920595c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
928B

MD5
94d1e4d7f2130faf6c19e127ecde4f5a

SHA1
372141de5c4e2fc5b235d07a1d7a1250af917b18

SHA256
a954911377c3b8eecd33467018773a277fa2fbbb5fb9186adddb55c9f895e2e0

SHA512
60b32d366382426b5863e0392126ae4ec3d089b83e7c5d56f55a9c624172b8810309210b1fb4c4a6a6c64812e9e9f8431b47d8e1fa6b9dfb87664511530275b6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
96B

MD5
5ac083c53f3fcbbdd84fef544cf6515d

SHA1
9f47a1446b3e82c2c5656c0e73094a4543927f81

SHA256
ccee2c06e1174d1392c545b379ab90daef1609722e4b790e89a9f8e2adcb77ad

SHA512
355c729ed65f7e08a979d15ba7464c0195f77274936a575946304a60b210be81ce984be6f959ce4ba57e5e9aaeea51058d4203c29fda649280fd7e5e46193bab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
96B

MD5
e4e10c1d6deb05a473910355204d9c78

SHA1
6494665f8e93d40194f492184cdbcf62db4343b2

SHA256
55e6d7076c1eeb0b5dc9b298eb35f79d64dc86192d944f370b4be033eb1227a8

SHA512
8945aeb3e3871c892f987e13408a7de91709e59c3ab7c5d54d13f5cb0ff1923d9f0cdd5688819484c2f931ae3e4cbcab0b9abb5e71dd8c1eb0c202875d72fdbd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
336B

MD5
cf666d5dc79e7d12e9f8e48a0f39c68f

SHA1
5980c6fd998f645915abb5aa9088e97543196d83

SHA256
35774ab6212d100d5007ac7ff852500f519ed8b7b543215a2c7c05bacd9b2e67

SHA512
2443b04f9e6b05096e24fee64f9dbff534fa287d015f69b20da157cf344dee847128b6fbc339e1a18292c4e6e567960462aea07b918b899d64f1c7075eabb6bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
959019a5f1bba9c69c04fb14c98035f0

SHA1
fcf0937b3558acd496932e2b0ec40cde3945b117

SHA256
3de8bb97a4e13cba151f9eb9c8a9b92731d83e2b06b7abaf5a652beba98ba036

SHA512
6676a98f15de1622ea4cb87c5381ad0ec089ce573eafc6fd53cb9c95660fd3f31d030055baa04531825f03316f1f44a935b15820a7b42146f8edc5bb677f7f4f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
176B

MD5
8e1a4ec48eba93fdfe52e15991e85913

SHA1
d6a100be309e636f8544ba4afc8520704fba659b

SHA256
daa450af8fc872fa74e364bb8f5afa6ae2acd8bdf4f9209077272261b27a8073

SHA512
5f3e99d6ff2464d9740199ca1e76d8afd2befb6edbad4d784d243c92d0ddd55d934161555d6d990d2ac0cadb52b1902e5f4e258528c50e7ef55c1688774abab8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
592B

MD5
ba0cab328a57c24ce3db6025b1debe12

SHA1
84a67d840f5c08b84a82e322f73ff4b7cf9b21fd

SHA256
2990c60a16eb3f8b0d2f1480357a1853d1836a1b918a7427773b16fd708d7fad

SHA512
edc846381f6f50da9f62e9dde372500100942de6a0831f56272cce7cbef70163949ecf4d2cfaf2773af62feab9ae8852f311b20c171f08903fd8a2c9610a37e5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
128B

MD5
87b2aa73ece2d3a2b755b719af4b45e7

SHA1
a205a4a7e9ddd69d5932a9557365b6353282bcee

SHA256
f5fc809628be399c2f8dc82bde67d79d0842b2f6925f6899f5b3c7f3628393eb

SHA512
ffc1dae4a93e0f22338038b50cb19e4717adbae68ae2f53bf569b09bcad22b927953f8ac860c57c962a3b8078b391d287d5752572763c3431ba0b5b3524cfe86

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
e11a348025990711ab2ad77a5d4193b7

SHA1
8179092da282a79970719c6d258710dac2d6001d

SHA256
c4c1296c2ce0cc67ff24a1619dc0161a44f91c9e6432b1f5cb7cbf241ef26259

SHA512
a347f27117286e312b15d081fbce94a6517e7b9855c8187a5b44395906a2238feac13affd77e3045e4a60a88387595412a4199ab424e71d509aeb8faa8c32657

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
896B

MD5
7ca4fece0b69d6f50c77140be5ea77c8

SHA1
4e57af6e20f745b1e4a49decfaff7787f9dab71d

SHA256
72d367286c1eeebc4457c94e3911e2ab84442bb8a3b9fbf9442ec6b99a7ef916

SHA512
1d5a385d4921afdba51ca261dffdeeb3416f595f59ba3dfc62011e8a526956b660d0c8b90a33bb4773151576f48ffd9a89469f219583a2e0fba8d2f8bda02d6c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
6cecc3eee69dd18e3e847e04bcf530ae

SHA1
efaa429a2ca5b9b9c4fc136e7b99d86becd6b3f7

SHA256
8ad7de8fa012dff90270545a36afe7be292cfcb124645fa20fee7a19a36359fa

SHA512
8ec90ca970a8ce407d4b45ff0b3e7da078db2b874cf3de28fe0a4403a5249132bb3ef31b8f28b5da67fcdc1fa8c4c66b07857578ba804462666cffc11f6a1552

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
17825449e7e6bdc4fa12a7e66ca491bd

SHA1
e6b565a1064c740351e9b0f9febfb1531101278b

SHA256
bd5931049523d949fae5c41bd5794a0a3a1888e12b0dcdfd35d42bbdf96a2c13

SHA512
c66e5370325b5f4ad2fb3d3f7c1c83770642b626c4b5f4141992100f7891e54d657efa8c88b484f753b645da5cabaa35fae6751fbe3f86b4536523f4ba29caed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx

Filesize
8KB

MD5
6f98acb11bf707d8925b6acbe5e8fb34

SHA1
53f7d2e94bbed829cc8a48d83713f6f180566754

SHA256
a15725d607dcdb9a11390cd7dc3115ba605a933b999ed622ffc3005c05de3bc9

SHA512
f73c74a5de499a0ee6d1ab5bcf87d59e90855e71880723df94577c844b00e2d2d9b3b2b98e03f314de90688a4533d0c58c2d5d2be146bb2e65b918265e5d3aa5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
49c11b0acf79a4143bcee46b13e77882

SHA1
35292ee98c22543d4499eba9b5f6763d381c3054

SHA256
b9fb9dd82d95176a88a914bbbbe54be17be59063538f727ed9332b1c945fc116

SHA512
bebe4526a264f796ee76e796ee638adc683ea54b35ff3db661521c2677393a9000dd6ada92ff48cc33a934f015ea0d7e0cb70e7dc2ac4cf0d0eacf8bbbac0be5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
b7d36b50bf928cf81e1d9547af852978

SHA1
35f4045980c31c18165c4045f603a3ec4c1b7d23

SHA256
a227920eb9c2c365898210398a0a39a3fca662f63af5566d882e01c969412e68

SHA512
caf11c47a9545654d8e21923cc955eedc70fa57344e0fedece45c0460b7d5a818e4f99f4914906a311b7a668f6fe4d38d764d27ce73644972f39acb0bffd165d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
6c99018a570ebe44d694d0fd5a5e051f

SHA1
32a69c07c021eca2d8205d33524e3225ccbc5a25

SHA256
7abb5d024c93348e910ffe05f3ee0c06502d3ec9f8310fca1eef82ca48ce8b50

SHA512
e0f983b6400f6d9700abfcb8c765e1eeb59accc123f6011ff2eabc703bfaf759ff3fc9afc561d37a30d8fd00300136f8b1efadce8b8d4db254cd566eb7a747af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
a8bd00706579ed1f581cde075828ed19

SHA1
15aa3f3cd46f48097fa21fcb71fa15540df14b5d

SHA256
3e82bb8e02a339d32c828b094b91915e37f71fadb3ca705bb1907d8a9844558f

SHA512
b88c81d1d451c7a2cf5d77dfb6f4f09cb8f223a60a1361ab0dddaa6308b03cc27650709fe9832e5eb77e5593c1e05029feae90ec37c7d837a883a1116cf21c72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
feda369f6e26f7fba983114c628864c7

SHA1
8ba2fd2eb55a66a7c915472dab5da9c323cb78c2

SHA256
85dcdd1af988922dcb285776ba1bdc3b333df144262a7f8fe8cdfdb5ee783834

SHA512
aec966722156af2dd6c39ef77872c1bd3b2159f22b7232458e9aee2f92abe00d6d4ae7ba9821f9ba34872c2ca4e46525a538815a520b5d51bb760a46c47a91e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx

Filesize
2KB

MD5
69b5afd00f05e5beaa459e15629435e5

SHA1
c58834a919ca868ee2da1586b9f793ce10c8a0d9

SHA256
7356be50282cfe7008bfd537abe058cb7d51e8e3c5bdc5d543b2c30e4d732686

SHA512
62f832fd29b834bf861949de63774dd980f682eff894e34bf526f8198ece6c9d5c4965bba0a615654068a0c9a111cb41d3d00610439ac8e015e19dc1e2fbe0ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardCreateRoles.ascx

Filesize
7KB

MD5
cbe9aadbbf548133e01893d11e103ee1

SHA1
4e2c328fd5a6f1cb88d187a5a64a13b85fc162ce

SHA256
ae13ab9d28bca71a5f344a57ab8f71ad228678e11d1f84e9477d0d78495ea3f9

SHA512
c10cdc5a0c4d284f2a71b588ff613eaef8a5e8d3d0ccefd511b991c0f425813177075619df33067f7d6629e2c8332011e504c78556e2059f54fa9951074e89ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx

Filesize
272B

MD5
00af14a3b590f973127cc39f156fb8b0

SHA1
78e35d79513dd0e06c9eb11724914e2f47331da2

SHA256
7e7ae3ff8f7ee97727885283b523c2d372184cfd0ce9cf89b1608a08eddb00ce

SHA512
eab0bf76bdbba70c609aba4f604bda3edadcc2081f89d251b523a98ebc34043fc2a28b5f3b1f27302ca6cf99ef9ba25fe5495664e7f31ffb3471167d45da2611

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx

Filesize
496B

MD5
1251707c74688b1a530d04cf5d829ca9

SHA1
4445373fc7a2387f0bfd58ce321e6b14ff0d6498

SHA256
81aa13189ac61597a61fcd410bf3816f4ddfec5a1df7e623bf47a57e88a24edf

SHA512
364a3c3bdaee697f0d0d9b553b34b6e26556733d3e2836b868117f7c72b9a2d51bcde23fed280350b1da30f290742eaa2df05431ee015471acb83d5613122c2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx

Filesize
24KB

MD5
4c8f8aff80a712c60273b4a6958c37b3

SHA1
f89fdce6010ebbf32bdd3b91aaec3a1b954ac6e8

SHA256
f92618b16a37801041e3d4206c3ea078bc9b207cc9f895ed1634ab4ed5b697c3

SHA512
c21e8029c0500dac5d0385c2efd1b8453ab62db9fb65baf96b92b9813f3cd40b2b257992461f560735220e2a1a1334f776bea69ea74d59c3f7f6fb97c1df0f2e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx

Filesize
1KB

MD5
ac3fe52997ada696f77923eabcf6ea9b

SHA1
984c1e66be13c42a8afa556a56806872d90d7fbe

SHA256
b680771827489914fe57df625fdab6d41a1452c1f13d3736bff3f8f4d9cbdef4

SHA512
f6765a444e2811ae3b8ee42de8382fb07beda71598d67d7bb58712fd43d9f2e2bd458380e25863a8bdf0572f9c5d1bb1efcfafc31d3c3f44ee172b2bbfbfcd6a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
89aeb6a63d2588089d6d98d40350e91b

SHA1
23fab5dc8665f67602e66ea791c3e2982180e4bb

SHA256
b0bdda92a851ad1c98fcfb5fa3479d9d82e9a9f5a599fb4db0fe204473da18ef

SHA512
6dd9270a09128fc07458c0dfaa9def738a8a8f2fe5eceba28d4e1545aaeb5f436725f55ad440408c3857d0793a20de4a73d78a61fb343f4a872d99daebe34e13

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
5a68f0e92417517f87053a97bcbf6245

SHA1
7ead59b38f07d0ba858ee00f4a7afdceb8ca3967

SHA256
0b7df7fae1f679e2910d140e87b391f191ed713d4b37e5bb656b110b76078c58

SHA512
02d4920861a260d833f09654d1d6d8531a1fc9cfd34b37be9764b9cb8f7cc4ac87c39871265e28d49457ac324d7798ae4ba4b4454b84d94dc3d183175c983944

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
d664214489da2c3e71f88a033fd9792c

SHA1
5de5b856e6392cb887274290102b95c2514e7bf3

SHA256
ecbaa1bcd537209f21572a029d1485055d2b8654917199dd97af1042cdb63a47

SHA512
dba8b429d3718d0d969bb62ca2aa40e932ec5eb50004d5bf37c8a9b4724ec9a5f735f163aa1561c007e8810345c83fe5d0f56461dd5d3096dafe2f9c08e8fa1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
92bb5e0e990850b07ea861af9d9032f7

SHA1
f6100370a6c89903246d6c5dcd09e3754306ee42

SHA256
a9d23c8c605b1545ead21b5f1217f6f006ede537d766bed46c93c1a67a802196

SHA512
8b6c06eb7ee116f93611899df85f6a0c41f800ab82fc02ac677663bc62a3baf1385cbe1e6c16fb6516bfcc1918898d8405951a99dfc8ea69ad14e8345750673b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
f661b64658049859f4034cf35966c4a1

SHA1
9f90cdd34fe0702b9a9532c1365a04705cd3668b

SHA256
2fd3722926b3211dfde3c90f464857c1595f96be2d54eb359d6491c4295cbbe5

SHA512
820f404e533ca7a109497b9ce3604c9755fb45e73b70cbd8f5526965295ca5ce83b7572f96b1a12473afc0e0d3454a3648544b33916c5eb1eed8db862bff6c11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
3f9de24158861b1a6e12dc7bc916577a

SHA1
b6e83d10285305f86b032ecde364547b7c27a51d

SHA256
270ea45fd4929ad312e6e5cd859ed49d524d246924a4bd3a236e7d14804488e7

SHA512
edc8d4c42f58f44893479ba8bc275293a64ae71ecfe69b14806a6d4fd6972a26b5222574a6f607c926d3ac3d5028cf63787d2bb2f452d3d970be62107974ee38

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
0629740b412fab8497767dc8b39b23d9

SHA1
83aea6ee1235085451a3cad9742579b9f3fdfd1f

SHA256
5e894b6d228036e6d3693f469810e23fd81428f4a0c79a21aec8aae0b73b4c3b

SHA512
cbafac013309e4ea815cd2f08bc7d794a74390505e71d4ec8a16b15c0eeed7ad0a346c9460c0cd443d653f0963f1304dcbe4b3926655def5e160d1b5324e822d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
378d01084d49ea493957176e35c6b159

SHA1
c769d0411d284f196fbd7a2cbfb7720dbe575df2

SHA256
b6d069111a5e02d8362afc4fccd83cba263c8e746bed055f7861675ca06ac4a0

SHA512
1af5a903c70d29858edc3a65ddd3ac6056a6b79a84ade05e5e407694bf3134e28fb1e50ddd6a99f2c271c63a4b1aa602978f71bba3a4da82be2745d0e01fc2df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
ff0d9eab0dca063f3e10f6734037eb15

SHA1
1c82303e0d27cadc868a9799f746bf1d35a30ab2

SHA256
87c17a9af619ee243b0b4d359b2e015eff03723fc1ddf40716e20ba93e8d17cb

SHA512
f6736bf8ab39187b70f80785ac3c9a2423100ef51ca48906b6587b00caa788b56c49c513164ab3a3df0b90235774f5d6c264fc3d53c7fcc4ef5fb7313c67067d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
d632c883475846d39fb7807657d7326e

SHA1
12762c16e90cfadaf9536e5a4fa384163cc93f4b

SHA256
d6e2f7d76456d1d6db6481e3c7a2b9ccc84e96fcae9d38f37ed2c4cc836e0cc1

SHA512
691cab3abdd93db0102853bd40836c0f091d38695d0b64c4f80a0963fc930d8ce539445864bbfb57fd26267fb8c885b00a5122518cf17ceb6d714fd36cfa72b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
b387e696a65581394e4e3fc54c4b0173

SHA1
646896d634f9ba3556abe10bf3784ad1db4d0d68

SHA256
e78778a2c74460ded715eea1de5f7018fc80a1ca580812b73da246d0a7c27813

SHA512
42753a85d8ea320c45b40ea2a1d28322efcc73ea4dbad56490867199e9ba47ece1f58633f9e96fe28a663ff52607f0436739b2fa0208199646d7783405ed6f98

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
4781cede5224768342302e586ed9a737

SHA1
dbd37c162a0489de2d85aa40ce484e06ce348e9c

SHA256
df3a66b03f4bc835a02528e4f320f6f067e8e54051706ef05966303c3963077e

SHA512
0b8441c3efc136c1465222600e959a9137966d5298e3c267c2013bdce8b40817261c899d7920a6b4534074bc2e79450bb6a64483a6d0aba41534f58c2577e93f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
29465c2c922cd280af4e12c4d4981176

SHA1
2d5219aaf28cdd194956c30145867b2edae9a190

SHA256
524a4f015e25cdda72bc1d299d211190f05696d64e90d9b14f887c849f9579a9

SHA512
5e9187d2d304460ef8ed32503aec7b292734d682fa350b6be7fe3eade1bf94dddb79c43726a670b91d663c19fc29573dc5f83d62a5236a5100effa7b50f36306

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\navigationBar.ascx

Filesize
8KB

MD5
de0862a94dd5ee0a37b1b79da48a3cc0

SHA1
e4f80bcc158f5e667858056e5a4d77f48dc17b98

SHA256
d077580646c0f28bfef98ebb565b5ca7ac159e91fa33c7722a792e50a56e54c5

SHA512
4bf3f7d919458e7e58d4e21ef13288544ca345dfb5400483b931c8cbd49d5d7b80497f2ff49cbfe5132a321e96eca3de781194c389ef548defcd25882a8c4fbb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
ef67a862324631b7c42e7733f5ffd447

SHA1
1cbf767d4eb908c7c71dcac7badd5c71ae073463

SHA256
f68f47d50f8753720d094c852a2ab2ce0216a5b90e566ad47d20c4bdf5eddaf0

SHA512
c288f462d5d3449551a097712d01bb581c1f48bebd5741d45232f455298e5835d783d8de3235431c056008b07f9e2b227dbe6167adc49a98b5f733ec9f7d95d5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
1b061652c48b548167c195600e876f66

SHA1
2b7043a96446b097983d7f237810e232d36dcd3d

SHA256
784e8fa4fa5aedb9eaa9ac427b730bed50d646eb287eb75c44ed4ef7cee53c73

SHA512
dc82837e915ab532a885a541fa0685848d7befc8abc613ad2037b67120eb36cfdbcb6ffb6c48398cd3b32993a02d148e490aab204c79e78a1cf9837379a7e82a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
8008fa0257f90cd32864b322e343078c

SHA1
fbacd5c61d8479cc64e8f2172891da231d773723

SHA256
257fb5ae8b938adec476d4d611f60e85453f44cad69422c064c7a632f6cf587e

SHA512
36a5286ac320a5d85c74de0c37fbd2269403366aa8a49efecd15e09b04cf5bfcf0d1726fda4041161783bab75458a7aca5704df5c3943a6a71898ec64256556d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
596d83a92a618198fe8792d2f5b83307

SHA1
fe44b65ca75349c3c9e721d6f8839980f9f351f9

SHA256
9a443733077966aa2e13f7860456baa9082208568e705822053c62ad6b85d1ef

SHA512
c1c4a0fe4f3cdd1823fbe5915b570adc541fbf9f5ecf9727d777fa2d8e1eef3362caa523ff30300de65f6c561a627937675a3cc95ddaeaba8b3c457bfa5c0b01

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

Filesize
34KB

MD5
3088d6469282b3f561ca1f972845fe60

SHA1
d498c5ad526a39f8f3670c7bdbab01f6d394f35b

SHA256
564b61cb56ae0ae9b1707a3b0674a45a175baa6347d8a80aaa490fcfefc7b46f

SHA512
671f39c94b25377b5618de0e7d5b64c9cae941366723b4549701c71f94ac0b118a5bead8071fd7de0f0eefd76eb500e9d5969b7da2f33cc251cfaa9e9b1bb593

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
c73015f739b90d58996509d1a16ebbda

SHA1
e6ce6d56dc646292d295a43f9dab3d761e0029e5

SHA256
22d67fb701356d3d9420cbfc69e772db13a6dbac56b3f104b4a8f8801a2c07c8

SHA512
a67eb210952c3877c06e5600ab50053389923b2b1655b864a56df88ef2b61070b225cc07f7ff0ed9819cbcb7853d336cb83e0375d4578e4734bcb66bce744b9e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
f4cca37f53520992c52ae0dbf09451ab

SHA1
731eefbe017f01415e7fb77b944fab0c97fafb87

SHA256
0ad87ea9058ea69a2f0867d7c86bedec645b9cb5f4152e0b763eedf64eb2a081

SHA512
cb4376ffc1ec0ef78c0f1a3ba04f6dbe40f6e35bdef37ac8b438a345713fc6907a9b283c9e482670cba2318de466c665e6e1a3605d351460f3705cdd702f4c1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
a8254d5e47241cbeb18d516386d869f8

SHA1
de93e09777382bb37f950e46a5a77f1c6e73abb6

SHA256
9b6fbc12ccf411fb1e4d4889a492ced7a183c8fd200a49c8be72ae52f22e29dd

SHA512
4694e76cdbbfb32a5cfd5ffb1e80cfc1eaa86263b86fd1cdfa8cf04bb7ee789570a34a6f28d2cea851c7a1600abd4dc7d2f402c9b8d0428aad2665e405a0da8c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
8fbae03d728d90c9187b24774afa5701

SHA1
897a383b191e53c1b9fba718c5bf619e0deaaac4

SHA256
8754d7e269fa16673902ef193d46ead743ef7e73e9d93a89ca55bdd3c2c19a40

SHA512
990d52a07901d227112222fadf82b50d030fd9bf629eb20a8d14a4116e147448015001229cc56caa0700d9c05c2e090892940948596b39bc22a1eb43ec66f807

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
acc0418eb86ddc188d377f891c18615d

SHA1
5e3bef852132e7ef55379586c7c0933103d4655c

SHA256
d5899ca61f00b50941b537012463221a2465a9879c5024c608f5b2a1f0afdcfd

SHA512
f9c18af2801ee957a9a6421bfac004d8b5db1f66a541d3e2e1f7d54c539871c4bb96c61b787eb35a875a822e4e7fb33f6ed5f65e46e77afb249d338ef54ea6ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
5c86ef7d5d7706cd3f01c9b764b39d8c

SHA1
3298b0ccf8c063ca2ae24be141c8dd60c039604b

SHA256
0c970360c103428629152d619804eb3630bedc9c157b9219bcbebb2a87d90676

SHA512
5f43cdbf316d8f6a3009d6d80719ef6e5910a7fbe9484327974db805ca2dbf3bd1528c2f0100e946a72a8d92f9025d424ddd8978ba3cd85d3044edf21a7aa220

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
e0a88ac1d73e1216955a54bb996a5308

SHA1
e097750fbd98802def485c9186d0d2d190120827

SHA256
49b1529e15c15e84bfa386588f6ebb8964d736014fd1aad7bfcb8a0d928296c9

SHA512
6170b3aa58b6bdcd27bba1d80c26c261c520e1c7697a09ba6e4cf46e8b8cfe5c2f45d209215ab3d23274ddfbfc1df0cb2fccfcf3c9cd9cfe96e305f481d8589b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
c87f3a18c239d30f863f06e488ab72b1

SHA1
bf485015f30ec5e88d3f1c51cbc72e3851ec23ec

SHA256
85189d0e423f2880c11c1be6e76c802efe9c25a773840ff37c0255bf12d79bb4

SHA512
05d407ca1c0cca8a027297409237f8128381c94429e5caaea66f3fdbb1ce6e73d1163b179676b9ee8973546559b02bc2b696d451f0fb1d7b0a7abd41a0d26710

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
ebafdb29c2c630a0d39aaad2f9d19937

SHA1
52e1ed491e1e73fc8e4c5d48b41502058fa6cf2f

SHA256
1e441b43f5e6685e1e3e8d179e750cda8b9300cc7d69c5e785281973cee7d654

SHA512
7d2c6f32102527551ac5a2bd26987d00f6a1c2c1eae763d1d2e703c7b43d4a128893be0a6715884d639d9ab21be3d14b9dfe68487bb68efda945fb29ad893be7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
93117dc9456e77169d3d92f45e9ab65f

SHA1
62e9e27d4dedcdca4b7cade16ce539009d777b07

SHA256
cd1d537a72e2cbf294ac205429e36122377fb260fc99878d52abfda4038a89a8

SHA512
ed3eb620ca2a1bb6b8cc37058e58d6e0e0836275c06b2d8c6e99c598f1162577095bc65a3f78939d7bfdffa2ad9eab3cebf40c5e5372c3fca3c100bd14703adb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
67183298878b9cb9b635c5cf06e45694

SHA1
f307ecb5d3849f83fdb6fa581d5015287fb07184

SHA256
aec17651d868186141e86d6d5bfd076776e0a3aa6189db8450307f420ea5c8c4

SHA512
2e5e401fe8714aebfb0ba4eb4013162ae4fe34d2daa182e2c51f2b0ff0b11d10bfb01109bd9657bf3b627c0d4ef0421cea7a262c094036f75e8ca94b79cdfeb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
ca8f81d52470ed7e2ba375902bd483a4

SHA1
c5f5215ca7bc9f29545dc313dc8534af79353634

SHA256
c8ef0b4699958ca0b42755e34ff8414b101e86ed81d7737ce76837e39cd5cc23

SHA512
7c7cd73ef3cbd8b21fb1d7ebfa992a953277c5834d88a6035a2c9490cf3b23bd63cde4c4a8ba924c41e7ea74b8f2a8cde0500ecbf41618d1dda219d44e533bbe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
3765d8a08eedeeb2794f5c4bb3c4aa01

SHA1
8c7426a48deb3b2033195fa796aead8a5d7b0856

SHA256
af2fd9d1600b5100c7217af706c18af2715bc5029c4758619fd8f5815a873d34

SHA512
c1406277d91ab31d1d00f38688dae9efadb79653213f633e9c3180cc6a1cd97b5748f68309facef86318360636d9ea59b2aa151851cd588b7ed8fe8db5df1697

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
d1217223af3f33cc51cbb19c4e86fdcf

SHA1
28f51a40468084a07c4e62f29281ae1fd10ff036

SHA256
10a33ebafa1119b8ffdc0e5b2e3bbf9c86ce0fe5df8f84b120f9142ce4bc694a

SHA512
85aeb829b53bf061c401fb8ac354161be08120afa439cee1e11653837cdf9e5826576c3bf51412ff892fae08dbb1fc2710b96ae0f10120e39a3a6c103ecea9b2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
ce0faa23530fe82a67a2f0aa6299d3e1

SHA1
b04f52c0aa9615dbbbbfeef1c83034ce06481018

SHA256
2cb9812d65502d5eb4227b4d38408793e3c207f73d1a7aff090a550213593341

SHA512
41df1c174dc1cd0e09f7a10c0428f5afa9955045ec3cf369e8d6b092a7532b823917a57f692ee4f926f1c02efacdd805103336c814259c33b11cebb5ae6fd4ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
840e774a262a4786138b2d22f3b1068b

SHA1
7417486c1139a1c6259cbf5c927523710b47d6d5

SHA256
1bce862aa3abed774f4eaf23220d070f62e271160de28569f8c036f95a46d360

SHA512
dbe3b40b32c88d32c5b8cbd6612b250a28b47e2256a3cbd64dfa5c447898811401e21448bff53c0017b66eb2d0248e0aaf5070f9c27c0c745204cf07d194c54f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
64B

MD5
546a2b27390602fedd172e26dd0c071b

SHA1
b788f8a7e7007f45b4c50fa67ee8e61ed806bb33

SHA256
3bdf66557a022068a791203336542b67214601e6f0406696f253f2efcfa5db39

SHA512
6da3d9f5c97736634a79ae03117303cbd5d046fa56df967af74bf4b12ba0ea9c39f0bd3db86ccfa4ce11786de0c978d82e3ec70ca244be01cf29cc34cad56c08

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
80B

MD5
bd98d82cd25ed766661721290f4e3b33

SHA1
09a69ee04d92f7a0b95ca8024ade6f080ca07c33

SHA256
5ab1d1b07ca3e2dee76fbc4cbefddd58df749a1b77e01d885f4761a428518f75

SHA512
f1f3577f2fd00127e45c83a90bc3aad8ce66fc5a160259623d28ac2dcf847b20f1c7cec9d17fafbd32f5ae5f0068b57bdb300603b41e0d8accffbd08a535acfa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
80B

MD5
21d191017727db886b4e562f1f60923a

SHA1
257e23fe36759a5be6f7628c3018afa3bec39146

SHA256
903272d92d00b17b815fdb67a1b819295b92a22dcba87399faf4504aee57e6c5

SHA512
9a97c5838c0edae282af2f3a352575a5a237ac5cf5599253b190e6ebbc6d8f5513d9982af1019d4028ef0b0269d69f4ab659245878ce4a446923e1777d48afd1

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
dec4a653645b61e2a571a4455ac5c88e

SHA1
3462a834d62f07093e3128380f7638259372264b

SHA256
bd2bab2ee246af92d3cb868bf0bb4f337b6604c192a243ec9cfa992310341188

SHA512
2ea846b7e8542fd11914e3cc65d3c21f4cc705c83d4a6b9ee00f23e7c86ab3f4b4717ce2f0aa273976752b84a6af15a8b530be01b697b68d23d42aaa7400e675

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
8e65591bc985e97b1dbedf47e26f2209

SHA1
ae6f678b2d4018211da6ebcd076397fa0a7a4175

SHA256
3edd68a254c5ac127d58e8745f046cdeb8f5e9f20a48fdc0ed3af3395c6624f1

SHA512
850b3888d50daa367cbfb08307340fbbf6c98c768f707f33d7caf22405c150fc25de34b5f093a467d2e2f907ba5961f5a6eddf7a0b363dcbca8f442e5953c931

Download Submit
memory/1620-28024-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-578-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-584-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-638-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-580-0x0000000002710000-0x0000000002742000-memory.dmp

Filesize
200KB

Download
memory/1720-643-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-634-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-26280-0x0000000005830000-0x000000000583E000-memory.dmp

Filesize
56KB

Download
memory/1720-646-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-708-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/1720-632-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-626-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-624-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-726-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/1720-622-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-707-0x0000000004C60000-0x0000000005206000-memory.dmp

Filesize
5.6MB

Download
memory/1720-620-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-594-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-599-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-606-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-628-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-631-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-636-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-579-0x00000000025D0000-0x0000000002602000-memory.dmp

Filesize
200KB

Download
memory/1720-640-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-644-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-586-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-588-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-590-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-592-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-596-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-600-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-602-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-604-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-608-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-610-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-612-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-614-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-616-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/1720-618-0x0000000002710000-0x000000000273B000-memory.dmp

Filesize
172KB

Download
memory/16392-26290-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/16624-27158-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/16624-26279-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/19560-26153-0x00000000049F0000-0x0000000004A22000-memory.dmp

Filesize
200KB

Download