cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

10-09-2024 07:01

240910-htazxs1ekr 10

10-09-2024 06:58

240910-hrqbtssfmc 5

Analysis

max time kernel
115s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

cryptolocker dharma troldesh defense_evasion discovery evasion execution impact persistence ransomware trojan upx

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
12872	NetSh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 2 IoCs

pid	Process
5224	{34184A33-0407-212E-3320-09040709E2C2}.exe
4588	{34184A33-0407-212E-3320-09040709E2C2}.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-491-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-492-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-493-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-495-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-3007-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-8568-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-17529-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-27768-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2940-28045-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	CoronaVirus.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_es-419.dll.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\move.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\psmachine_arm64.dll.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\de_get.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adobe_logo.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle.cur.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97	InfinityCrypt.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.id-E6D931DD.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 5 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6276	vssadmin.exe
13084	vssadmin.exe
13052	vssadmin.exe
12936	vssadmin.exe
14296	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
3192	msedge.exe
3192	msedge.exe
2736	identity_helper.exe
2736	identity_helper.exe
5572	msedge.exe
5572	msedge.exe
2940	NoMoreRansom.exe
2940	NoMoreRansom.exe
2940	NoMoreRansom.exe
2940	NoMoreRansom.exe
4648	CoronaVirus.exe
4648	CoronaVirus.exe
4648	CoronaVirus.exe
4648	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 112	3192	msedge.exe	83
PID 3192 wrote to memory of 112	3192	msedge.exe	83
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4444	3192	msedge.exe	84
PID 3192 wrote to memory of 4860	3192	msedge.exe	85
PID 3192 wrote to memory of 4860	3192	msedge.exe	85
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86
PID 3192 wrote to memory of 2376	3192	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ef2a46f8,0x7ff8ef2a4708,0x7ff8ef2a4718
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,590815400911069145,12379679646987423279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5728 /prefetch:2
  2⤵
  PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6080

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:8
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5224
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4588

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4648
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4984
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8736
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:14296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:8704
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:7672
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6276
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:8156
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:8196

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
1⤵
PID:6996
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:13084
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:13052
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:12936
- C:\Windows\system32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:12872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:16268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
16B

MD5
12a2af38c6fef2e036dc789d69129a92

SHA1
6059ed1db197496fb71a67ede05382562c51473d

SHA256
20a95ac27f8c2a8c21967597f6f4954aa154c05daa6848d514a175572911a9a2

SHA512
e158cd127ebabdd93606d4cd85ca544d761799446584b8dc6c3c732cc913ab87919ffd5d689e86843eabc2107443e1bb3bded87195070e79d77e084adaaa1d72

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
720B

MD5
f55323bd25ebfe6a20995925a1c437be

SHA1
d9b3daec92bd164d229b0f3f4f23089bad5e37ff

SHA256
fc0ee8066c4b965dd76c10a5e8d7d9dc46edaae32ca03fe03a6ea60bdfd53078

SHA512
bc50e369d34c30d1c8c64263f86080123813355d2af84f4d8423458e6ae886c87c44998f6256c8d79aec148e6628f04fc810b696b886942a5384580f0c7e39df

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
688B

MD5
b7346bba713ff26fd70a660e22d855aa

SHA1
d9be8ab8f7eedf32135ad682668548d6a381e3a0

SHA256
2b7733576d43ddc726b5509a05ad58d1abcfcb5001434a8ab0e42dbfaed9a34e

SHA512
7b16d7acaaf689e9ad65ff943dff4346133051b73f804ba5b1ee15d194b01721b247f3d4ff842eee123cd02fc02730433371f7bc80692277536256981e0fa433

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
1KB

MD5
1f88a7e78c0058d23081face15348eaa

SHA1
e1437f5d3787150ac8c5c4fafe79bc0186e75bdb

SHA256
9a606d7b0fb66848ed4b04827bc66d794bdeebf2d11261ef917e0db694f28460

SHA512
67f5864bd7218c5bbcf92bb9d2b74fd2357ac196951460fc169d1b16cab52ced9a770f2203b48bc3f96a2bf5174ad8f27fb9291aa6633a2bbb46e089f61c7a91

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
448B

MD5
09427538569ecab163a6429f3d23e0df

SHA1
31f328c8ec397caa20e93c2cea53ff8174e08097

SHA256
d8b0f2f88fd753eba7b5efd8cc6b8c33b0f9a6e971bc5e9df8e19907dc1d55de

SHA512
335a4a32415116b3078fda71a6903f7ea8cc86188029e62e24197c9dbc2b46f0d10def27dabb6aa01787c0622876812538bb967f144499b6bd490ecaff0f90b8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
624B

MD5
495d7a4450f669af650fc6737f0168d1

SHA1
d49c284ea328ec0af9289b3e9b6ca9ed69cfe72d

SHA256
8bbc7677078d4ac50dc00ee7debe9125076c6a68b572289556d4dbf3346c1307

SHA512
01f01da37cb30003ffe7d7984a991e65fd52c667cee3f619e840d230f467ed204308615b6418800c42b55ffca8c890d0e73ef3ea4527f3d6ef8b80da43b21e79

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
400B

MD5
c14dc19bac055db69b6ae35e657b97cc

SHA1
a8d6cbbf9877c68291d10c3830ac29174987468b

SHA256
28bfe2620a470e98106f4d1469a1758c36c944a1a8f0eda6de15a4250d8da4c5

SHA512
23dcf2bcba6c80c9887f482e12eeb8d70e3d0cd766ec6f43165cf371b77782b00bd0c518e58bce9d4fb08abead80efc129126f7e9a94252a1e9faec69419c25d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
560B

MD5
4a9302575361fc6076115b06137aafbd

SHA1
a27482263aa9122e6a8cbe7e0956a8ba3e93655c

SHA256
d0b0b77ae041b82bf20e0a66cded8f0aebc3c33852f15779b5759c8b926fbb7e

SHA512
3b21d4e5ee26017e832dce5a3836599acaf46bea67d51540025244453ec0b1df7e8ed79e6534653624c3e59b3f5444a1f68d8296a9ad939730d023274bcaa1e1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
400B

MD5
ccb17ce1dfdcefc5ed10dcf4a38b352b

SHA1
1de7e7f09609f3d268b1d9c57d724cdf394011ae

SHA256
cfa8df95dfbb88b6dc4a71f05b5bb5c8c7605e04145852383efe2036ce577978

SHA512
0139c69f4a4897ad72c55a3ab9183a45087444f100ff46316ffa0ba77a938c58ef9b904bc7678bed44dbd75d5bd331d369ed604ada1ce10d0a3351b74a70310b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
560B

MD5
ba6790c830be7473360131f452d04e1c

SHA1
5c3bde9af906830c3553f7701d8160265f28f94a

SHA256
efe158754a50bd4c5bbaa294b39f8690093c8612f9ec67ea9e78078abb6b1eb5

SHA512
bc6575a512c6bfc27718ec6ffd81d0e6bd957b8f8b1782de97edb3115a4fb5ef60b764f16f7636963afca9ff315b7dad8805278c727bb54221f0c71a63d9c61e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
400B

MD5
ecb9bb168cc0088a7ab2cd9c4ae6d09d

SHA1
9ac245a22490d3819b693035d3830e544860db98

SHA256
4ff963e43054b5d9f65a75f971286e5fc1cbc93e23325ac02a150d3af6794f72

SHA512
c2687d601659113ecc1a9ae7800b9aae00bdcf4f2bc6df41d32b45bca752443ff09b6f92b410dae53de89bd1dde3521da451621ad2ae5dfe79b842d01b8086cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
560B

MD5
1c1a41bed96bb58e03f53f368c9483fc

SHA1
3c4fed428b89a09626b0c02b59b4cca0dd842abe

SHA256
5f1639c7179a076367147c7c229fab99385672bbde1179a92645ec71912586a6

SHA512
c7d57cbb16bcd0e50fe71a76ef9b69c417f5c5fa24692123c81b045a245a50e185a31ca2d28ff622d3bdf0ef7b04bc177fcc6483b8b5d4b0ec337be4978ca7c2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
7KB

MD5
907680f71861d211e0172f417a0cc04f

SHA1
ac7612092faef2be71340699e82f4e43eb31f6bf

SHA256
0bf8387c87054337c4ef280e0cdf8c7be91ab3f6a6884a3c42cc55dc56cdb095

SHA512
c22706e77fab70b8f6f14b99330002426e2e74db37f8effdb484e2b2ec432d4fa19e9b7ea03e7b9194301a6038a3b8eae0ad239bc0f60931772b3f4f8767eec5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
7KB

MD5
3428e1a6a773f9e77c3e0d256e5c8b55

SHA1
c6ebb00617c1fb578c2b706bac5ba3b80b5d9863

SHA256
19b1243c94bba2c9f31b648bf5aa5aad21e1846e7e12ef5062970a4897a01097

SHA512
bd8bab49b75b1a4bd798d4addcc6c2290b087033dc65ec82a35828d2d8548f25dc03fdfc9da26f9e8379e29bd0e51e3fe091a2a856258a668396071fe3422960

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
15KB

MD5
b31efb7e79f2fce9014f283cb56c978d

SHA1
7c58fa36b1de241b87588f35798612d14f304fcd

SHA256
60c2a3ca1915abc7ed2f596371caade8378a8f438f7af148def56f4c5a000e33

SHA512
ca23c657760dbce3dd3a1f4f1f725de5c69e4a8d6cf1484d66306d7ffabcc82fc1b3b2cd2a1562ca2a499c2e48adf6e7b2fdf398b9c287eb6cab25d4279baff2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
8KB

MD5
f8076e68def949cc74719aa2241cdcc7

SHA1
b754186af6bedf812d8c3f3c878d82c697ce0e6d

SHA256
1a6ecaa0b2c029ea38014093f9695e1c3bfdfd8ab78efa21034345f68cd9917f

SHA512
31b87d5d3a2be8a6b9292342cb85a485a16c8b6d4865cdab272d942ba43b2538738749fb91859ba00ffd3b74c41a602fadf723c441011e0d7e2ce7f7b2e87dcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
17KB

MD5
5576b1b88a1c7875dd589a974eaea1a4

SHA1
93b5d8452dc55d118f7d3fa5528a2a0398b1a5de

SHA256
46efa988e1989b7b1fc7d27394c54c8c01eeaf4f6f26b48bd59190a1ad97f6f6

SHA512
95427ce5003e00b053c64e8fc630621a92512dffe53d80d0f33fba2f3445ed9dc6876dc8ad3a750c424267eed5784583ca7300e67bd49601fa8c3ebab7e7b6a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
192B

MD5
30d3ae95be7843a34ae3c6d370eac496

SHA1
2def54f110793ef4ee12e74409472e3d5163e319

SHA256
e6fd3f33fef262c6a93b48d91117c4faa2dab667b359c9ad0e12ee2a0438ca79

SHA512
32034d1113ad66db1c93098f9285de832da6d434ab00105ad4e6cb0615e86c3c911a93819bf6a72fb9a09bf5a97b0977c4ea3bfcfddf0fffe99dd8ff48237564

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
704B

MD5
37cc41d3077e209db476ff05d1ae1f7b

SHA1
d65acee47ebddb80fe78a29abaf7d83280dd7cf0

SHA256
8f5a17d15d78675500edd3790f14c8680e5537fdc79992bc56d292deed3bf62e

SHA512
e642b24fdbdf281908d50317cba5031dac509b9ce2b32cbf703aa25cdb7456a1c025530c0b6fec3e165c618ce1cbd47d802147a827caae8e5c0af31b2f43a9f9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
8KB

MD5
5fe81c8ccf4a8b1d612fb9db0550812e

SHA1
95c8782c9bc9c7c3f7345eb7c4847a36fcfab47c

SHA256
73ef2a33610d5b63072002415aba54edfc0331740f912b9b34d36c63d286dbb5

SHA512
9e0ffbd420adee8ae5aacf58e839153ab52b7268c4a5ed0bad823a77b434a8fbd4c366099312fbef80dd5a3bee7d734afff1533eb89a687bcb2de60edf911f9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
19KB

MD5
d9e5c40f9c3ee72f906ea0b72dfef7e1

SHA1
85d4199323d405bef03dc91410b0373b93fd3d79

SHA256
0cfbdd776426671f2db02aacf79357e54a125d86350152fc49fe9716b1c6b592

SHA512
1fff8c7e593fd1fd8d2d92ca795798c840cf3971523ec5e2a25143992ba8546810d1fed0c9d82a091f65d33b4930569e59b08fdd4eb8e963c0ddc6890d7631ee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
832B

MD5
702af976cf3d155360be7d2c0e8bc4e8

SHA1
aebe866d2ec93b45b7993958d052573643733c40

SHA256
47cbad707467b8fe29404aadffcc8cd98ad206120845764bea5351b5e61a6472

SHA512
b89d76c87afdaf74c05cc472186c6e0f00af2120deb3bef09ce299d43ba54e9f4e9ec6529eb4aeea1fd892dc8640be9aa21a93bf4d24c17b0927ddcc8c1fe14b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
1KB

MD5
2831ac100040dab941f004eec9c79c01

SHA1
46d46b1456835fd773dbe51a8f3af55528d22162

SHA256
0250c5e826842b930f727089fbd9e8abdb8e3f029330303c86daec4dc139d188

SHA512
a6a889ac134d48fb07fd8105013413b445d7978ea58eedd9b1470e869fd9be4ab94fb4a994a91eff873fb57491d8b3a864ee65bac550c761b4ee79ac7df6dd9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
1KB

MD5
4357641761ec2ccf64c47a26d9dbbd0e

SHA1
61052061533f66f1e20c82359bc7a69d75fa6de3

SHA256
cf12484c679c2aa95d27bb7c0082546f4fa08ff147c407bbdd674b3d22e1c27f

SHA512
e3fe1935f063018918d6b3c7825632ce124b21f57770fdca7f8988288fded08fd7d3a2525967102e0269a84bdb88b3d068eaad53f749cddf2ebeab031ceba5a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
816B

MD5
c9ca3a1161b7ff557226919f1c6eebf2

SHA1
f13885b180153712e5f2f2d6cf0364c1cbbd7c83

SHA256
294791402d2ae43cb5870d7c452c7fbbe34940ed82bad5e1ac26d4d06ee1046f

SHA512
fe45ec632e1f089cf73beb6a4a3ddd6cdb8d5f2a740d66395e45a80642038c3686e85ca20113f306a40dc6a5b9e83e0593d004903f57f130e09d98ab8e9f9fe0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
2KB

MD5
e26ff0baa17dd145701bbf86629a0a1c

SHA1
406d31bb56113e5ee8695ca79456ed59b7b0b1f8

SHA256
6a5cb85c9c46b5a30841217e22dc0eedc9503fed185371670bddf9e1f0adbde1

SHA512
764204d1f85c36ca8fc3ccd962f1b9af40c39a800e81b6dbfb18d10ebfb315787dba0c18900a44ce0344374b010fd2dfe13446c2ea896b001f0b1d53eaa6de94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
2KB

MD5
aac7bfd3186eb5818733f77c4acf513d

SHA1
498107f5a18b25556761f4280bffe697595a113c

SHA256
9bab564e47be1e63ca9f3ad5fa77c0af7fd4c953cfae9a7cf1adb27ef11db0d0

SHA512
c9e7efdad2076a5b8cf6ffff175855f09d0dc5cf1aa78e0a5d708b09c8a81ec602ef9bc53bc73c05a283f25b96263ba1f36f4b4a4b130defe3f026be8a3ab75d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
4KB

MD5
29d38216ea499f58b66f40ea020e43f1

SHA1
b5b1c2b3b23861b1a1201518a432a3d6ddc851a5

SHA256
bbf828c6def1a30c336b2ba6dff39478cdfb72654df04babab0ff7e48df0250d

SHA512
29f24010b76deed4608f6775808405c1e9f54704b4599f65c6f5cf69ee1163df7b1b83425c87d3bcacbfe163fc9b61c096f2c7e44da49187dcfbab674542c3e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
304B

MD5
2c32dcec9d4abc0a653c2adf97f9bf03

SHA1
f7a8c863e82ceb9e55b837093f37bd8761ec6c20

SHA256
1bcc794f49e02c751497344f83a253b25fdb1800a754b76a4b3dc3e47ccc1d4c

SHA512
78cf684d56ee8353a7315f1c5cad3113e9061ceaed55e557c832e5f9a7110d8d83aaebd18dfd51a7344c75bdde97ce2f78fca074b97369a9aa925214f7b104ea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
400B

MD5
b143601d3b2fb3f036ea8f96ce509b89

SHA1
10854492eb600c966e3c886dce2f37bb1c885396

SHA256
47f4c36f90b24fec0d47fd96c93a91244763bdc9533d1ce0a32580833829ac5e

SHA512
3797bf6c5fad46df35886f61e915d6b5a625961518658c01d013aa64301b09496bbf5839e4b945642fe49d3eedfe41debfe96a2adc75f0668579e45635f0b7ee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
1008B

MD5
bce8293cd4009532198b99de06a0458d

SHA1
877f139adedb6bb9a87fa4ab6bd6c301a50894c4

SHA256
c3cb1a37844d98ee6a7346bae238ced76f30ae3a02dd69a554914c736a7ca5dd

SHA512
c0080bfa6a1bae10676d9ed003946a1306b73602f7f447f7e9e526077d7c044c732cd5f2449ebff484b75f2e1fd37478a2aabaaee921a81a954cb42dbbddcdb7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
1KB

MD5
6ac3de42f56ce8a0bf1e76eb11803506

SHA1
330a6a85cc808fae232c65269b8fbf2ca82194cf

SHA256
4aea3038c36e246945f8d60e5e07978ab3de79e4470401574ec042e944e2cf5f

SHA512
3c01b1fcf0c6a618d51e4b2016926cc23a5ba4cda173256941bb3b69a171da7a0a94438d7b6bccef9c21aa00164301a4d3254374dbe73b40d87176db4a05d077

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
2KB

MD5
288b32508e83a839ca3f0cb89454d47e

SHA1
42d0a48792ae2b33c036b9e142ae0a7443afe499

SHA256
cc5fa279f9528d7792098f686d61cf54e47a89bf35dd3877d8ceec1a7082691e

SHA512
1b4fa08144deabd41a242c39b6591e178519b0da67fee0d473594dd46576511533190bc5356743b45d2b8dcb29d2eb1fd872cfc7006843825a0a82e626d1f040

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
848B

MD5
6cba7caee19b6f5cceead9f238ca16f0

SHA1
4a376f0cd508709f4850520f91a8ae1c28c62f45

SHA256
e3e856edc0651bdc75a484f4298609ed163ef4f2cf6b5a38bae9553a2e782343

SHA512
ed5b51fe4c8556679813ff6d37123733e7600ccd674432a93adf2f3973d5582a89b997cf101cfee1884dbd434a1f013880acca44ddcfaa97c71f296886cad309

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.A739A93E20F2052656695B19D53B0FFD0FD174F47690413CBD4F0F8845045D97

Filesize
32KB

MD5
e037436a7ccc4853095c3ee987e4cd75

SHA1
3f84b39a5f20cd69176b279c3e901e414957ac04

SHA256
bd1a699e8187b1efeae08501b8bde0d748ccafbad11123ab3e524c820deddb9f

SHA512
f0564f94c8284cd1cc492284197c8b510ee0f2283ff0dbd69138e9e317c98f44deec6c4bfdadddf98d515f209eb1f16c03f8886c75fd79220bd00e99e0f0e06c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-E6D931DD.[[email protected]].ncov

Filesize
2.7MB

MD5
5dfa2f4fe3654dcf479569e193af86dd

SHA1
8e1dd35edceb3c78abb7cfab823f012894fc4e15

SHA256
331c42fa356c946060fa623646934efb82a5eb70d08f6283224f131f35248de1

SHA512
afe40bdf04fb96fc6175656fbd7120717ab8ab57c8cc42aa88d0be55220b7283730dea4beffd7e5772d61135bfc427e1251decf6e2be38839b9a542cab6020dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b103f48110360de63b6b2b06430e85d2

SHA1
1197aa03a84b3600cb43bce86d7583cad5375713

SHA256
363c3bde570cc0b3ce4a8bf44755723312cbc7f60fe87ff136104f184c32f977

SHA512
655157e459ff204e9181647e65b470d765540d59c41d7733620fe5660b7c9bf25d0679518d3f19fcb9117e584c82b7c2e425ee63218c1c48f3a41d0ead0c9364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
463f615865d92339eb68e23cb603e539

SHA1
1caff5854dcc2665be53c36fafe53602f39fbadb

SHA256
a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f

SHA512
f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af48c1c74c65a8219a6f602a9594ab8b

SHA1
e09ed0a54fa29053e9aeeffdbc6dc538237592a7

SHA256
733f34a657349c497b1c99bdc3727c13822058dd37b1627c62aac883deb53f73

SHA512
bb5755e2cfd933c73d8eb445bd3539be3ab43ab15f8a3713da4245fe475ca4faa6be455aced044dd904735e3cdac0f5e8f5d1fa01a6c11b2b39d07aecba6fd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cea1a08f-6eb9-4517-9fe9-f3ff953590aa.tmp

Filesize
5KB

MD5
91cab3392a483d1c0c718aee2001d3fa

SHA1
664c9152b78ef8f3b64ec0b62dc79005c1e32989

SHA256
44d834d5c782d5f14a3c16b0c15b6ff731555a331fcb8a5755ad9abda8b93989

SHA512
5b84cd92b4d4f10af4f5c0d067a65d4b1c29f64a097d29b78efd496ae6d682e0dee73eddbefed2f97a186ed370bf8a851d521cd956a011b1abf4ea39a76fae57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0338f1f9dbbf3636a4060ffa7e16d506

SHA1
d6955546ba2d3d61dffdeb6cc4c93d2efd6e2173

SHA256
bc3eb9042ae04735b76f5b5da8ce1a65c98d0d4eb00abe2c28eb46a6f474f7df

SHA512
3c58ea0d57e9da8b500549b8ac25c619bc93afca029d4df5b4be24a5f18933212713c349d85d8d7b696a56577c201d8351dc4e81319475be88c5026adab6de6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b7a6940d9b0a65ff86c4621af0f3ba17

SHA1
52cd1d65c48970cd6d9d979eb2c2b770378e1d85

SHA256
9bf208e2abbdb7cb3be99c1f094dc565f1678086ce3f81c6b2adb8d14f638cb2

SHA512
c4dbc4b3998cfab8b9d1c08cda3a3648de068ec72091e7bec484870f4b951e3b934bd9125507261a739c2e37cefc74ab7b46f33553546348ba561dd22c1fe248

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Documents\ConvertToPush.mhtml.id-E6D931DD.[[email protected]].ncov

Filesize
680KB

MD5
f64ab3e22be3d70cfeb137e774b2549d

SHA1
48ffa6227aa3ac168bb2e8c42b1790218c55e414

SHA256
64fefe42ae565eda95f104736b51bcfc02f2b1ec91fbba713a59aeb215df31fc

SHA512
bb2a530d4ef431f3a3b1182fbca2bfe313559f9b816763848062d6afe62453bcb434f1d5e75ed950ccfd0b7495122c5520f3cbf61043e1da69d9739f3eeea953

Download Submit
C:\Users\Admin\Documents\GetNew.xlsx.id-E6D931DD.[[email protected]].ncov

Filesize
10KB

MD5
c894402b487c91c273625cc0f486bb1e

SHA1
cc4e269c375ec2f3c30b365c624cccacddd3c1fd

SHA256
dc9bd63f99b7143a827539409eac9951a0860342de116b228fe9e3cca18dc0db

SHA512
4ecde0a57c5d6f5878056fc4b33a8788123fd306bc87a588a5761f75ec44173b690112115dbf9b76e408b6edd09785515d2dc84753ec6ba687e40665d56ddb08

Download Submit
C:\Users\Admin\Documents\JoinConvert.pot.id-E6D931DD.[[email protected]].ncov

Filesize
2.4MB

MD5
09ef17564b574e1bdc5bf77b53d5616e

SHA1
5082242fab2402c397b4bca0d929acaa7abf159b

SHA256
270479151c8da933ecd1802a1f2b69049bbe7fe84ad9c8d967bac69ef1f93383

SHA512
80d2a1be60888b9cb8db3ec966215bdca7f2fd760b3abbfed557f1d25fc7db4db26bbaba9aca0d035e56d8b9dfb71fe232bdbbb04692c3e1a314f632b8db54ed

Download Submit
C:\Users\Admin\Documents\JoinSearch.dotx.id-E6D931DD.[[email protected]].ncov

Filesize
739KB

MD5
5237c7faf6d037c0eb12c08cc0180118

SHA1
da4e71cce2b09dac5565ca4893581fe588c6ebdb

SHA256
eb004a5ba53c51517cd53a1a574b8ca4d2eb1bab4111a7a2dd7eb5bea2938572

SHA512
1d122a6e611e28597a729a48031ce75a0837aa49b30e29f0a156e3747d7acd312995fed076c2558a464ed61185951fdd8240238e990b8774d217020ebe6b4b93

Download Submit
C:\Users\Admin\Documents\desktop.ini.id-E6D931DD.[[email protected]].ncov

Filesize
650B

MD5
ac0d796b66dc38e5eb4cfa9be39b1a03

SHA1
8469fb84f14db82053a2baf550f7a40386d7e1fb

SHA256
107d7bad9ed89b3278e8ebfa0c28390ab5e2d88a7e49819d3d6d78d381837f96

SHA512
7d16398085ee5c9d4ba7dd7b879ee4b8a458289c7e6c3beefe76bc491d91b3b8f2a6c95550a59806ba376a28783fd7090365a30736ddc658b7c723c84b189be4

Download Submit
C:\Users\Public\Documents\desktop.ini.id-E6D931DD.[[email protected]].ncov

Filesize
522B

MD5
1c0977e260069f35f55c0f0adc5713d3

SHA1
6407fb797fb52db17ffed59a7bc51384951af4c0

SHA256
2bbb6be8f0131ce674b280e19a1534605d9128010336a48a4f2ae44fc75b40a7

SHA512
76f8fde7e4be6c95afe8d0782895b56e446f344ecc2f8cd76e00a4b44198277a1335c16488d76b369c374c7b00def256474df38872c00775c9233dbdcf633e03

Download Submit
memory/2940-28045-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-491-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-492-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-3007-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-27768-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-493-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-17529-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-8568-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2940-495-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4648-3151-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4648-6213-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4648-2580-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6080-295-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/6080-294-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/6080-293-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/6080-292-0x0000000000E50000-0x0000000000E8C000-memory.dmp

Filesize
240KB

Download
memory/6080-296-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/6080-28043-0x0000000008500000-0x0000000008566000-memory.dmp

Filesize
408KB

Download
memory/6080-297-0x0000000005A60000-0x0000000005AB6000-memory.dmp

Filesize
344KB

Download
memory/6996-17954-0x00000181E53F0000-0x00000181E63E4000-memory.dmp

Filesize
16.0MB

Download
memory/6996-27999-0x00000181E87F0000-0x00000181E9D7E000-memory.dmp

Filesize
21.6MB

Download