locky | hxxps://gofile[.]io/d/MDdWde

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-09-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/MDdWde

Score

10^/10

locky defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Renames multiple (4708) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

SerbRansom 2017.exeSerbRansom 2017.exe

pid process

2184 SerbRansom 2017.exe
2332 SerbRansom 2017.exe

pid	process
2184	SerbRansom 2017.exe
2332	SerbRansom 2017.exe

Drops file in Program Files directory 64 IoCs

Processes:

SerbRansom 2017.exeSerbRansom 2017.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ug.txtINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dllINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\InstallOut.mht.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXEINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.DDIZ2VQ6V1DZZF6INSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.mdINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfcINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\7-Zip\Lang\id.txtINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\7-Zip\Lang\el.txtINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dllINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dllINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.incINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\desktop.ini.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pakINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.muiINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dllINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dllINSTRUCTION.htmlINSTRUCTION.html	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dllINSTRUCTION.html.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.DDIZ2VQ6V1DZZF6.DDIZ2VQ6V1DZZF6	SerbRansom 2017.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\SerbRansom 2017.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\SerbRansom 2017.exe:Zone.Identifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 93042.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SerbRansom 2017.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeSerbRansom 2017.exeSerbRansom 2017.exemsedge.exemsedge.exemsedge.exe

pid	process
2256	msedge.exe
2256	msedge.exe
1588	msedge.exe
1588	msedge.exe
1484	identity_helper.exe
1484	identity_helper.exe
4868	msedge.exe
4868	msedge.exe
2440	msedge.exe
2440	msedge.exe
2184	SerbRansom 2017.exe
2184	SerbRansom 2017.exe
2332	SerbRansom 2017.exe
2332	SerbRansom 2017.exe
2596	msedge.exe
2596	msedge.exe
2612	msedge.exe
2612	msedge.exe
4468	msedge.exe
4468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SerbRansom 2017.exevssvc.exeSerbRansom 2017.exe

description	pid	process
Token: SeDebugPrivilege	2184	SerbRansom 2017.exe
Token: SeBackupPrivilege	3328	vssvc.exe
Token: SeRestorePrivilege	3328	vssvc.exe
Token: SeAuditPrivilege	3328	vssvc.exe
Token: SeDebugPrivilege	2332	SerbRansom 2017.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

1552 MiniSearchHost.exe

pid	process
1552	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1588 wrote to memory of 2192	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2192	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3964	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2256	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2256	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4952	1588	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/MDdWde
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff837233cb8,0x7ff837233cc8,0x7ff837233cd8
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,14516261046523777048,6555096595714185549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3168

C:\Users\Admin\Downloads\SerbRansom 2017.exe
"C:\Users\Admin\Downloads\SerbRansom 2017.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Users\Admin\Downloads\SerbRansom 2017.exe
"C:\Users\Admin\Downloads\SerbRansom 2017.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\INSTRUCTION.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ff837233cb8,0x7ff837233cc8,0x7ff837233cd8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10496310365231593453,5858177072493014876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:5956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3007475212-2160282277-2943627620-1000\desktop.ini.DDIZ2VQ6V1DZZF6

Filesize
236B

MD5
60a6b85b9b0a3bbbf4ad69ea1af5aed3

SHA1
7ed0e4b0679f5587a120ed470389313555864242

SHA256
d57195404083a06e73f2b1a819ad73d77079254158394d26e2b75857e9d8d48d

SHA512
fb20136df6cbab6ec726081a0c254c1bb747afbee52a803a53c889e3abf59e60a462a30a36cd97e7f3e40013e4c0d830cd1e5a99e9b7ecf78742b3cee5215de0

Download Submit
C:\Program Files\CheckpointInvoke.mpv2.DDIZ2VQ6V1DZZF6

Filesize
457KB

MD5
23d900f65584ed0b625f3703320b8508

SHA1
249de8b7ffcba104f04bae75651fb4592b5163a2

SHA256
76b103680a0ea2c3ecc443e9160c26bc9c52cd7261a86343d702e43e05d216f5

SHA512
97912625e2c74e5a548a52388cdb7fa561e9b32463accd75180aab2be2a3cc9f676cf708450eab9f3859a0bdc512cd4a8d5ebf85b16514596169de09ea56aa0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.DDIZ2VQ6V1DZZF6

Filesize
1KB

MD5
c506c05fd83289929d6ad61cde7344d3

SHA1
25c99ce603b9eda50ae38823f8d9e1d6dc55a8af

SHA256
f53c44679b32248215a4a46b3218fd0ec5bd10bc39e87843bfc15156c7d9b1d0

SHA512
25adb78d0b2e63e14a71ddbeae2f10adaf6cf69058a3f60cdcd935bc595c53ccd797af2aaef6f2d4cd3c1e3df91d4fa6865e2b8b624339f8ada071db5bbc9356

Download Submit
C:\Program Files\CompareAssert.ttc.DDIZ2VQ6V1DZZF6

Filesize
363KB

MD5
060784c6dbc9155968e21a7c137a75a5

SHA1
062e9c7041d4dc45c08897e78006c19ee88b4940

SHA256
7cf0086ac6e70b1b9e7a0d14737d251cc84a2109e24783413b433cc49628cccf

SHA512
594ae285a21c777df0fbd8435c794abc7b3c5890422f9ea7ee05f9a3eed6f26d7956cac3c44425f220c56c6d99cd3ea45a56d5e998f80db26145940ae6fbc24f

Download Submit
C:\Program Files\ConfirmSkip.inf.DDIZ2VQ6V1DZZF6

Filesize
686KB

MD5
90f7512616f3066f5e8130dac4c2073b

SHA1
cd477894060a76b99f16785fd21a00fe04df0ac8

SHA256
7a7be155726eb6c02703522ae6b08b7eaa51fa1b65ff54a22756f4fb4c16de90

SHA512
93e2140ac7dd2278923ea07677eeb3f8c3d54a0f7fb238b8c1b1855726fe93791f4a816ab684414b0d8696df699f17628ac158eea61644f5f01e29797a9866d8

Download Submit
C:\Program Files\ConfirmSkip.infINSTRUCTION.html

Filesize
1KB

MD5
89cfd59668f8f24af506cfc463e3d9c8

SHA1
d14bd102140c1dd26ad7c3783def7f914d1dfdbe

SHA256
5808fb63a50f567afb7e5ae6b77972a620f45547f8185ce508d36ad58140e9c9

SHA512
197c40cce3a57b679e68b79e18cac42467d92a0b4b443875aa75ea2278d6516b3ceb51976219630d58f91b482b58f2eda050d9190ce324c3730ba57201f432a9

Download Submit
C:\Program Files\ConvertToMerge.wma.DDIZ2VQ6V1DZZF6

Filesize
228KB

MD5
1f3cf3dec89fc4cdd89fc498e2d0eff3

SHA1
5384d6778efbbf2ae761fae4d7670ff33800424f

SHA256
5244f4b1abb9430c731cf160a589d97660eeb21d6e51dbc9adf319c99e3bfe4e

SHA512
8369486a4610a9179aaaf470fdbd7de2863c5a5808fdda7ce2fec48748a327b95fbbbb291547add40f561ee9d17c6e648c0f490ea73d870738b80ada0fc50e62

Download Submit
C:\Program Files\ConvertToMerge.wmaINSTRUCTION.html.DDIZ2VQ6V1DZZF6

Filesize
3KB

MD5
12cb93d36f374da6f5e6e8becc9035fe

SHA1
2ef9920ce640e264a32e225a44b858269996550a

SHA256
c3e2c10a769c4998307afdd464fcb9d1e882071f3caa7f58d805038abe2e344c

SHA512
170ad5ed9032667b5eb94a1f9e0c1383c12837679b16964952c8987f6d6e9188ccdf478036e7e7d41e9759bb4a59f1627e87ee4faa4d516c1a5e88b18b2007a0

Download Submit
C:\Program Files\ConvertToUnregister.TTS.DDIZ2VQ6V1DZZF6

Filesize
242KB

MD5
6d4634ad79fb4a475c1e7cedb2528038

SHA1
69a2dd1ba22261021dfa034711ec840c363d355c

SHA256
c03fa177693670a1e19ca8d147eaf3248c100ceb1671e14f4a1566f29bd65723

SHA512
b861dd9c4c600784642a3395a5ee47fc25b33ff6dfe8cc111309e32ec069e061fa7822cf38810b4d51f02bf9a6044d771370fdcd3476b24bb075d9dba1832cc9

Download Submit
C:\Program Files\DisconnectWatch.3g2.DDIZ2VQ6V1DZZF6

Filesize
188KB

MD5
e6462e02522f6d0b00478059b32702d9

SHA1
6b12858a354347ee31f9ff0ba435abafde123ef3

SHA256
c5dbbe95cabcfe466cb994d5b1cae764f699230df0e377125ecee6ab7b986808

SHA512
54ec65ff73063f5b110be4e5bb6c2ee53489d8086cd3cdbb13cc58aee9cac1bb852c4c6c4fd0b4ce4eba0d499d35ff8cbcdb5b60a2dce34b65a96d0991235c5d

Download Submit
C:\Program Files\FindConvertFrom.bmp.DDIZ2VQ6V1DZZF6

Filesize
269KB

MD5
d7e5a9ae75e64ab9e39e5f8b5a04138d

SHA1
356bdc8b6636de6b543ed44f11ee2a73a1c1dc09

SHA256
42d6c48e20653434191386bcda60371c280186711d5162ec2e400102f61c230b

SHA512
647cbacb65cf9d1c3f3da40240c401bb046091deda72ddc80e645be9d0bf2b7f907e8831f071a98f17f4f4133a3761f8f418b7a6128f2afd1000acf250dd80a4

Download Submit
C:\Program Files\FindRepair.search-ms.DDIZ2VQ6V1DZZF6

Filesize
175KB

MD5
eb090abfac74eaae5158602eb78689cb

SHA1
e288dc91a417b70b7dd8074ab4218538c141d0a4

SHA256
ff9d8e87be69bfdda88ec062e631d394c4e64fcd81ca2e910cb4e00362cb448d

SHA512
e87276e6c6983316667f200b2b9ae1b8a1e4b6a4b96b8172a5b4def84821150deca9cb35f1c7c0bcd99e8c17dba5f32655d1c255cffe823f89fd52a5fa027d35

Download Submit
C:\Program Files\InstallOut.mht.DDIZ2VQ6V1DZZF6

Filesize
336KB

MD5
085e65141c15a9a47671d54e2ab0025e

SHA1
193c9f56583205ae389c515e6feab796c8db5cf9

SHA256
d3c7dcb84b8c47cf2f75a9d975aa6dfd30048c7fcddf556d60f58d5d34ff0c71

SHA512
cec87acc2298bae4da563f6324f30e27f4c7096bcaf57c1a278db354dd82886c8a75604412ac38344586cc4cf4c650e77e2f3b610475f7849e47c232dbf5d6c8

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.DDIZ2VQ6V1DZZF6

Filesize
992KB

MD5
263efe879be92cca6c867f56a7af5f88

SHA1
9e515f624a7fe26183720faebf693de13b740f1e

SHA256
2599399cc8fa3f33fc9d8249eb0f5e05cde39593f01382c50b74db863dc6d630

SHA512
4e972ffa0e5af69936b20b07881ce79c0a175cd2f826e7b26fb70f9a21fb573e06ded469d6f687d58ef5a0e943ca559a96c534cf3df3cebfa8d20655b38648d1

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.DDIZ2VQ6V1DZZF6

Filesize
169KB

MD5
8b7174f8558f0e978822c3fc729a4b8b

SHA1
dcc7fb548b911d2ac3f3ace2b0f73610a630551d

SHA256
0b10cab159ec0ebc3498877d81d301cb33da92228cf783de909149c807041639

SHA512
52aeebf11a85ba63b41ed61a906d6ec33b3eacaca21920dcfc098b16f82e4e108aff20831866e32332c323e21d8ae18b465a44db5bf41da3d4b16fb6dcc91bfe

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.DDIZ2VQ6V1DZZF6

Filesize
64KB

MD5
b1e46405d2eba9c619c88a27e4c023f3

SHA1
5ad766d6dae5487dc8cedfa8055d7e662184c3b0

SHA256
e7f4b5adbee303f3f1ff0ea4dae366beab37164f8ab82e5d879bfbb9c60c0a04

SHA512
4c7fe67d3a12ef2b32160a08c412dac025d246a4666a4fcf2094971771330d1fbc95ab6f605c9241b6c6cc6fc53cbb948125471eb3f39fd9a6d2b3c20c715ad1

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.DDIZ2VQ6V1DZZF6

Filesize
280B

MD5
04ce4c0d5b49519214805b24c3e61781

SHA1
ac61a36a069b9e0b266499d30fa4f3a5c61fdddf

SHA256
9d3940da5b1068370780d0dca9d1076ebf4b2c2707a21d43fbf019a757567153

SHA512
096facf3c23ee5d97b333232a9701d1b6e7234441b86919b464abe96d02b7742ef773a1075af6c29f91f5d3e8e51c916c3b250d342f66033661f9a3348327012

Download Submit
C:\Program Files\JoinGet.rtf.DDIZ2VQ6V1DZZF6

Filesize
390KB

MD5
cd3c7639f5b464c7744d727f91393d41

SHA1
2c296787ef11c9279e0232dbecbb45323ff5f6b2

SHA256
a9321b53b8051fb5408cdd0541f2bc44cacae5d90fd6996abd3ee3a673415c65

SHA512
569461a89907d52fa10883f66ded5d41449b1b2eebd90acbe17e921507e779b13ba58a3887b26b1d4a1a65fb946a4a83e0b05a9eb2a715728e5626ea4397111e

Download Submit
C:\Program Files\MeasurePush.xltm.DDIZ2VQ6V1DZZF6

Filesize
215KB

MD5
4456d9cf2f0c463e07f68f0b435aa84d

SHA1
4fe562d339c570ea46c8b90dd169b3cc1436fd84

SHA256
7508cc9c7e1070b9473d460f9d353287416dd89465041d55b6ac836dc3629ea1

SHA512
92724d48e8347b67ec8240a86866e455ac3656f3ce2e8358d9977cf9e4735d55078d206e992d6f4a1273c304a15f4c489ea946dc3150123b2a5edb63118daebe

Download Submit
C:\Program Files\MountTest.xlt.DDIZ2VQ6V1DZZF6

Filesize
350KB

MD5
a1d8aa36aefd0feabf26407393d329ee

SHA1
1209e16edb3fd50a2cc44328fe41e378fca7562c

SHA256
360e890e52db772bbe7d3d339f30bd7982205c8e88bfd073bf98243483079cd6

SHA512
cd04e2827d2088d12b7b58eb3e0998a3ff688ee5dfd24e0b874d515b80072723cc80f7d15c882509d9fcc4f99166900e12acf3df57c8ddf2af3808034977f3fb

Download Submit
C:\Program Files\PublishSearch.odp.DDIZ2VQ6V1DZZF6

Filesize
255KB

MD5
77603673fa2fbec4f568934fd172ee36

SHA1
cd75ce247a8f9f2f75903c6c49805375667aa341

SHA256
efdb024a5dbae80b52600c6be1c744d79b7b0ccf9dc2835d811555809a80dfcb

SHA512
2fa6718d3cdd71bb0019844e07537908421f3ca9fae0c5a226b46aeb71bb4545bf555a4209747c3620a590cd1517a18f527a83114aaff3fb267946bf3cfa71b3

Download Submit
C:\Program Files\RedoInvoke.vsw.DDIZ2VQ6V1DZZF6

Filesize
282KB

MD5
fbe451515c1d51489d4f4ea62468763d

SHA1
8a8457c96773c9278c2ce643efb6461e8437a2a2

SHA256
f78624f76830a13eabf9dc036ba5c37c505d8439203408e9db724a51ccaf8b6c

SHA512
5b9162ae7f0067f0577f4bc2d21b247d2dbd460b64973ee123a62ed168e5625d260951c32e0c666b99418189a74a5d6765605ec591151af1a5499d041c535016

Download Submit
C:\Program Files\RegisterExport.xlsx.DDIZ2VQ6V1DZZF6

Filesize
403KB

MD5
afb04ccb0dd96f79d5277865b03d3cb2

SHA1
524078a2bddae0ce10f089bb3906ead0a5f507b8

SHA256
9d9b75c9abc62c9dab9baace26f53b04875106888e56168786fb4fa400e4bedf

SHA512
b35f948ed0f524597204c016d33e37ac119b8118d5fbc3b0a92a05c8e3f98928080daae0cf30c08cd85097a6551be754c4d655c7065b32a7605e66874938b2b3

Download Submit
C:\Program Files\RemoveMerge.xltx.DDIZ2VQ6V1DZZF6

Filesize
430KB

MD5
9c75fe5df6bf361e568338aa29146f19

SHA1
f3f3b60bbef43c9ce00d3b0b4db12d3ad4815234

SHA256
5dc5f1b380e89016a001fdbd02b1f2d1bf8c636494411b265986679ee8234417

SHA512
e0d63eed7bd0dc8b162b3079466bce1945688527820d901181b78fd3dd2c6fca4be7b749aef990194ece635678ea50e3ac1c78cab1d366936d7bdce0ef5b68c9

Download Submit
C:\Program Files\ResetAssert.MTS.DDIZ2VQ6V1DZZF6

Filesize
323KB

MD5
74fbd7525a377291eb512686816e6d2f

SHA1
bf462097859c6951722fe15b8bf30a8df8053a2c

SHA256
e7af57c4a3415d3694d4459724568c0162f3422247ac7b8b204cafa6c119275e

SHA512
3b249aa632f053ac4af896489216005307679bf0ae554ac218dd8ed2a4a11507ff5ee4c170dc3cc94c9d628867a88ad164ede3bf0b3c3e97811fefcc0d4d9bfd

Download Submit
C:\Program Files\desktop.ini.DDIZ2VQ6V1DZZF6

Filesize
320B

MD5
91ef7f3c579261a0f71222a14569e51e

SHA1
62c68a5a46c3f2d92c502823787800367da81637

SHA256
ca8fcd4ef415f51e99131c7a8abbca2a7d41a757756db81a81883271c5be2a4b

SHA512
f786744e5db2f35ec9e4b4637677558ba7b1f2666e22986becb436cb3c58bdf69463d1bda4a71d2122b0a35973949e6b264d72e5bc55e8a14bb6938d2d8a5cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bfab9e403caaf1e577de1e106ac836eb

SHA1
4f9e9dc37bb96ea679e27c37545c199d8a0ac8a4

SHA256
116c075445167ddcabf440ec257c2ad5a7d769bb35792c9e553976918663d72d

SHA512
2628b13125fac30503dd29913c86e9af497e8c3b8786d6e4ab1cb031dba765d0563c95b97b0755090f6b196f5ccc26d4a0e1658cd16d86f2cd5a61b81bdc6fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec945291e442cc96be3515d2d00714bd

SHA1
0bdd448b4856eb7410743b2d8dcbd53519388747

SHA256
e1258c3c227b9af167243da4e8ed6ebd6cc265f903d5b9cc53572eb03f66aa24

SHA512
17e12fb613167bdd06001e72f73ed115919dee2d0b5ddf1675816a27680edacc5f2a61cf7d5cb53927d9878b11e56bb9884526b9d6a93da7605c71c2bb28bfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
761c4e04ebb93fd67e4d42b0f95819c6

SHA1
12b0cb4afc11af3ad12fa52f817204b62a4a6d95

SHA256
43ff3e4ef94ed184a0aad6ade8c4886210eb23fa3c8e29538529941a90d4e7ac

SHA512
55f626330be725e36f8e706dfd669baadce1ef248f479e9c85b395453f9502e5ed6363afd76a551773457c50d394c1e24492d2ea88076c453c7a16114960c654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b94872a8a20ac557ae53774fca365de1

SHA1
7d4e334aafa55a84140acbf16457256004619852

SHA256
9b7cbf2a937d2f827a344b1a5fc615320b09fc309d1a6f0a3adcc4704b600200

SHA512
9e59d81fa3c3351bb87e0ec48caed629576ac10486b4ca92ba5109db38749606319389f39ffe38ccf1f92cc59061b8642b8798447e42676dfdeafe8c05d78b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9d924f1f6d8322813848d5733d6b609d

SHA1
8f1e281a1de7b1dc1cbc3c30c3950d78439ce260

SHA256
86bce3c2a87d2b434deffd23487280720d45d8d52c94dc62415878ee39ff7037

SHA512
60111ac326a7cbdaf33afe219c3cb84c99a55961f42c690af7bee2d53c66041ca00e2275e7ff0e02c5335d4167b362f2b135298ab495fe862e857315865747c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
ab275d2f26e9f1f7bddfd70d4a6c83b0

SHA1
fc2f34a41fde8c1efefa22a4752ed10e05d535f8

SHA256
4f4d38c0d6fe7b3375b7ef066d3a80a7b04271803725757754253ec5dcd372bf

SHA512
f8d9fee45a9174ef588730aa31c01159fa0aeca2b1dd1d8c016a5697271e83339f6d503e321d28ee4797ab8ff282c7d3aa081370914b749c4b41c034b7b9c921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
510495c650e22077ff33e9c0ee7835ef

SHA1
404ec16cadf4e61af502e4e8a22aabbc948f6514

SHA256
b7cad402844c66e736ea7746e2501d1826c22a34bb3b02be04b06cb38cb9fd0e

SHA512
67d9d5a102d6de2177ef3c59eb64418f2605b04705c7330a69949d45ce08d47e8b9d6ee9e653302c23e59e4b9136387ba60b2898d8d708c8a98b63217ab64c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c866d0d3d0820d63a6092caddd8672b

SHA1
4979cc8ccc4692252df05a469bc465e4add382ea

SHA256
637991a97557d3c618d48b6b3b132fd37d0c49d4729d1d38354c998a14b3b8ea

SHA512
52982b20c5fc18a0659296ed6fac48bbf6e5ac7f7545b6861dc023e981a00bea96886845dc72a28138225bd57801eb9cf9c899965dd098d9ac637e0c860f6aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4157a91a6a38681c557afa58a6ba6b7a

SHA1
ae584317fbab0c62af74d323b1fd5fbe2c995b19

SHA256
44f693d8276f20f9b2b056b8c5b9ff9c53a47d5b7b8456da7c9dac2355a41044

SHA512
84239fbdae35c26db302dff8ed8afb1e3104952ee8d687e920cc7da7fcd3033ee9454db3ccbd3fc74ec506623e716d9a0bda6e2f1daf85bdd1b4fef9e78c3750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf36354a001973c9b098a67b56d805b4

SHA1
f1e6fb39aa61c7108aab98f5e07667960d383dba

SHA256
cecd920f0987895dc12cce2c163da5799718d1e618a39ed5d60fa95cb8495ebf

SHA512
bc1c3ef7e31f6eb9c474caf47953a768fd10a65c395859573a3b62399a16561c45061a17ea1f0a247f7f8520e58fccd0ae7878b435d7e9838e4678c35fe239d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cf436fd0e13591e34df34c7cb7071612

SHA1
8ff233a262c160c1314767c12138aee7b6b1d363

SHA256
2e1443df828f9dd3a0ee4b931231df4c4943657545f2026c4468e7b8febe725d

SHA512
b3bad4f8bbc25491a8ad53bfa716f600858f5df52e33b3dac4dbad0cfb02f0ef01263ed376cfe49a85f693f94576e2a60ae42ac8ba29b3d4a56a686873176cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a0c560cf-9117-44e2-9eb9-0ab40c7868c8.tmp

Filesize
7KB

MD5
9d55b2f2b5c37be38834a22d3fbe8e9b

SHA1
5877f92f8d52c7e931683b215eb28620cfae696d

SHA256
dd8ab290fc55c62a55c05ecad3b8692c19cfaa0d32b9018e4d156d6993584259

SHA512
ada2e2e36e34b68157e17e3d67bbff36f7d7f0fddc302ede442fc98cdcb2629053b8d8f9c1423d0b4ecdca18a6a9836281f1ee88582940597d595caa5e1e64ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fd837c54-ee7c-48a7-b84d-fddc4feb1a86.tmp

Filesize
370B

MD5
80b1f4643778470d204defdf79affb92

SHA1
46100d5bf86c47c9a346943f903bd536a1b1f3b5

SHA256
c1a9d439ce15480c1e01e4b6247a5d8cb3f0243a61faf8e836d203e46bac7f57

SHA512
ab2eebd839f3a8718c4e721d12da70e725d6c198a0d0bc39b656e54145454fafe2faf8c60508ec908f4c06f6041ea7519d473db4efd80d2104e78e9f2e5eebae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d8963ef1a08911ec26002475b5f20c42

SHA1
c8c5cda990bf6834a857b1c34da98369aff43905

SHA256
db76b763e7e5e2ba2a63cd69f13121c21ddd6ef780f94e6e36e95b0dda52de5d

SHA512
81b9120cf28dc5b247839dff0ce9d97c9a0388b08d230f21b7392ab7a2b346d32e0de6a9e40a7a11de2e16f2e22247d5bbf4d1158dc1994c837526c2fa304ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d7b886dc20fad7fdeb55a69a5dd0f5c7

SHA1
1fc0088f847b3983a5dbf3c39d555de6a003414a

SHA256
2e20960bae57412a2dfc8b86fecc6f3b284f1a4a6953a04f303b85f7274f1993

SHA512
93dd57cb87dd7d8a67bc1f14ed472718e5e070c3c57c48e252fc0f31f8dd87512de2afe9e9684c562fac166bfd86edcc327f6c0ca6185da0a36503440ebdd66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9f8830ef83a8cfc39c7a4c002455987

SHA1
e3eb96114e69861c4810e614d1934e274b151d1f

SHA256
9aa3270e132879494a878c965d301b2c3a5b5e6290bc83f7cf3754c38db92ad5

SHA512
3f049cf2b04c3491812525e4ea44398bc047384775525d457d5fc50f4977399cf968c6e450211a7a7add49632724d9d115fdd95156d523358ec70228da518037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a932c1689fe1c128a436a4355ad2e8a

SHA1
66e2972398cb79f26c9f3e561b41f9e495c47016

SHA256
9183f3cb47c924b11dfb7ce95a9b4fba0c9d1ee4fad3ad39be36a72fc96e2f7f

SHA512
26eb54e791f4c53c9117a996bd21429de7416280b335161c755235a53b78566b403f63baa35339ab93fc3d866b0ef81ff53b229c14d97dcb99ad16faffbd82a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1517089f8c52b1fce0a374e37b3e0113

SHA1
d17d09f87c672a1f7dc136ae4ac5f0601efb3053

SHA256
ef5dad3b9de02b6b625aec6c14dcb54b4ae89ad5cecff4fb75a84eb7e25530e8

SHA512
2cde538e54936506837d4c9b7c17adf2643b971f036989da31caff4ba9e44f236c5e8e1a4df35b49bc1c800eac6c4ecc7e649fa5624f349bf6fbfacd4548dcd6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d9c90cc81a3965139958ce95221b3e3f

SHA1
e1053a91bd6481e12b86b6a79aae7193e44875b4

SHA256
f99e8c101bde6270bec53e6c18f76fb0f7973acf74f15fac1462b85f2872b1ac

SHA512
a3d4907bcba240286c401ad824fba47f7d1029ddc0ccc776a52049fc2668a7503adf115fe013c1d536d7acb733610b68432a4ccf5069df06f5b7551605128e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRENUTNO OBRADJIVANJE.txt

Filesize
80KB

MD5
ef6b9232c85820b078b00ae30669755b

SHA1
4661fa3e77f49701d128839fca55bf69198c71f3

SHA256
00c8f39358ebe086d4672454bf7fa7972ff28723e2a55194d4c88cebc743c84f

SHA512
efe1aea09b18e970f74246fbdb6f9a7af8b3399de26b132727db9f6f1ccf2dd4417508b94296a6965b913b5429c4b60cdabcd6136e55f5efebabb02fb3ab6e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRENUTNO OBRADJIVANJE.txt

Filesize
80KB

MD5
df7a6a7de9ef01b869a6c631652c648d

SHA1
398092bf28da66c942536bd8fe0afe73d4cb93dd

SHA256
2f7c1f1f7696cf9ef28be69aae22a7402f9f080b27aefb21534bf71d6553d0b1

SHA512
1ef73a7ba78449176cb91d078a37c745726cc83b13fccd1c62e1ab1eba236fe3e88029d4c79a7ca9b2590b6cbe9173027535243968281f1760bdcbf1fd40c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRENUTNO OBRADJIVANJE.txt

Filesize
83KB

MD5
3b8f7053c7b5024294a6a9103c069819

SHA1
537862c788cc86c770a99760f0401e029b011ada

SHA256
baaa5c58770fbe7bf77140ce1356827dea312e148cae4170155fa25f8e56b474

SHA512
4d4d8f459bbd69bd3237f5688a5b611a7c87c87e8277379db27cbdadfa381747211a41959abb60fc8c24d1fcde8c8cd702b300c07f08bc1053024ac20af0b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRENUTNO OBRADJIVANJE.txt

Filesize
83KB

MD5
909785219242fa6ab893caef68234350

SHA1
9462a1d34ed1ad400d0a0055dcdd327d7e913159

SHA256
3067158e7d22c73127a49bfefb5312639797186bf11c9fbf42b0770425593e2d

SHA512
011ee84a979234d80b6e3988a56ad69e037d5069f4a3a49604af05f122d30a10265504de68efaced713aeffd805d1c404bc6810dd55fcf06f71d7343aa11fa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRENUTNO OBRADJIVANJE.txt

Filesize
4KB

MD5
23cff20d9a0220885754a5c685cd937b

SHA1
22cd5515fdf85caa02fcb9906ec99952038c4857

SHA256
500c8d3787651fc865f46828a1d5aea75fd14fa7afe73ba49babdaf8d164bdc0

SHA512
63a0b90ba5050b275766a80b29e0f9bc25155ea050f17f279477c37acf251ae046d1ac604e6d9d918b2dc8103510e21990f288b4333f74dfa577a0781e04eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.vbs

Filesize
1KB

MD5
548dda22703f6354960bb203df33674c

SHA1
f8ce4fb772238ce3ec186eb6678b8de5e3bfcdfd

SHA256
d5981127867e62055de67d19aac28af768d35b0ae54f537c4adb64c3b7b5c1ab

SHA512
f27346b5a2333203db2975e386c8120743334981423f2d28cec3eed3ca904c541416b1d3a5e8306d52d5f2479e3d81e712683c85e7df88da42ac748931e3a640

Download Submit
C:\Users\Admin\Downloads\SerbRansom 2017.exe:Zone.Identifier

Filesize
164B

MD5
156e92870fcfd0b61737cbf13a4a0a06

SHA1
3f5d1e09022b1ab13c413bb1c5ecd512ba2b5953

SHA256
53309eeab69a042b6846679905fe0e5646f52ec0ce08ee2f549800a10fa3e325

SHA512
38580989afcb64c37a065865064b640749ef72c9f8b276209fbadbdad88ccd2ab0f6d8d12be7189fcb039f8d985d47c9b3e1e6f5affb4ec5d1f28ffe47669e01

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 93042.crdownload

Filesize
33KB

MD5
b6ab9cfbc6bfa5104419fa843d2a8c02

SHA1
f65bc404f5fcf616a520c6be4e064df7a1a3d997

SHA256
39b33c54bf5aa4f68b462f0b222f136a1b5bf8f3d9feaffe3f3201665c266b04

SHA512
9070ef9f2e1f424e6a15a4ae1e12ee96a0453e97253b2df7b974101be55898d880156b8355e11aa04b1842810308bca695ba06ea0c5f39463b1e8496b8156851

Download Submit
\??\pipe\LOCAL\crashpad_1588_APNNOGHQLKMVOVGP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2184-266-0x000000001C330000-0x000000001C349000-memory.dmp

Filesize
100KB

Download
memory/2184-267-0x000000001DB50000-0x000000001E01E000-memory.dmp

Filesize
4.8MB

Download
memory/2184-152-0x000000001BC30000-0x000000001BCD6000-memory.dmp

Filesize
664KB

Download
memory/2184-268-0x000000001CE80000-0x000000001CF1C000-memory.dmp

Filesize
624KB

Download