7f945a0e46602ccd3a5c13416268d3ebfecd733a8e15b068dbbce4c2c8441985

Resubmissions

13-12-2024 17:02

241213-vkk5rawqhr 8

13-12-2024 16:57

241213-vgll4svmby 5

13-12-2024 16:55

241213-vfa4zsvlht 5

Analysis

max time kernel
233s
max time network
295s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-12-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

267KB
MD5

2c7efdbcd898a5074f861127c98af124
SHA1

4e48d6098569572602e1c3dfc114092b8230c865
SHA256

7f945a0e46602ccd3a5c13416268d3ebfecd733a8e15b068dbbce4c2c8441985
SHA512

2c76c82b97c5c5db464ac19d1c7907f810464705cb6823484c27e4af8bd12120cc0ed0f581d9f48c50d79a4e3b035add2c51dc229b40264e3f9670f12b765299
SSDEEP

3072:tTW0Oi+0joZJ6IXn/loJzh4kgEJ6LFIsg1AwtN+Tl/js2:tTW0A0joZIIXuJzgEJMIBgs2

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Recovery\$PBR_Diskpart.txt	RecoveryDrive.exe
File created	C:\Windows\System32\Recovery\$PBR_ResetConfig.xml	RecoveryDrive.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5d4ba697-2c74-43c1-b949-9260bf2d980d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241213165755.pma	setup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\RecoveryDrive\setupact.log	RecoveryDrive.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\RecoveryDrive\diagwrn.xml	RecoveryDrive.exe
File opened for modification	C:\Windows\Logs\RecoveryDrive\diagerr.xml	RecoveryDrive.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\RecoveryDrive\setuperr.log	RecoveryDrive.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000257bb80f55fa345e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000257bb80f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900257bb80f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d257bb80f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000257bb80f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU	WindowsBackupClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	WindowsBackupClient.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	WindowsBackupClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings	WindowsBackupClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache	WindowsBackupClient.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5136	svchost.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
1128	msedge.exe
1128	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	1252	vssvc.exe
Token: SeRestorePrivilege	1252	vssvc.exe
Token: SeAuditPrivilege	1252	vssvc.exe
Token: SeDebugPrivilege	5404	taskmgr.exe
Token: SeSystemProfilePrivilege	5404	taskmgr.exe
Token: SeCreateGlobalPrivilege	5404	taskmgr.exe
Token: SeCreateGlobalPrivilege	5592	dwm.exe
Token: SeChangeNotifyPrivilege	5592	dwm.exe
Token: 33	5592	dwm.exe
Token: SeIncBasePriorityPrivilege	5592	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe
5404	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	WindowsBackupClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3908	1128	msedge.exe	79
PID 1128 wrote to memory of 3908	1128	msedge.exe	79
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3696	1128	msedge.exe	80
PID 1128 wrote to memory of 3396	1128	msedge.exe	81
PID 1128 wrote to memory of 3396	1128	msedge.exe	81
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82
PID 1128 wrote to memory of 4560	1128	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffe76e46f8,0x7fffe76e4708,0x7fffe76e4718
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x7ff73e3d5460,0x7ff73e3d5470,0x7ff73e3d5480
    3⤵
    PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6345619893182470244,4093001918610488581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4280

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackupClient.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackupClient.exe" -ServerName:WindowsBackup.AppX7g7ckthmr138zk16nhs1hb5tyevsa9p6.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2332

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3636

C:\Windows\system32\RecoveryDrive.exe
"C:\Windows\system32\RecoveryDrive.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4080

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5136

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6128
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76abc5b2-4bde-4683-a68a-157747a245e7} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" gpu
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5846690-8665-4ad4-8ffe-68b947ba7418} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" socket
    3⤵
    PID:3880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3168 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9e15f9-51cb-4a3d-859e-202ee2910c70} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" tab
    3⤵
    PID:6064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3620 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e831c46-960a-47ee-a8e0-72e015f6afe3} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3900 -prefMapHandle 4176 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c03a0b3-2c1c-4cbe-b210-611387b1dc27} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" utility
    3⤵
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5180 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1571bcb2-1950-4792-b933-ea7ba018a5ef} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ccd0370-8d03-464b-a599-7f77c9fe6b6d} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81184e39-1042-45ff-a5f3-d6a2bb1c1fab} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" tab
    3⤵
    PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b19b7ecb6ee133c2ff01f7888eae612

SHA1
a592cab7e180cc5c9ac7f4098a3c8c35b89f8253

SHA256
972bc0df18e9a9438dbc5763e29916a24b7e4f15415641230c900b6281515e78

SHA512
16301409fee3a129612cfe7bdb96b010d3da39124aa88b2d111f18d5ae5d4fc8c3c663809148dd07c7f3cd37bb78bd71e25be1584bd2d0bacf529fa7f3461fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23fa82e121d8f73e1416906076e9a963

SHA1
b4666301311a7ccaabbad363cd1dec06f8541da4

SHA256
5fd39927e65645635ebd716dd0aef59e64aacd4b9a6c896328b5b23b6c75159e

SHA512
64920d7d818031469edff5619c00a06e5a2320bc08b3a8a6cd288c75d2a470f8c188c694046d149fa622cbb40b1f8bf572ac3d6dfc59b62a4638341ccb467dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7fb002a84aab9373b5458d3f9384aaed

SHA1
70da15d829dae22ca8f549ee57b4c56add2d3156

SHA256
004120ef3712b4a7c0b612fcc254c7f0a7f960da1e3dc67bb56569c3f2115d5f

SHA512
a67ce1f83b58920ff50f24c44956067202a123567bae753c1807fdda5b3bceec06c9e84cc0271a7b86f213e42cc2ed7465ea435ee03307e32a86de3927cda14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
362ca23572d5bc048eb2ffe6d18cb0a2

SHA1
c4edd7b604caadf371a979c35d83db1d3dc3676f

SHA256
5b9047293cf8f6145ea86b5e0ae02abde0afe252b1efb82d3b13d84891f6dfef

SHA512
fabbf9e2893eca38fcc3a0415bb7955397671dd07efc3fd25c7fb4bb09faa9617ee9edcc75e9462b2457874446284c9e2a541bef11838e78d6558a42871cd401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8cd513127214e252edf0454f329bc002

SHA1
6f47fac6be8e7331e54203a7865e86b32cddf16b

SHA256
3df220380a8bf881117c17102a5c70ae7deea18ec92e7c478df2ee904d882108

SHA512
0b6d2f2e12bb8b15175875b7118778e57475934dee0476bc3ec989c5408d1ff5cf1c2d5dce4bd980a3ef9bfee232f974fa90050171826f3f0847f9682ae7e4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ffbe7d9b2e7283f7ae3ed1324237ad7e

SHA1
2ee52d1d1e549524aa1abd2ecedcb9d4fbafaa4a

SHA256
a55cd3929ea7ed84e238bcc0723f8c3ba34fc3ede6085b635641e8cfca31af07

SHA512
6fa41727c1392a6480854d30aa4a86efb3e2efc44f73f051f895b67341f06d7d4be7e08fbf4df78a695d1143fa6fd57413f7d9177b486387c2ae9bf3a69e553d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e117572d7b4fe9bb4eed85bd846d272d

SHA1
a132e1049414cda66c0880d20cc9ee4bee383120

SHA256
e166bdd1255b5d05d381d33bc61358ccb1638924dd8872a1539affb0744d4115

SHA512
e99ca3f0013f15662a58ec50d8f415b5ef87e97778803b1f5ce98e62408613199d4ec3be1822e6b401de914225efcd2e959402d67fb58d37f821e2a6e95bcbc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xne5uxr5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
96ba7f95154b47ec063034c4747541e0

SHA1
b42267d8643c291b05cdf1496a73aefd8f9eae3e

SHA256
84e8ad5b01a6236964df4ce205bbd0283058748517c90664a156a59b0c232505

SHA512
621f5fb6275bc974b09e3995b29e684e6ae396fd5430e8eb52fd13e395523a1ab4b518eb819b0720854884c8bc146663e560f9e29f0a8efdd46ecf38f45495f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xne5uxr5.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
2eaf490f6d925488da3adb362ab976b6

SHA1
957919594928cba01592ed915cf58b445f9305bc

SHA256
87874e5f2a38cad55c76ba7455673d36f681bd22475aa4e91ea4cc9a1428ff33

SHA512
56c5afe0348f1e22ebd737e9a95f7fb768772fdaff79c45ee97867f8abc7021151b714e3350c4f38e105d7f7a69a44958a681d9317383822a5756e83cf4452a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
805415bf3568185de51b3278050b5837

SHA1
e536828cf20cef0616a7e4f6916da02ef832b5fc

SHA256
f7f3bc488cb4b9791b00fb326c6009d33d4c4d12f6838c4e9ec1594a3d1d518e

SHA512
99c2392fddfb3b985a3684753f29239716de66cd8fecd70ee5cab45f946d3dda9ab1e6b532eccb0a59e3e2aa7677630426d5bea25633179454fc2b26f553a351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
dc14463eb4bc7e3eaebb8d7aefdb885a

SHA1
e77dc5ffc130a01e2bdeb49d4d5a98a698c1675d

SHA256
43579334be8c2af8abab9eab6b5b4a8ae0be99b2e9171545df523ab230dbb487

SHA512
24ba5f7d641d353e554b5cdfec9fe00d2fe2c0d0e779de4d28afc4364aa362904e80325f5572df3c9b8a9edf1ee61d7e34fff4e1db6fe98aceea248ca63fb29a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\AlternateServices.bin

Filesize
8KB

MD5
c43e5ff2331247bba0478a1d6acb840d

SHA1
06aebc74fb093b7a639bb0a61d2e6e669ac71ce6

SHA256
c4cfdafebee16dea880b7673e1ee8118e00bd9d7ac0103b19a47fb4222aaa3d8

SHA512
b2b56d772a869dead4e28a4be4de05ea4edee9d3ad478f4f7ae971548d2f5b4d60192f563ee5365a05bba0ee6cb6d40359466fb0e2ee64b4c68a19a5a83178b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\AlternateServices.bin

Filesize
11KB

MD5
d183441173704b249800641ad3c5555e

SHA1
d5f1ff043d78ef9fb650c951ed26166aa98e78fe

SHA256
53199d7938bc98a9ee432e6bdeb7b375498274052137bb5d7e8b31abaea2a10c

SHA512
2f6a9930300adf502c9343ed07b1838ab7f3c4b86312b57cf9b4362d13c56abd37a5adbdfcace15b090e85d1f0e5824dc8c5e740c975bdfd463346d9ebc5bdf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
56f525906b87acc955f9c3a29bf28c71

SHA1
619dd61aa7fa374ae90b226a55ac9acb625ce76d

SHA256
35f3f6c676e7eae99e2bfedd64cb8c190bed586227216c11ef10452e4b789e06

SHA512
3a9f7c6dcf7c221742fd8d68268837dc8655563efef273053559429d0753072dd9ca5260e1177d110b8f602d788ae55ce7838dd6a7c38221f0f58507c17ca80a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\c8bf9251-976e-4393-8030-ca5d09fb9af6

Filesize
28KB

MD5
ead3a978f128a3b21b911405b1bd9caa

SHA1
a14c6c032d231a9da53de247e204405fa7ee19a1

SHA256
40e9fb4cb484a7b6a587a9c8d5a2620e791728c49263fa8a2f72b80da58012d5

SHA512
7b9a37938e86178e6f9bc5588f7570f6955122faf911abd31333458fd1d7bd4135c77fa8e579363bacacf0617b3414a0cdc80af8cf8d83f4a7e92c9ec8738564

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\fa4d4a17-271d-4982-b12b-6f2263aa409a

Filesize
671B

MD5
2b293e84a4e3b06d907556b68dcb918f

SHA1
8ccde1946e635d9906d14685af7b4042bc1fdbbe

SHA256
6466d0df802630d05446c7fdceb5a9cfe27d58d320983815196722e4750cf5bc

SHA512
113cb15ba317f8d60b2e2ceee811d1c87fe740a747bc46b2fd59674b3ee7d2c699959720b4b16f47170cc8d25e61c20acbb797e4795e215325b1ea1afa01c026

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\datareporting\glean\pending_pings\fc320a64-7bc2-47f0-a44b-ed6475c66fe5

Filesize
982B

MD5
74e93d916acc1f53e7c3048b11796eaf

SHA1
53d707a7158b992f8297ee96057e3507948494fe

SHA256
ee1ccf60cc76eeed6ab26dd43c26ef19766d3e825cf99f6893f05b9c97646d38

SHA512
2dbb34df8d8a543406736f02feba2704ad6b3306de8e7b372423f1efa24eec4d8db1e0fcce4770bfd997592af70b64750e839f06bca1b878eb6eb36a46c46822

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs-1.js

Filesize
11KB

MD5
23e47e8a35d252b05b35b7cdd816ea22

SHA1
5a02459dc6cfee6105908bffc7b02344f4c525d4

SHA256
4ea3f983943cba99acba8d56229d3ac9fd45d498bbb8c9ab2d067b24577aa0d0

SHA512
a545102d85343f1793aa674f0ba3e8f4abf7017764221fc9d2dc208090c27966c6f0d15c8f423db6a680131c89bb2c0e676e8c6df4318bad923e57193a3ca6d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\prefs-1.js

Filesize
10KB

MD5
33b3bd73bac322cbd1dd203cb50f9fca

SHA1
7952e1fb437603d4ef896180f250571e2a3ee65c

SHA256
9d8933971e4bb60ab88e4c1237af9cf8e8368560b00da29d8155da84195978a0

SHA512
2728b5aa58521d0ab345fc04ae93fb4aa95daf14f8a83deda24a872dad250245d0543e507b1deb5514d2f75dd1350b8f185b60943f4a0ae3fa6ea1a670e845ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b3b74dc136512e2b8a057f3ba4210a4a

SHA1
664c08b5be5975b9a2dfb181d0ac6128e942a91d

SHA256
143837f37c6dcf730bcb763fbf2b577049f36d08cb447544697f8a5dba1233b7

SHA512
0fa47bd20d75001ff22b0b169bc3b4e6db76343f026ccdbd76dd942e1cb99b2cc78312936cf5a1b1bbc2eb5abebb9317167e725cfbacd6a76d6d6a08dbbdc7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xne5uxr5.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
67c1648b077c433fe3794b2b5b5bacb1

SHA1
f99a38a85b57e32cea13b4db4ab85b4b4dce288a

SHA256
bd9faa6e4e85f7c22bbf7ac331b5a3f96c9203427d9d34a8529ffa5d22a1a102

SHA512
0f64720779c5cfe0b88b5791c7d2e886aecf56854a9f24aeff2020c3a8fa15f6901169e42ded66fb321d631eca383cd2dd2f258529eb9b04a41967310d3f6997

Download Submit
C:\Users\Admin\Documents\ApproveUninstall.dotx

Filesize
592KB

MD5
7f54566fbaeadde1142beda94e9f06d7

SHA1
b87e1428b9a8781e508d6985e9b4a6e44a90c248

SHA256
a46642ee2de5f8e266924f8240e1769ad9857d48a54f468afd9ea72983c3e8d5

SHA512
b65ca81d5e83a6dc36340b665059524c31b63facd5c6814a39ee5a46744e03d34872e31a2c6c6131ede709184f1f6bc809e69d8a9c1d4ae824dae07a724ece10

Download Submit
C:\Users\Admin\Documents\ApproveUnlock.docx

Filesize
522KB

MD5
ceac8948637060074becbeda822f71de

SHA1
4af3486b0fa462733fc68dbabf0c31bd2152c79b

SHA256
d29e31ef8c1c5ee6d76f4abb305eb267e8033ed84bdc9ae93c86ce27449b774e

SHA512
ec44b9a6daf6187f908398a6370e04fedc3336925ef35571902a7a7cb15cad9e440b6e379124068e000f949e3b26cd86da39ca089631823b5faa5e11e3139c42

Download Submit
C:\Users\Admin\Documents\BackupResume.docx

Filesize
20KB

MD5
6d007a0fcd714a3868122c33d3ed1b1a

SHA1
4279a64b01732659206d713284303a177cee73bd

SHA256
1af248d7bd52f6b8a9415a01eb7e3666f901e366a43904195af6d0cb043e377f

SHA512
cacb33fc4fa533c48ee3c6f0604c64cb35b1383318ea01067961195c4139af230352f1ace7ca476f019ec2cbb6e9aa6e27859197e1df010b2985eaf86cf7c87a

Download Submit
C:\Users\Admin\Documents\ConvertFromStop.rtf

Filesize
360KB

MD5
a54aec45a66d6cf44edfac76123f544c

SHA1
059652608278ce1ace344f09aab874b6b4354162

SHA256
6db76cf6351cdf842dcb521ac44d7b610822ed8c190ac13ea08db6f47dd6f30c

SHA512
ab9fcaa276d79e17d83d1b50d6c4c864487df690adf1f5d2bb5ca2ab80ba77cf6bab0f6a8c1bffd65bd0cce4591d31e9a8bbb64cd887bef34d876936c2e457db

Download Submit
C:\Users\Admin\Documents\GetWait.rtf

Filesize
1.0MB

MD5
50ae013398ee81df4706192425691eec

SHA1
e2bc97371f8dc094eabe1404b6ebd3a76343fa32

SHA256
d16de5f17328fef006d701ba573860288a9ab60d41c85f059d04db6617aa33d4

SHA512
6ad26c1653606c175faa66d10c019fc9050199cee7cf8f082d72be1308b501dcf2b19e8fc07f812dad7a1a6c4e45828d6bd62727854b0f112b20b1f84d6cf867

Download Submit
C:\Users\Admin\Documents\ImportClose.docx

Filesize
638KB

MD5
13bd1315902c9f200ef1a5a016eb21bd

SHA1
2773d2dd6f5dafb022fb46b12265b07b94aae43f

SHA256
9079a427b04da3e8616f3971ff0e73f3892118a65d3d55984d3dade196dd019c

SHA512
bc08c0d2e8f9acf3b4b0ae638727baf63de032539c8a7c0a64494f02eb2374b94f597f987e1c972f8d451a5935c62991d65cfccd30a37b0d713ce155c965ca58

Download Submit
C:\Users\Admin\Documents\ImportFind.vdx

Filesize
313KB

MD5
9ca24b9e0d4fc1d1c4ca12409724cca4

SHA1
076220e34392067c21e31c3ca916b8f0a1175a16

SHA256
c95db0c352faa579aa376961c2bfb2fa5441a081daaba023d21392d6a9395200

SHA512
d6486cc5ac8a1e148f5b993e3b0863acacf27702b5e2794caadb7ca5a528041a5d4f221c17e6dfe0d4eab498366c7bc37f01d9e4397aee8a4cea45b249155826

Download Submit
C:\Users\Admin\Documents\InitializeRegister.ppt

Filesize
685KB

MD5
00b63d29748323a58ddb56dd18d05595

SHA1
6e0145f9c4d1466716770ee0897d876e7bc4b8c0

SHA256
58e11bb458956db8fa609ed28e2640851af610d62969977f70ea006527e25f83

SHA512
46907ce933e418eeb14c32defab757e85ccf12ddfe0e37cd6b5a3f64139cb3dc79b11cde0e96212f18fb6637b94a7e393296e6d4b2fa724bd89a1db21b1601c1

Download Submit
C:\Users\Admin\Documents\InvokeWatch.vstm

Filesize
452KB

MD5
8b7d384980604b0aab3df234d0148191

SHA1
9018b8877ed4be262a3118060032c832d9a6bd09

SHA256
745a495ab944b9c826f6cf0483278aa7001bcfb43ce9c684c4ed4f72ddb15ee1

SHA512
05a85301ce1dfccaa4ab67e76da6ad52cc1e4401d8802fb92b0772bffad491b0dcea51eec1bff48e496e83591d15544f6476cee38a9a694663b6c2b8ab09ca6b

Download Submit
C:\Users\Admin\Documents\JoinApprove.pps

Filesize
476KB

MD5
ce9c07cfae8df62a3addf97105581a83

SHA1
6c3a90ddf593bfa64c1eb9b1f4368d42a9f596c9

SHA256
8ec966c407ac4f1a4a1554e384f30a83694c5b1d3f0622f6fe74725201b001f0

SHA512
fe729105b89750e0563d5a2d3cec19507347a76b6b3844bbf2f4290f858a16721815ec518d531c12e2ccf864b3684591fc453a5f52235ddcafd1c6ec60a23161

Download Submit
C:\Users\Admin\Documents\MoveSend.xlsx

Filesize
9KB

MD5
3635acaa2b6acb22e0943b83f6b77037

SHA1
249cda376cb7754230267c8121d00d98a9b8ec30

SHA256
3215651634fd15b6574d689d152267bee632add6a3790ca66eb560c30b42ba77

SHA512
8663efeb9bfde98d69abc4b5d79f5b82160f42e5268bd44b18932404e7a5e161a22f9122165b96ec9580a2a8e28ad9445f2bda8abc938d30a86eef84e0761fd2

Download Submit
C:\Users\Admin\Documents\OpenOut.vsdm

Filesize
290KB

MD5
25ec2b1aa6bb47dbf332089f77f3acbf

SHA1
ab8c295e6f2e4da4a668d434ab5fe0025ea61e48

SHA256
060fc22bd7c54188d043bc5a54988ba5c3164f61e291ee98cfe1bbf22cc9f3c9

SHA512
a72673d725743697833690eb0e22dbdc2c7c384efbf74e4d5719b4a8a72361022e0a77c771f7195034faf702f2468a78967496af6959bd92f7ff1984c05f3297

Download Submit
C:\Users\Admin\Documents\PublishStart.xltm

Filesize
429KB

MD5
18608146afb2481052f90c0c370f49cf

SHA1
d061a9cea6df413436f29969c376223b09e22ba3

SHA256
01bd02e747ccdc5d024d012cd13f8783ff2ccb7c94080b5cdf99e3b54325b6f9

SHA512
d0387bff32927c2b9db0ad6fa7addab8f8e5d0a4204bceba30ebb591890ddcb27c6eba30b269be2fe960356977e5f64c7624cad59fc4a3f446ee4cf20d26c5de

Download Submit
C:\Users\Admin\Documents\RenameDisable.html

Filesize
383KB

MD5
af7db7dc186c5dfa84ed2438f286e1d4

SHA1
262d67ee3169544061327b1a78a5a39a35f8a707

SHA256
dfe9cff9ffd4f0a26cdb61f0397b84ec678ce9e90343441ea563ac70ee8a040a

SHA512
15f1c01920cbddbbb4e0619ed4c1e6e38138be2931a1d0e0bd29a062c74cfb6180a7c9cf5f7e3d23012781fb094ab8c0970caf145cff4ac7a65ec25d737a9238

Download Submit
C:\Users\Admin\Documents\RepairCompress.dotx

Filesize
545KB

MD5
d787951d9fd2825ed35cd3373a99d577

SHA1
2030b1b58f29147e5b5a717e453c0963bbb7d9e6

SHA256
50bfd8474bf9a2faf99d9408b5b57a391fc5fe675f032bb08e9e9e588858767b

SHA512
952eb48286022d386c15450446818044c12b40152697df521056aee239508c35550f1486747a4e6f9ad284618349a1995861e246d32dea74e00b92b7fbdbcac5

Download Submit
C:\Users\Admin\Documents\ResetFind.ppt

Filesize
569KB

MD5
db562b56a730560b5099cad0d4f22f19

SHA1
a4cf28385d38b7328c601df23aae88e8cdcf9737

SHA256
299de2159de76eb0f131c34c3bcb219ee9bfa495899d655edf74a1e480714b34

SHA512
749917aebf915a2a22f580d5e73f1a0922c9f1b21c9ebd0ddd40e0b5a69ae7224cd10d8121fa30d84c4b70eed934a0b5a517e55044f00a37851403e71e7be325

Download Submit
C:\Users\Admin\Documents\ResizeDismount.pdf

Filesize
731KB

MD5
39d5b3611f9f70e65f613388d6c85e0c

SHA1
92a77768be4ec94ddbdc5bbeab9aae8a3aa0434f

SHA256
55ae0c73b0e6117294a5b21e3063aa85417b23f271bdcbef388c10fada752e7a

SHA512
b602a792e0bd671fbc752327746b408c568aa0278491f93468e164a41c6b6d1f2cc5c5aceed49fb1185235c3637855e9f26741782a62cdbaf38fdf509849f274

Download Submit
C:\Users\Admin\Documents\ResizeSelect.docx

Filesize
17KB

MD5
5f03a398c968d9d1e982b21000258e19

SHA1
a83a21eedc65fdc02d953c81c26d08818aecc646

SHA256
3e5658c56b3edb6828de8d35e389d99a67cb642859e17f0bb38f6b489afc7aa5

SHA512
9f5a30a0c8cd3c79af33d8535eb0e0c114b401ae505c2e088a2d336edb071205c31f1a0e0710b1262fc4041c58e3c027c63e716407beb15b654a7d853dd68e08

Download Submit
C:\Users\Admin\Documents\SaveOptimize.csv

Filesize
499KB

MD5
eb4a384d609506185660a2d929a5d69c

SHA1
eb54d284f89932c7f6e3e6a1c07adf91e5c51f61

SHA256
0b202ab98e0d07a50dccbefabfd6d8632a77fb7805763d82d856b62ff3d3539d

SHA512
7060c1858882cd7dacb2acecc5ca559dd2fbaab5fc03e76a4613e90263372bc20a07e51ab17bf200e022f2616bbb36b1b2f82660bca83a0d89ad55d8e40d3219

Download Submit
C:\Users\Admin\Documents\SelectPing.dotx

Filesize
615KB

MD5
b28e3bf8133909ab6fbe725c1407a0b4

SHA1
091d22aedba9f625e44e05a044d8e6575363e878

SHA256
82b67186e6e48e63f952ee5e757c7c4bd706ed996f513958700df88636917a69

SHA512
307d105478bb5ff0f9a2d7d624d45e94d22a3f8e120a3ced60a5e635acc8c4db43a1c2b7e2a638c2bf332a8ff7632743b11efaded1791dabb205981ed4bbde65

Download Submit
C:\Users\Admin\Documents\ShowRepair.xlsm

Filesize
406KB

MD5
d1341e90ad8c81685cc7786cc1246e33

SHA1
e8db05d1d90ef583bdf0af89b533892a0d111e15

SHA256
ac681e17de8be31bd0abc91ec778b313e89c30704931554119bda1a7e2be751f

SHA512
c87394cc0e0d6006ac7ce3d1cd2f391253787b9dc31cbcd64987b7311551e00a992ffab318bc166fd44a8c80b6731582683d2b2ef7a08d2f60cceb0381865a5a

Download Submit
C:\Users\Admin\Documents\SplitDebug.xlsx

Filesize
9KB

MD5
b5ba110b6ecf384e4c475f67cab86d02

SHA1
3c91e90d950659e3da628cb7f68136f6b2404a79

SHA256
18175b837c23404e59e7389c8318d5afb91009c7d947ac024869754608ca53f6

SHA512
b26cac03a5b7af202b2956a2ddb0cc182df6d26dbcdebf26b18d873478df62db0b1bc1d96d12c776cacd4f7f2e35fa95323cdc372035b9bb109f985c9817f996

Download Submit
C:\Users\Admin\Documents\UninstallConvertFrom.xml

Filesize
336KB

MD5
a743565df49ae1785b108ea8d6c38e4f

SHA1
e8a0841b6244dece15cdb9aeda2c2e6dac4daad5

SHA256
d631e38d46250f141a27b34f9968355f9f13d8c19ce89289862c3a0ed059869a

SHA512
db1a0c1ea581dd8d6e8294d4436ad00ca0ee5b7e8d51b3952e38e91c4be18584377555079cf00b47f5093836e8ce0029ca7a6fc77d02f811f1830d654396989f

Download Submit
C:\Users\Admin\Documents\UnregisterCheckpoint.vstx

Filesize
267KB

MD5
0857ea7c7a17b3cc83b0b8b742a24fc7

SHA1
dafb0606e2068fffdfcaf1fd7ea50bb361655927

SHA256
4d6b7c6ff1230998d551cc543877d8056f0b7c936f2064160d4e2f621ba62830

SHA512
fcb927a5e764a9b2e0968c1af8e0c563d8eb2ec26cacec7b3213a2ae6938cbd1029e79f6c750a8918dd0c581eb68d620c4c865aa47f51278dfa5e1e7d104342d

Download Submit
C:\Users\Admin\Documents\UnregisterRead.xlsx

Filesize
10KB

MD5
86eb723b47bbbc249190834c4a9bfcc2

SHA1
6d7c507ebdbbdb759a2399f49c51fd0ac426d28b

SHA256
3787c3b783d764e19e12324320cc7b03469fce2273f9e0c098bd0da889df800d

SHA512
e040ac618e22101cf97a58706ddccc7e4cf57997368ddaafdb13dd18967a4cf6f9b083d7bc3d3c3cf867b2bb37a1a0ec5974157f5eb05df53976387ccc73d501

Download Submit
C:\Users\Admin\Documents\UpdateShow.ppt

Filesize
708KB

MD5
8303919f92dae78c7f15283e7946d839

SHA1
34d5197cc313abe6f57d3c8c00bf336f9c09d804

SHA256
be3513a3f00479d5763c8c32d044a9e1e7554426e64943acc28734f1d2fc6177

SHA512
87ae7bf6209daa2940f122f14878e8c7fa28320832dec1b77844b9155049ffb1c04166699f1e2ccd54d646eb3b68120ccaa8455e9157d42bb1d1aa14444bce05

Download Submit
C:\Users\Admin\Documents\WaitEdit.ppsm

Filesize
754KB

MD5
234d47724a85e707bf0ece3715857117

SHA1
717ce353738ec705480377cd1f2234dec6dd1448

SHA256
76e94ff6faa828e7bf57096c38117c91ce9e18869ca6485e4717cdea6cc1b0b4

SHA512
a9bf3a642166aa658d449d5e81132a6d77fab717c77ebafda47b9c4ca7e39b7de34655ebcc29d985fc61ca7f37707be019f94e93c0125f8246839636b2777a2f

Download Submit
C:\Users\Admin\Documents\WriteResize.docx

Filesize
662KB

MD5
f1fd3bc6671d304d2e2e41a8e8d53726

SHA1
cd55baefd3bc85f9da5c9552750df2ee2ed1b6a6

SHA256
b2e23ab933635ba639dbc5bb6d954f2d9a9c40b09ed1f0257fe98124caeeb4cc

SHA512
7da9e835c1df628722f3e6c97ee10abc00975323fc4d90fd1bde5e0f4e13c0cb878a459551c3f948f4ea2e25e0e1ef6ed89490be43daff25211b9528c9438a1b

Download Submit
C:\Users\Admin\Pictures\ApproveExport.tif

Filesize
413KB

MD5
b9d1041d5b4c2c6dae0a704784a6695f

SHA1
bb89794d855a097eba38057a5ef8359b10d3392b

SHA256
3f5b74ad08b8c165cbb46b544eaf4bdf5c59a61b7cc878b3b1c0cdcb410064ef

SHA512
79ed961b09e83982a40d41bb67f7f72b437f3b63b8a8b75dc6873c511013a3ad347ae8123b080d245176489d56f3bbb533eed80b8ff7b08cc8f1a95d40fadd4e

Download Submit
C:\Users\Admin\Pictures\AssertDisconnect.tiff

Filesize
234KB

MD5
875d8dd15b0c81af085d8a67703109e6

SHA1
3c61794516a72564f502683319b03f71c5b2f36d

SHA256
2acd6842288ed15b0908518afa0ecc8d1365cb1814f113db0cd879273ad6d77e

SHA512
49629b6100cd022818ca1a77d784f42ce6f7707247f4d4e59d60dc279a5a3217cbf68e7e04768ba4fde257162845f1115dd88582c94989ae5f5b50dfe59249cd

Download Submit
C:\Users\Admin\Pictures\BlockAssert.dwg

Filesize
335KB

MD5
d401b18495f20c910b1f1be56faa82d1

SHA1
f357a6c52423ca7591fa37f76e32644f3711f603

SHA256
5134ca9d02378f898872997e12680732313b7ae928dca0657f0ec02f3c2982de

SHA512
93b73bb51cd7a4beff599ddd322b34363f0ce2930e015508192198ccdf25c49e1987a7cf32169202bdad708567add7c1fc0bebc2feb8c21afacd30494df91cea

Download Submit
C:\Users\Admin\Pictures\ClearReset.jpeg

Filesize
257KB

MD5
cfccf49293b790a306f6c2c63042f902

SHA1
b2a6fcb65b9ca5ef0aec64761f14d085d453ddd3

SHA256
313a504cd5dc325451d1113ecebc9d62e4c13a2cd1124e645498158cdd2edbbe

SHA512
03cdcfabc5f48b01a9c556741c727bc9cbc2f494ee85bc78a384a89902e94fedb974b40f3bc3e1d756b77515b8e59e60fc96bc2b0ea3a88f5f8be9e061fd1129

Download Submit
C:\Users\Admin\Pictures\CompareFormat.cr2

Filesize
351KB

MD5
07c7c1823259cf0a01bd2edc3ca23dca

SHA1
619c7d5e1e634a7f14afbfdc40c189916b638dde

SHA256
aac48d119ca4d5cce7dd9ad69fb19cfe9cab897ed57b46f52ce6ad5a9e5bbc13

SHA512
74d2ac06a837c1abb700e916ef1bfb95fd9a839157635911c46369ac5faf9c226a6379b7f920d18d48fa05bc7ee4366623c6c6433e7ea8a7b69f14607a2927fb

Download Submit
C:\Users\Admin\Pictures\CompareUndo.eps

Filesize
405KB

MD5
161b611d98d70d73e9f93a98f052a113

SHA1
cf48f794dfd61d03e8bd928df85db95667ff2c90

SHA256
c276a8107baa91d1a99c5b30ed959ba1ec1e2815dcad8c3571607ce8f032f317

SHA512
438c064a1ab68e7ef5b0555ccf1beaa1599872e6de6468e1cbec3c5f1ac083462f79aa103edff2027a69a7a45b152fb05e46ceb5b4577bcbe734b55db01c176b

Download Submit
C:\Users\Admin\Pictures\ConvertLimit.cr2

Filesize
319KB

MD5
ecf6ebb62e9087d13f7396b97ad4bfa4

SHA1
fca13754d6bf28ab927592a32fa4da115b9d7de3

SHA256
a2b71b00377e948af3266befbe9d5cc55ab86d8fa2ca957f041128fdd2230fbb

SHA512
158245588c862bb1098ca3ddb2d73527cbd62bcf6afbab25835879f287f7886fbb1e10f4a7e986acd39c59bc20aa494591bc8a89ba737ac9766821bb5efb3035

Download Submit
C:\Users\Admin\Pictures\DenyEnable.png

Filesize
280KB

MD5
0256cc2118f95262f6f5dbf8c5a42c0b

SHA1
ed6b3820a0cb593bbf3bdfe0b84bd33b1d64c009

SHA256
0534b5b407c9317fd622e085936c4ee170698ae8e28b08ff3400798b8f76fd0e

SHA512
dfec1666bacd54f52c219426e686386da170b933dae4b6e757472395a8c2c785b17d734bd97a52ba008b201fe39a4947d15e0a74c079ba4c64f2e4f5311e3544

Download Submit
C:\Users\Admin\Pictures\DenyReset.svg

Filesize
343KB

MD5
f8a289b6c8519abc286cd70fd27853d9

SHA1
ed643dbdf972260e7f67b2ad8941af4011e6d88c

SHA256
4f90e1a7b1dc8004831493da98cdb46e000343203f8b183a4e42bf6b089378ea

SHA512
7a6a5eacb79ad7db86802a1ce07f4332165daf410dd5d96b2f4d61d489224be8241148daed6b7b5eb1c8d7d7b3bebb4ea35ee7fae9518e0f1c8dc203674be4d5

Download Submit
C:\Users\Admin\Pictures\DisablePing.tiff

Filesize
304KB

MD5
46b62893f59594cfb9082ccea07a934a

SHA1
040e06e31029040a9955dc5e3f64bbde2861273e

SHA256
6c3680f1851945b4027509801eeb84b51d4c496939eb7e84e4b2fa669ce00cbf

SHA512
6840c6daec98674ecc049a54c36baa47687926b640bb50d31cb4dc9f850a9c75f416e18a1ac948d75b6374168980194f99fc8466a3d620953553ed5ab59b32d2

Download Submit
C:\Users\Admin\Pictures\DisableTest.eps

Filesize
374KB

MD5
63b13d7a8542ec4bf4e20188765ac451

SHA1
ea3b1320a4b7280106db03bf3023a1272275e924

SHA256
04043dd1a65fa0a59f5f2d198c5811cbc6d1c6d703b7cd6237f47baf07907bbd

SHA512
f72a0bc8a8823de7c42cb1c221c073bc00c1c3794343e6605965aa5b5d6853fcedfbe689f4d1d7c77ec2602e344f7cd5a1eebb7db96ec9d65299788aee963f69

Download Submit
C:\Users\Admin\Pictures\EditMount.dib

Filesize
390KB

MD5
5132744ea876339e172fa3fda1a4bfdf

SHA1
ad8a0204cec768e8325e99b4aba12ae2a5a8997f

SHA256
c5484115176cfef0e51d01cbdf4804663d72c5294d77f806553b1f325ee7d976

SHA512
2880c1a94b7a5ab9fbfcfafe58b59438bb317518ad5205642144f4666c81f0995b99fca63ba87f3b801f5157cd93cee379329f88ace193fa5ecbc3a328e932b0

Download Submit
C:\Users\Admin\Pictures\EnterDebug.tiff

Filesize
202KB

MD5
ec46bdb04d2e886230302ee976fc73f4

SHA1
eb1be26b237a05a229ae00865102e2ef7020f6da

SHA256
36ada1b6b5f4ff5fd1171724c815f150a68d6f2a62238dbf6ea2d2dc0f9e3ee1

SHA512
4c135e5f926e0a5a16e52bc19d3ebaee077209a3a9c3fc0a49b5d68e06febf2208bc0c23a3a79ad6ef6a4eb2f825df138a1591cfabfd9e1453a9508223d1961f

Download Submit
C:\Users\Admin\Pictures\ExitMount.svg

Filesize
218KB

MD5
c7a87b79d3e0a5fc65d16cda1d5f208c

SHA1
13426355ac22a8bddf4ac3a33288c189c31ba310

SHA256
e2144f51a4037620584d50794f5aa7628f36296e12fc4155bc2b622117fd6c96

SHA512
2fc4e343a69bd0fb5c1334bf9750ba98ea77f5e66a24d4f07a26d8de7549fd47db5c4747b55a093c30463d7d2406f3e37097f7da9fcffc9770cce5c7b35040a8

Download Submit
C:\Users\Admin\Pictures\ExportConvertTo.bmp

Filesize
312KB

MD5
bdd0a98aa0fb2cc9dd67fe499807e2e9

SHA1
058e247e6366493001750a6410ec0ca79981b5f3

SHA256
8f81e709dc427c71ad080f819fde2ed82df7f335db382affa885bfb352b93ec1

SHA512
4fbae05ce13b9c2d3d6d96c01ecd6269e52acdc66f50597197e7600a7a6e8ea1ceb1561215a1847196a53e58166eb72ee543b658d68b4263a7372e71379bbbf1

Download Submit
C:\Users\Admin\Pictures\GetBackup.svgz

Filesize
382KB

MD5
9c18179c96eb31340d53d7278a999042

SHA1
092213ebc8911113e5267c53892f930fea2c9af0

SHA256
25a53c537c2b87729aa7736d892583fe7f64bea6e90c977287a615a07dcd1ec9

SHA512
8ad5ca47d5e6c2b6e83d5aa24b58168a561a9f6f5c064b438bbdea808796da09871219f7b3ce2c078d0a858ddc80a08eced3a9858e44444416cbf3ff947de984

Download Submit
C:\Users\Admin\Pictures\ImportJoin.raw

Filesize
210KB

MD5
120233f162dd4fe0983c2ae6a23457f6

SHA1
5ae7870ff05fbcc1cce2f078b8d6af4011fffd47

SHA256
46cf2f894aa9b1820ab191f463b20dcc57b9ef77056e03832be3c61d0bf98854

SHA512
24f1a668486532788b004b9b5ffbf29f28ca2f1e077f123603ac03620c5a28427b0e6f7b9eba97b6f3a9ad66f5ef8c983999f0563f8771548bda4627397863eb

Download Submit
C:\Users\Admin\Pictures\JoinGrant.jpeg

Filesize
171KB

MD5
748f0a3988af5f5874f1438b55bb40ea

SHA1
da79aa4cc4b7708974144c33effd7b103033b116

SHA256
c730ee37c0f6a7a83e25c6b3f277e13bbc2ec8619123d21750da1ebeef5fea22

SHA512
d7a405afdb04a9160afed2e8aabbfd5d813589f8827baea3a6a83baf59ff329c09132383d4f38310b61e328cd0f0b1d188adb3e9274d16d706909a5dbb17e1b5

Download Submit
C:\Users\Admin\Pictures\LimitRepair.tiff

Filesize
296KB

MD5
1c1fd75bfa27787f56486175dc3de07a

SHA1
ea305eee5210b60ec9f4828223f1ffc2f21cd632

SHA256
a16cfdcb514b2764621696cdfc99c0f4d7339fcd1cfac2a0cd4365383ab65c29

SHA512
420edc5837cb877f92486b55ecb4870f148c6c0e234d060257a6b28e448f28f19397844f05fc5a473ce90167ec7c7d88f65184f508a3bff1efcd1d259b15f2fb

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\Pictures\OpenRestart.ico

Filesize
179KB

MD5
570e389bca3bf1935251628692088e26

SHA1
c137f936ae863e0d64f140a55d4bbfda68319452

SHA256
0dfe02adbc9169432006e88ab575698e86f5e7f4ae55e4ad8cece26d94ad852d

SHA512
08ae14e90f155ff2da8e2ceaef34da361c25987358992cfcb45ce555e6d4827f792ecb938b14e4754c78aebe8ec615503b40fe20967b940c82e9f12710f3d98a

Download Submit
C:\Users\Admin\Pictures\PingSuspend.raw

Filesize
241KB

MD5
ce849b4ae38777d0b30a6f01da362538

SHA1
1758a84548f7261a09f5bfa4aeea724cded72070

SHA256
bc9ee540d2db13a1faffd245f477599ef5195ef8a03ced2e5f5f9e84c10fe6d7

SHA512
b7d75bd785d4dbcd42a54c3aaa41bf7fbf7886113aae5f3148775015e6611c7c1ed3e60f9d00d00b840140e25edb52e2c9cf4faf329985b698d39bf8912f8ba0

Download Submit
C:\Users\Admin\Pictures\PopCheckpoint.png

Filesize
273KB

MD5
67a4fe3d36df69bdb5d7fb11018ff41c

SHA1
220ec118faef5c29f10f22401aaa48370d92f0aa

SHA256
2a44e42f31500946e5ab7b1ec6ef8e10b69194be68c99d2896f3f5d8672133b8

SHA512
3cb49e6e8a4f13765e7d14382527f7bf39d2eaba2eba5fe50d51ffc92383b61dfa2b05eb650fa0a88cf67166f972d2584d94567a50a40677f56deb78db1f11e6

Download Submit
C:\Users\Admin\Pictures\ReceiveRevoke.dwg

Filesize
366KB

MD5
5caeb91701681db8614c65658a8539a1

SHA1
a963a8565f72899c1e40e6b2d0e8eeb6225cad55

SHA256
bda4b3290ce8de9e91847b29dc65c355d9bdd45cb2080ccbce666b7a7b7ce325

SHA512
71b0263165c67ba4351c68731e65ddfc437dd277d675ef6f9fb9b33bde92d8fd662187d198cece4e334cf647f4251a3efbc5292d9be0dd64e04829374627cabb

Download Submit
C:\Users\Admin\Pictures\ResizeStop.pcx

Filesize
288KB

MD5
5592681221f5add0b6b66dcfc3a76dc9

SHA1
d96a150067c620d76db30f27641bf220c46d7fa9

SHA256
960db6f75693d18e8f3009e669e80ae85abf98db3c56af13d586158820d3c381

SHA512
85e6be76a6ea66401a7eb9e18720831db12b71f2c45586bbb0e1de17bd0fa8efa93f25c72166744e395b44be89a7b5d717b5c9d1a197c3ac8d5fee63e5432249

Download Submit
C:\Users\Admin\Pictures\RestartMount.dib

Filesize
584KB

MD5
87381460f38653d10edac915d736ff5e

SHA1
76fc700bb4a06cc54e6c3abcb447596739f1158a

SHA256
f95fe4c798384cc6f0963bb7fc078e9c83c4c6d01565001d9014982a488492cb

SHA512
c5e48c9245931e86496a9ad698324c307bc3a1940f8564b806f4991f3b2054a562dd2dbf8439d6210ac24cbe685d6b2ca2501e6ef7e9686c9ad88bce8cb40306

Download Submit
C:\Users\Admin\Pictures\RevokeSwitch.wmf

Filesize
156KB

MD5
9fba63bc397f4909427a483cfbc475bc

SHA1
ac006b99bda75f12104e199cf95b4b497e43708f

SHA256
815445d1465f232781d346a56698a2361971b82af7f51aa1e65ebb16e09a15ae

SHA512
589e09c64fc3b45f1ec69bb019f7ddfe43389328eedafd0d6a18813a95694627d2e3ec21cf3267136523d37e0d97e3bff56587688c3439c5d433c5c2d14a2578

Download Submit
C:\Users\Admin\Pictures\SearchStep.emz

Filesize
195KB

MD5
ab552f078500010954a3dbda6aa1117c

SHA1
d44d104e736473770d1fcf99404e74314382e81f

SHA256
47ee5609f0ced1e568233f7ccad3cc343813b28e97d9bdf6590d2d4fcdebbc2d

SHA512
e274bc893717ede85d2c1a576cba731a1ac16db6ce356235e87119457ff7552307f92ec1fb8b8e39489aed2b316121527d7caece5ff03051592918864594fd4e

Download Submit
C:\Users\Admin\Pictures\SetWatch.png

Filesize
187KB

MD5
0c18caae9b2495fa59c473cb5d3010f8

SHA1
50e29623465e55a3c857d7615e74e0fe27c8e1fe

SHA256
a8cb9bf218cfeae4013632be4461a65e7178d9bd7c3695c236e19011c12f767c

SHA512
871e456c75e9b3079ad8f34712d47bcededce1c6536bfd092519d60dd4f778f5eb77b95327bebe849f51dcb7b13042ebd82b17b01d74a51b8b4498cf66a1d481

Download Submit
memory/2908-411-0x0000018AA2220000-0x0000018AA2240000-memory.dmp

Filesize
128KB

Download
memory/2908-521-0x0000018AA2D50000-0x0000018AA2E50000-memory.dmp

Filesize
1024KB

Download
memory/2908-393-0x0000018A91B00000-0x0000018A91B20000-memory.dmp

Filesize
128KB

Download
memory/5404-914-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-913-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-915-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-916-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-917-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-918-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-912-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-906-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-907-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download
memory/5404-908-0x00000286FF880000-0x00000286FF881000-memory.dmp

Filesize
4KB

Download