infinitylock | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Resubmissions

03/03/2025, 23:26

250303-3e1x1ssq18 10

27/02/2025, 18:06

27/02/2025, 17:36

27/02/2025, 17:24

20/02/2025, 14:05

20/02/2025, 10:59

16/02/2025, 02:15

15/02/2025, 18:54

Analysis

max time kernel
1048s
max time network
1047s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
15/02/2025, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

infinitylock wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 4 IoCs

flow	pid	Process
21	4184	Process not Found
83	1408	msedge.exe
83	1408	msedge.exe
121	748	Process not Found

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBF82.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBF99.tmp	WannaCry.exe

Executes dropped EXE 64 IoCs

pid	Process
1784	taskdl.exe
3736	@[email protected]
2308	@[email protected]
2036	@[email protected]
3672	taskdl.exe
3012	taskse.exe
1940	@[email protected]
4840	taskhsvc.exe
868	taskdl.exe
3868	taskse.exe
2788	@[email protected]
4300	taskse.exe
2708	@[email protected]
4452	taskdl.exe
4512	taskse.exe
416	@[email protected]
3180	taskdl.exe
3136	taskse.exe
1924	@[email protected]
2992	taskdl.exe
4164	InfinityCrypt.exe
4832	Rokku.exe
5728	InfinityCrypt.exe
6092	taskse.exe
6100	@[email protected]
6120	taskdl.exe
2968	taskse.exe
4672	@[email protected]
2292	taskdl.exe
5240	taskse.exe
5376	@[email protected]
2420	taskdl.exe
2152	taskse.exe
5380	@[email protected]
5368	taskdl.exe
5844	taskse.exe
5840	@[email protected]
5816	taskdl.exe
6012	taskse.exe
5996	@[email protected]
6008	taskdl.exe
5784	taskse.exe
4448	@[email protected]
1144	taskdl.exe
932	taskse.exe
2328	@[email protected]
1864	taskdl.exe
5184	taskse.exe
5072	@[email protected]
5212	taskdl.exe
4324	taskse.exe
1664	@[email protected]
5244	taskdl.exe
1868	taskse.exe
2376	@[email protected]
3960	taskdl.exe
740	@[email protected]
3808	taskse.exe
1808	taskdl.exe
1480	@[email protected]
2016	taskse.exe
5380	taskdl.exe
2788	taskse.exe
1684	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3396	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dlgwolxsejgaup088 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
84	raw.githubusercontent.com
78	raw.githubusercontent.com
83	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0002000000028b8e-2645.dat	upx
behavioral1/memory/4832-4753-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/4832-5006-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_thumbnailview_18.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_en-GB.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_el.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\pl.pak.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_lv.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\canary.identity_helper.exe.manifest.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_ur.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\nn.pak.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\kk.pak.DATA.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\ko.pak.DATA.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\ml.pak.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Roundrect_White@1x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_mk.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_az.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\webview2_integration.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_helper.exe.manifest.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-GB.pak.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\oneds.dll.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ka.pak.DATA.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB	InfinityCrypt.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rokku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4400	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4560	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
1408	msedge.exe
1408	msedge.exe
4228	msedge.exe
4228	msedge.exe
464	msedge.exe
464	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
3628	msedge.exe
3628	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3736	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTcbPrivilege	3012	taskse.exe
Token: SeTcbPrivilege	3012	taskse.exe
Token: SeTcbPrivilege	3868	taskse.exe
Token: SeTcbPrivilege	3868	taskse.exe
Token: SeTcbPrivilege	4300	taskse.exe
Token: SeTcbPrivilege	4300	taskse.exe
Token: SeTcbPrivilege	4512	taskse.exe
Token: SeTcbPrivilege	4512	taskse.exe
Token: SeTcbPrivilege	3136	taskse.exe
Token: SeTcbPrivilege	3136	taskse.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe
Token: 36	3628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe
Token: 36	3628	WMIC.exe
Token: SeBackupPrivilege	5608	vssvc.exe
Token: SeRestorePrivilege	5608	vssvc.exe
Token: SeAuditPrivilege	5608	vssvc.exe
Token: SeTcbPrivilege	6092	taskse.exe
Token: SeTcbPrivilege	6092	taskse.exe
Token: SeDebugPrivilege	5728	InfinityCrypt.exe
Token: SeDebugPrivilege	4164	InfinityCrypt.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	5240	taskse.exe
Token: SeTcbPrivilege	5240	taskse.exe
Token: SeTcbPrivilege	2152	taskse.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
3736	@[email protected]
3736	@[email protected]
2308	@[email protected]
2036	@[email protected]
1940	@[email protected]
2788	@[email protected]
2708	@[email protected]
416	@[email protected]
1924	@[email protected]
6100	@[email protected]
4672	@[email protected]
5376	@[email protected]
5380	@[email protected]
5840	@[email protected]
5996	@[email protected]
4448	@[email protected]
2328	@[email protected]
5072	@[email protected]
1664	@[email protected]
2376	@[email protected]
740	@[email protected]
1480	@[email protected]
1684	@[email protected]
5816	@[email protected]
5976	@[email protected]
2948	@[email protected]
5964	@[email protected]
2288	@[email protected]
2736	@[email protected]
4380	@[email protected]
6128	@[email protected]
4116	@[email protected]
3572	@[email protected]
232	@[email protected]
3500	@[email protected]
328	@[email protected]
6004	@[email protected]
5020	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 236	4600	WannaCry.exe	85
PID 4600 wrote to memory of 236	4600	WannaCry.exe	85
PID 4600 wrote to memory of 236	4600	WannaCry.exe	85
PID 4600 wrote to memory of 3396	4600	WannaCry.exe	86
PID 4600 wrote to memory of 3396	4600	WannaCry.exe	86
PID 4600 wrote to memory of 3396	4600	WannaCry.exe	86
PID 4600 wrote to memory of 1784	4600	WannaCry.exe	90
PID 4600 wrote to memory of 1784	4600	WannaCry.exe	90
PID 4600 wrote to memory of 1784	4600	WannaCry.exe	90
PID 4600 wrote to memory of 792	4600	WannaCry.exe	91
PID 4600 wrote to memory of 792	4600	WannaCry.exe	91
PID 4600 wrote to memory of 792	4600	WannaCry.exe	91
PID 792 wrote to memory of 3596	792	cmd.exe	93
PID 792 wrote to memory of 3596	792	cmd.exe	93
PID 792 wrote to memory of 3596	792	cmd.exe	93
PID 4600 wrote to memory of 5044	4600	WannaCry.exe	94
PID 4600 wrote to memory of 5044	4600	WannaCry.exe	94
PID 4600 wrote to memory of 5044	4600	WannaCry.exe	94
PID 4600 wrote to memory of 2308	4600	WannaCry.exe	100
PID 4600 wrote to memory of 2308	4600	WannaCry.exe	100
PID 4600 wrote to memory of 2308	4600	WannaCry.exe	100
PID 4600 wrote to memory of 4640	4600	WannaCry.exe	101
PID 4600 wrote to memory of 4640	4600	WannaCry.exe	101
PID 4600 wrote to memory of 4640	4600	WannaCry.exe	101
PID 4640 wrote to memory of 2036	4640	cmd.exe	104
PID 4640 wrote to memory of 2036	4640	cmd.exe	104
PID 4640 wrote to memory of 2036	4640	cmd.exe	104
PID 4600 wrote to memory of 3672	4600	WannaCry.exe	105
PID 4600 wrote to memory of 3672	4600	WannaCry.exe	105
PID 4600 wrote to memory of 3672	4600	WannaCry.exe	105
PID 4600 wrote to memory of 3012	4600	WannaCry.exe	106
PID 4600 wrote to memory of 3012	4600	WannaCry.exe	106
PID 4600 wrote to memory of 3012	4600	WannaCry.exe	106
PID 4600 wrote to memory of 1940	4600	WannaCry.exe	107
PID 4600 wrote to memory of 1940	4600	WannaCry.exe	107
PID 4600 wrote to memory of 1940	4600	WannaCry.exe	107
PID 4600 wrote to memory of 4424	4600	WannaCry.exe	108
PID 4600 wrote to memory of 4424	4600	WannaCry.exe	108
PID 4600 wrote to memory of 4424	4600	WannaCry.exe	108
PID 4424 wrote to memory of 4560	4424	cmd.exe	110
PID 4424 wrote to memory of 4560	4424	cmd.exe	110
PID 4424 wrote to memory of 4560	4424	cmd.exe	110
PID 3736 wrote to memory of 4840	3736	@[email protected]	111
PID 3736 wrote to memory of 4840	3736	@[email protected]	111
PID 3736 wrote to memory of 4840	3736	@[email protected]	111
PID 4600 wrote to memory of 868	4600	WannaCry.exe	115
PID 4600 wrote to memory of 868	4600	WannaCry.exe	115
PID 4600 wrote to memory of 868	4600	WannaCry.exe	115
PID 4600 wrote to memory of 3868	4600	WannaCry.exe	116
PID 4600 wrote to memory of 3868	4600	WannaCry.exe	116
PID 4600 wrote to memory of 3868	4600	WannaCry.exe	116
PID 4600 wrote to memory of 2788	4600	WannaCry.exe	117
PID 4600 wrote to memory of 2788	4600	WannaCry.exe	117
PID 4600 wrote to memory of 2788	4600	WannaCry.exe	117
PID 4600 wrote to memory of 4300	4600	WannaCry.exe	119
PID 4600 wrote to memory of 4300	4600	WannaCry.exe	119
PID 4600 wrote to memory of 4300	4600	WannaCry.exe	119
PID 4600 wrote to memory of 2708	4600	WannaCry.exe	120
PID 4600 wrote to memory of 2708	4600	WannaCry.exe	120
PID 4600 wrote to memory of 2708	4600	WannaCry.exe	120
PID 4600 wrote to memory of 4452	4600	WannaCry.exe	121
PID 4600 wrote to memory of 4452	4600	WannaCry.exe	121
PID 4600 wrote to memory of 4452	4600	WannaCry.exe	121
PID 4228 wrote to memory of 3544	4228	msedge.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
236	attrib.exe
5044	attrib.exe
6060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:236
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 94701739645699.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dlgwolxsejgaup088" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dlgwolxsejgaup088" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4560
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:416
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6100
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5376
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5844
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5996
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6008
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5184
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5212
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:740
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5540
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5812
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5976
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5504
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:884
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5308
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5716
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:5268
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:232
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3500
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:328
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5988
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6004
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:868
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:5844
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:8
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:6060

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
  TaskData\Tor\taskhsvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4840

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTFGRDg5NTQtRkM5Ni00M0JGLThBNEEtOUM1ODM0OEVCOUM0fSIgdXNlcmlkPSJ7NUIzRTM2NUYtNDk4MC00NDQzLTkwQ0YtNEE2ODM5QThDNTBEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODhDQkRGOTUtMTBCMS00MjM3LTkyQzUtMDU4OTcyRTY0QTk4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMTQwMjA0ODUiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\OutLock.xhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd27753cb8,0x7ffd27753cc8,0x7ffd27753cd8
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  PID:412
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:1028
- C:\Users\Admin\Downloads\Rokku.exe
  "C:\Users\Admin\Downloads\Rokku.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:560
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:4544
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop swprv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swprv
      4⤵
      System Location Discovery: System Language Discovery
      PID:5584
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop srservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      System Location Discovery: System Language Discovery
      PID:5600
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6883412156343365445,1232071952237298766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
16B

MD5
977ff6dac3cc9937ed05a7387c08f95f

SHA1
994b510e9e12b04d3ab2aa967bac6f746780b9b5

SHA256
100b95d5c91fb34bc0b1ce5bebf3f880f174a4e7cb1e267e096ce50c2ff896fb

SHA512
ddfc8555bb117a0f92cab6453ac257bbdc1ac0a56e64bb77e4be36f5070ab2118c7e1e9bca98b35e77313860e2e9105ae3601f4bfc8f4ec7a774d6ac0b364442

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
720B

MD5
79582075111126701fe7508add0255e1

SHA1
44605068d160b9a0e8450a44b09e9464abd6e3be

SHA256
fce2fb0ea1dec733ce32bc3400fb4318acd22c75df6cd3e6e60b09b51e16b1a6

SHA512
35841448e875479de7e8faf64de831014c4bdcb52bc24f44de1d4ab339d7fe9c8ce8b9bed349d58569e70bea125510ea78bf602b345171aa2b4bed48651c04ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
688B

MD5
0e6c6f6256ceec3eefe9e8c08f814654

SHA1
d8b92365977ed120cb2213efc865be762516722e

SHA256
0072846889b5b660544ebb6e8c759fc7b666afd96022852c9faf0086ff098a5f

SHA512
00b8086030c66d8a90ac1e59abc4a328d716c9d36c458cdebd0bdfef765154b867b490cdfd4dbbbbc5a49889c9226e5a24a71ac6a9360e63477603e144c0ae10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1KB

MD5
ec57cc50074a4a1bb4dd878fadf67649

SHA1
9e47e2eebd5b38b2c5c428fe0cebb8e3346781ef

SHA256
33930d24fb67c8fe05b17f09821632e3a1420554beb5003e93ffb6ec000ed5ae

SHA512
cd5fd3e5ffbede6eda514dad7ec418fa18d93bf1819dd2efcb8535ceb897b709a31807272b0dc6ee4abb05f9eb7296d8b56bfaf1f50ddf43269cb23059c75389

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
448B

MD5
23386923a183fd4910f13ab0a7e62473

SHA1
8b4fcc7f7d5fbb4e6c979907adbce97ae67354fd

SHA256
02d5cc488872366afe6f89e212aee04acb6b2f7f63fc2e426071be4d2389cf75

SHA512
a3bd035a10fe8cdfe47c03f972ae23a6ee7d4c38aebd78e491ced122fcccda4e7d6cb857fad5f6fa70ec0b3c570077ff3eef9f468b72f7b26f212a0ccb203849

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
624B

MD5
84160dea68a84cb1a4383de140c42321

SHA1
4c86a7c8cb6661e38fae355347d38bb342a48229

SHA256
16730adc7a38421cfd8fbbd94a233e3d44d16232c2fb6fa8a229b12d6fb77e3c

SHA512
b0674d192cbefc2c24dee77c48c5aaf5103e5b119a7b29c4196723a93542c1b439550302c66a5cacd79806597664a614499f75e078996df3bd4e4fb5b6d200a0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
400B

MD5
334aba8bed54a750ac99660e3f715dd0

SHA1
9896658120a1f2afa9f4d9c7f1bab1a04ef751ef

SHA256
da8e74fb0ec91941bb0544f7f3de7203250fd2c17329e0b528f03451a083ec83

SHA512
1aeb932e8e2d17fc05a7466ac737be27e47003342b86a9b1d7b4e3120a5462f54ec1339d1097217ed48eb9c354d36377502009f0729634b06e08b3dc3aae92a2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
560B

MD5
1ceffdac3cc09ca2c2b3c223ba1dd670

SHA1
dd06d9be3a5fa01242370b3272200d3351e122ac

SHA256
eede6e85b3ac1f151c9d2ba2f1346d509711c0d5d2a49c9b86b520635822aa4c

SHA512
50f10ebc87fb3be84f266aaff4a747fb6213262687006961b74da177cd413a9fbd2d8ac8a53992e28b945cde08d55e1249f98d9188e882756e05becb459215dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
400B

MD5
3c4f7b7dd25248a969025c9e047bc0aa

SHA1
9d24c88cabfc6fbf2288e7e810b0f7b7ebaf5a19

SHA256
da061523284d300b7c3cdf711f683a1a2eba4f35fb53a2691441311759bf24a2

SHA512
f7519f7fa537419186fbda8964cd89768dc75dde71e8e6330538f6e7d594dfece6b59be302b98471a3ca70749411c7153177bc08bd26a0d520d53c954e40168a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
560B

MD5
09dafbb0ba5e43ed3b273d19ddaf247a

SHA1
3f0055c6f54695d001dc599219bc6541855a2d98

SHA256
9cea587e2c3276096ea8ac2ebee71d0494da0660979eeff7dedce00bd128d861

SHA512
44b712d9311886195d256ce4bfc02b297ed25d260a04cf8369feec1ca63c5b6ea146e13cec281394d6f528d1bd422fa122692552c64fb207d2fec59f0d8bb76e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
400B

MD5
e568bc5302b7a907a12b1a3b3aa30615

SHA1
c3b0c30dff2ce79a83caca048d1dac8d23023010

SHA256
f49ada7e11fa703db8d7b01b7209e79ad40f16d65034465b51bc6c8d447973d4

SHA512
8a5122614b149d9b79fbe408913c8e107e534d40b5aa99e6e2e1f299797ec1fc15e15709b1890d6e49196ef5eb7eba27fb03374825eb72c74c5cd5b428025fb0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
560B

MD5
f00b5af6feeb955d8ee236b6f48b754a

SHA1
be884076501130d4d81376fa00f75f3416fc1945

SHA256
57b8693ac8aed5714c3e2930313557beb45fabcf8d2f4b59ddf955805fc04c6e

SHA512
d3c77d288d582d3ac2ee1802d66307eeeee69c881c9baac6d481879300cc3649ec168df2d65bfc50a0bf7eaf7764b8912719d36ae89264931c3c1bb26be2eb3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
7KB

MD5
7739c928fe8747822f3f237d893dbd62

SHA1
b05430866593aaa9ffea84b48a3bba6854bf3f2f

SHA256
e33da683c7ad28877c577a3bf08b844ab976986f2407dfc3f1143634f107482c

SHA512
b5736026dbeb5be130fd30ac866f576c5b1a54d699aefcb510f44d7dc554966d96391592f793f42fa5bcd7816eb43754d3f63a57a4da6fe164ede885ce95ce0e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
7KB

MD5
c6d4cc47081a62f901e1ec44025a89df

SHA1
a481357ee1a61178e9449aa3f376ea7b8c7c847a

SHA256
ce5b7188c1002c376c71c79765add5806de8eadb9c2448e4a06c4cca165a7b77

SHA512
07c0ad51940e536be7d838292f3994bf46be77c42ea1b9c30a41878a9656c25c6ee216a6d03b593e99dd993f44dcb6bb003be22824a730226dbb28c90ad2493d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
15KB

MD5
e9a488adca2641dd1e0de07a6147dc0b

SHA1
afaeb0b8012302f7083378eea4fe5b36d7c3ce68

SHA256
9981c2f63ee42fea7237a57380bb73a6184e0379b6aaa8ccdfd07a673b43f8e8

SHA512
a1342837fe0e5189f6058a5ace6137e46840efe0c0b1d65022cc8e495d4f40a568e4c292575b5d7a83469c084e3e0cca3585eada52d5dd03e88747028ee705ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
8KB

MD5
81724fd27be028c6959b5e032e4ca7d0

SHA1
4b303a5f30f7713c670df45014be6e90c072d260

SHA256
e2109d515d7af00ee2b002a6cbc6b92ac070dce65bbc5b84660b895563b3a9c9

SHA512
8f71425aa581fc944d27cd8155b50703afcd53f6e7fb531d5985d0c719c447d16239ed001d3e681bfc65c22b0c9fcae1f180c236685352531d406590cc92a2b1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
17KB

MD5
f5489f21440e448c5abd5cb68bd4a846

SHA1
f518cb19cd1beb322ca495a3e59e5848d3a22537

SHA256
acf7929f08e188f5844b43e6b7511cfc68cb8206562eb4179a1fc7b8e093e045

SHA512
fe1fd33c557e0b814689a12c08144428c68e74eac6a02cf384302479d0bc061c9d04be839bcabe397f2a3abd0683608e0cade606c218a4741afb412d29ba9fd2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
192B

MD5
47524d1c432c3da7e32f1fd4f8a5e49a

SHA1
1198a127103ff1987080c3763e9cb09a4ef74d5a

SHA256
649bd9158c9ddd138518f32846b9b07e0142fe21eb309623d502a763c844095b

SHA512
965263efd4927a6165557ffa76b07cc2732ee4014c22b674292be40a5c9f9a2f43974b45ee3d45839423c9fc69d0f92da78b5d65b784dde1373f829eb73dcba5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
704B

MD5
df42ee97002a2b6bbafb95c4a0694eb3

SHA1
d55d4807256545544f6d36d63631cdb14ab6afeb

SHA256
8316f4d727ebeeea92041f73311c72d342d52c5467eca7abd17840dc10471747

SHA512
7abeba4c57d5bfb766968fcceb44b0e54a872a30e18dd2ec781543dc463c8c0dd7247f1e63f5661630dda333d69e1084fb0e31f52804dc97a2c33f54b4370219

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
8KB

MD5
000cd243add920e5d8c2ab1d863eafc5

SHA1
56b5e8d0cc8c4a3fe1a6efe69c02ea89ff056450

SHA256
d0a66b4472ec848f90ee5b877222bd41802ab685a5f526297b6d816a924cc83f

SHA512
5942e6b9ed73514444583b387b277bb1c432e8f17bc8557159e4d9a0c5cd02e568672b31198361e0999658a6e14b1ff7a3a2eed0fe36244311f6ed315ac43c21

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
19KB

MD5
0dd18d90985a09848de2e5a16e899c4a

SHA1
f7bd78d4c2ac2a9866bff02743ebfe071085572c

SHA256
caf129054df0121c7d7701f0a4646f2cb6329265d00f4be6e1ab9ed3a92b9920

SHA512
3dbb1edcb0dac224e2c7f2295ed84d8c5a4d27041a5605b42ba4910663d15e99104b621ba20f9a89afbf78ab4b5fe6f58907dbbbc0e4481dcd9461f73c4673df

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
832B

MD5
463dfa02d8f93033de104705b54b2aba

SHA1
2524d27acccc00868138381ccf40a5253af37ec6

SHA256
a45c3c6359e592cd9181eb03a7928c4b6762af524f3c41f0ab94fc2a1fe290d1

SHA512
97f2f2d94a2f5afe7383efb91ae6e2160b5e3efdd4e47908af51d6b0afe4b6a1120d968e99217413b48cabc5b7192938d007e3f348fad0c73cc2062581176b4b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1KB

MD5
08620a3f3ecb7510701d73ebb47b1d32

SHA1
de52149ca980a02eddb5fc7937d68caa3b69c5b7

SHA256
1ec9e648e23f198f3702e1fad99d59840225e887b37731cb5ad13806164f23e9

SHA512
dea454b34e0103fd15615bb5b48916603ab3fa78f2aa40943a99e7ce0a0ebae1103cff78f764fa4cbc499a730af5bc55691fd6616e05714275003ff695229c89

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1KB

MD5
fcce9fe151f84d9d43752aab75c06330

SHA1
68e30244de95a99c76d9dc925fdbbaf632d99ff2

SHA256
8fcd6ddaa37e14eb64b708132516b5fda31312e2b4a11e667991864f29c0f9f8

SHA512
b0a42fcae5a14ff2df8cf17d59dfc6ac3e94b22c3172aaa329675e39f54155a6e5b51ee2dcc766fcbf3574e5f010a32c0e90e13181883a2970d2a36063e2be8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
816B

MD5
5f405ed3017e37f67dfc553eb59faf2f

SHA1
0c3208f6429215607f85a525cb152e93591dca60

SHA256
847cc9c5f40dad380de1d78ec7988b90d019713ca269a942343c96d0db8aa184

SHA512
19711e1126ef6fd2d17dfb251cf45d30066a0563c19d9c769c1de4d1fb0be6b421e3c1fb4490ea426a6afedba7fafb2c40585cec0547d8a690d806818fb3f2a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
2KB

MD5
527f5df496ed7ca936af5c67ac0f14d2

SHA1
89584b82df2425e81f9b075d780c91d84a7b9242

SHA256
b712bc2c56b27b1f0aabfe179a8cce2f3897dd24b7cce6124e29ee4557430b69

SHA512
d46425b4d8590e704840e0520306cf7304c638d2fd8e1535c65454e0b160e126c0df5c0a8fca2aa5bca06a9e13c1aeb7040104f51e0e7616d777941136c894d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
2KB

MD5
eb4373b6267bbca307a36223dafa8904

SHA1
1ca9eef47525d85dc2fab7bb66397fdaeb335293

SHA256
aa10bd66698e4afd386353d99465f91e875d5959ea261edb7e287966a9916b9a

SHA512
2f9e2eb44e789019619941ad8bb8ea728dfd3a8c151f304086864245d1446fcc9bb6b80c3723f0fea47af3deebd6b8f08a477da677cd4ab453d0141ede2c23fd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
4KB

MD5
0534f4cf5fd3de477325d9c58b7291c8

SHA1
10c93662f430c8be4d13148b45b86175c461edf0

SHA256
27c145c4f181e9d55de2da14409a9ff697b8b739eb262b82bc772e7171f44a4f

SHA512
bd7010432be76f5ac9f667f7064e4bd7e312b611e5a13eb4136a23e40db7f8b43d077ca7a994e589443529c3cfd79c184211e2b7a283c3be0ac7e6e7b24fd892

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
304B

MD5
116cd6a252d1c61de30876293c11ef06

SHA1
082587c1e8496f7fece21ebda56a3e4678d3ca57

SHA256
c783e13f876bea5114d82c7394ffc4837687e994501822cc225de390017e741b

SHA512
6e1827563826e6b8541980b1949b312cdd91ad05e0e7471d71cffaea8740173195421522b4b906b5559f8ca8af5cf250545443589eb9f4ece46dff5e25d45792

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
400B

MD5
5406672a55e09d30b8fda634d6a2d9e6

SHA1
ebabc8ad6feec47712889b41a15dba104a15dfdc

SHA256
187c901a93a30b2d651018cb0733d1995ccefe5ce54dbbada74a5c167e13c331

SHA512
e06f6ab73b1a1635df771eaa4a79cfedf043111a66f18e8af123b595496a530b3d2067b86323eb7fe6469f918666784e3d51ea2d7415bded87f51c421af8e457

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1008B

MD5
9321e15fcfc5b140fb74c3896ddf41bb

SHA1
2073503d08a449a66427c859b616845941f71113

SHA256
ab63a6f2e15ec55afc1f6146a745c4747b041cab36776f9b572eb9e2a736f497

SHA512
bb9cbcc374e1de9ff1fe1d949f6296cd661fb7be9bfdfcd29275aef593dab2105beb4f4fc20a2e262105a390ac9b2effe163ec4f4837af540b86f1bfa7d829e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1KB

MD5
9546ea82ccdfe19904c04de3deb3191d

SHA1
025e945d5d15eb889e7d8a43458a9ad92aba32ae

SHA256
acf5e02d9593fd0868cc864d5033d31c497c51e1ef79748143f044a2309750a2

SHA512
a76c96e821d19a3aa8292e053f3156f292fab36c4c4f6a62f935985c607e05befefa91ebd6925532e521462590cdf787ebbfa9d753d59d312d6a8f6ac4c758f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
2KB

MD5
af7aabcfe4ef83a84c52e9a6bd8cb28f

SHA1
f0a0051bd8842f1e2ae8071db31a057ff849d923

SHA256
c5e9266c5b982b10425375d0423e50cc526753314fb6ce33e161c0f1deaa2b42

SHA512
1e7a1ea8d6ed986f86bce58e39a985fa2cb15c1fee6513ca8b717ecefecbc63ae6b692b795d3388f936f1c9df832d718146b99cbbe038d1fdc506b9226583c94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
848B

MD5
504004fdfe49f2d6c1e0040d9044efdf

SHA1
7ef401054597fa94788cac6696fec6f2d604f085

SHA256
96eabbd82a7d3f19c9133468e9bcc5e9ccb55990b90455fce04b08e863a7fc35

SHA512
a5f3bc96d99206cf7fb683d9cf3e1b5a96bf8ca5cb51802572524ef68eb4b65cf9244528295b433c760705d15f0f7370f3d22fb2521c0ec0132cce8bb8b21ac1

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
32KB

MD5
8f936fe5e118d4f8b66c2b0730ec08fc

SHA1
767f732cab0eec9c28b7f10d245a8adb3e9b1f73

SHA256
e181a348227fa86952299f381f9718af9f7d6dc1d322a15efc4b24c2ba42e5d6

SHA512
61c2bd294cb113817be2499e51cfd80ae4c000a97958ec515369d0a15e5295c7a4ca38ea5068afa504b35a71b61408f4e87288a91d289b1a2813ad731d2f6687

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
48B

MD5
05e7875c24f451d2497aed412a85459d

SHA1
877d026f162fbce6d7726259449c5bc953c3d298

SHA256
3509116b83ef2c3af5c1bc66d3234d948d4dcf9ced9c2cf3f1747616d619f190

SHA512
053056b1e4795e0824efd02ca6943412c195b638989fbad7fc0a1feeaec4c2537a2ee46ae6a7403af20e35625fc23fa90f1725af3cdd644e4bca01ee5cc52606

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Internal.msix.DATA.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
56KB

MD5
7cb10e144d89fb9545b50d8863314981

SHA1
8a8495cae819301a00d2c8d5a846f0566149d9c2

SHA256
b80fcb833cd90279981cae84f14505d52398e58868cc4b4e54310b8c6bf19215

SHA512
4e9224771b12b0087fcf220e0066629c22894d9dcbba802ef3ee6992578a6d2a15e49af1e323494e0531076dea2a9e7c74399858df8da0d9482f1ec53c940f3c

Download Submit
C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.HTML

Filesize
1KB

MD5
c784d96ca311302c6f2f8f0bee8c725b

SHA1
dc68b518ce0eef4f519f9127769e3e3fa8edce46

SHA256
a7836550412b0e0963d16d8442b894a1148326b86d119e4d30f1b11956380ef0

SHA512
f97891dc3c3f15b9bc3446bc9d5913431f374aa54cced33d2082cf14d173a8178e29a8d9487c2a1ab87d2f6abf37e915f69f45c0d8b747ad3f17970645c35d98

Download Submit
C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.TXT

Filesize
330B

MD5
04b892b779d04f3a906fde1a904d98bb

SHA1
1a0d6cb6f921bc06ba9547a84b872ef61eb7e8a5

SHA256
eb22c6ecfd4d7d0fcea5063201ccf5e7313780e007ef47cca01f1369ee0e6be0

SHA512
e946aa4ac3ec9e5a178eac6f4c63a98f46bc85bed3efd6a53282d87aa56e53b4c11bb0d1c58c6c670f9f4ad9952b5e7fd1bb310a8bd7b5b04e7c607d1b74238a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ca9db6aa94730283d8a369e08f8f710c

SHA1
c1ef5c3b08fa3ee3edec4155a31cd20312cb7b09

SHA256
60ac735f5b28b26af18d6f5b4cbaa8b81a01ada539c946bfd8ec32379b0c3b33

SHA512
27d982e3f854ee4e6eaba491679ecda3f60aa086bd5a75ee7aac61d01db177a68d9f1185e7039c623793974ae478cd1b3d35b5df4cade0204d5c0eaec4ab9d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a14c2ec70a0175c20aceee2cf4d425f

SHA1
47d680bf85143e5a941b9a2e459bca4c9f8e51f8

SHA256
8e424c207cf0e2e4780c5fd51143b92e9e7a8ad36a9477a8a6819e4b3d4c8d79

SHA512
b9c2dd9927a4fbf1628537235178fdc98f849a30ade35607cff43f479011ab82cff20ce21df9ac3e9d6aceda4d8481e30de973a12451d9ee05a091d9098c11df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b243970aaf09aa4a196ab4a83a8470bc

SHA1
f37c5f7b2d3a71086eb1858dd55bbbf8583d8267

SHA256
3761e6f80a10a7b8286878c8cbeec688f1e39d5091ae35a8f47e69fa136c4bfa

SHA512
8b537edb3dd3d5121a8fa105a331f1d3267cd7b7a9882d6f5b8cbe00fff14b632b4d95840b8c46f94528cc5dbd836f0ead7c9180992d1993a2a1d96d4731a8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4c862e5859de394e7defe9b53523a22e

SHA1
6358f3d84a68b0ba4baea709f91126903255d4f2

SHA256
81f0abca5b575aec451f5059df49254d754e1bb190ac6fcd3f29f88fbb0e455b

SHA512
aa912d927a04a2494426540a7483e389df1caab31651e242a631df9d3a73544ab2dd1ca26e852e6d5d93aac918cd1b4193dbf907ab4b318f97d15ba47bc686a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d06a2dad5e11c594d8c1fdb3042aafa3

SHA1
ca6724da0757c8090cc03aa7c3f006ed9630ab18

SHA256
73e76d8ffa5ec1fade35457b03a24c69d65aa4c89b16f341f2909aa37384a67f

SHA512
14a98695c99bde9862835e8e9988b5a262ef79007bfae80939903622359ab5d883ce37e3abf076263fbc16bae00a5acf1c1716bf4c58d8cfd764a32eda99a09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8613046c49b748ae1ecf33b8ec0edaa6

SHA1
8f95430e16ed4f1fdfaaa4a90ebec60439c70330

SHA256
04b0a3453541b9ade741935e69bf57f4b300efbe9f77c150b57664a7881976da

SHA512
da8f2e0dc44d77f7f3f380ae711ffac29ae406a85b463d9169b88f653ca6883c476bffefbed2398b0efd20111c4e00496390dd823aa9802008cb7d263b1b64d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f677a0d34fb418a0ae668b20c1e3e468

SHA1
aac7d9122cf7b8ea496debc4fcf5a1fa3b40d772

SHA256
33c31e18eda4dd7333a745e2bf3b1f062275a77ac3a16fa866d09825ee96830f

SHA512
3b56d81a62da230d82c3296c1866db7be441d4021a1936b16acee498baa5fcbf6ba05ba4b4cdba58744298012c22be65f71b093ef912b6c4c74c09ff1e361240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc3955051e28f4801f4de40efff596a4

SHA1
e104bd384d37c0ccd6f0a17fb68f4dc8a5be6d71

SHA256
0bf96f527de0cf58f1b1fbad1b55d10bf0ef2617674066db22a96ed80af4e3ca

SHA512
28cce23247c6811468c52893815e0bb41e931992fcf9d2b560e6df2a0fc6cc0af533cd8f634a44298a989abd9364e5ab817fa44c5e2adab90d1ee4e9460055ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae9a9f47547928909ad6361d33f0308b

SHA1
84a66a02a466316c99839d9c6eb85512a1cfb221

SHA256
f321c98ccd226893c8f5622843aaf84e260065d9231ebd2ac9b1d3f1a4a3375d

SHA512
a6d464e8e410c994bf293faa7878d9a7b5d9bdf5235e80aae7a99c8ee94e2581dec82cd78e773d2dbdb62aae923e4caba7358b6b614c5920336357f6919753a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54aaa4baa50d5e7f6a950d62a680b19b

SHA1
c21f02b0b04ce78b908ab3512e87570df4b66f93

SHA256
4ebd586de629c3c8e172b856a139183db795a047b5af6d26245b67105b5e25ac

SHA512
dee4c3619a886321e6d44e09b08859686068836f53ae36075a61311647ac686f7b34935bb527030d6351fc9fb9e85b08096f93f5c1c60cececae5bc9c8ad05b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e2215e787dcf9f9b579605c7d534afb

SHA1
4292e584fdb42217b1eecdc7cc9e6a42cf71f9ea

SHA256
0be04981fc90badf675706b9297650958a23ded4da85c49f2900f0cb1ca3be5a

SHA512
9bf299612ef68f532ef3da2c513992e4193e4d233f77ef7840c33ca08ecf03c4d6c286e9a49620a827b849638cd895018bd4c92b7381c5ff7ee076db033e0b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c74bf6ff9c5874f9d881bacaf130f33b

SHA1
99765ad4ed4455abc3a8b4906c77d321549afeba

SHA256
1cceef95497eb9e2c4f1539f9196cbf9bbf0abc1eba5a2b6743218588c0b219d

SHA512
18103c10f30dbb54815ae5241f190d34c9fd48f21373298f02f56dead96576111415a7444d01fdafb100190527160c1c95d3c703816371e7ab23fc1f39dfc0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
176f3cd478ff4500af952ad32aa011b0

SHA1
0718c9ec0cbf1bc21c0d6a64ff9dac2f80a77cd9

SHA256
40df64ed0a5fa3f9cb8f77ec52e2d6c2861f25961c54768df829c8461923cfad

SHA512
e9f650e38c058ddc4aeae285340b48d76dc8473ea24947e59d766f1cb2523d62691ad4e3d4d70870ac469db9930d2e80955ed65049ccb20749299317449f9849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b02c.TMP

Filesize
873B

MD5
4c594220d0a00d354cad854a6c27e4b9

SHA1
db29e2ae03ac0afcd4a682f688a9ee70b0e47fd3

SHA256
92d02b8f2916b7721177dbafb198f707ced7baad1100f487550cd081b9635e9f

SHA512
36d686d5fa2b2155b9452db163d161b7d6ad1614611bed521b9da4fd709b37c2e585666be5c0e50b85b293e55aa86585966b595c6aec54911440fba4a8d06c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e7953e5a-0375-4dee-9611-55991deeddc3.tmp

Filesize
6KB

MD5
716d9dd4c251feb66888d01cd2987e4a

SHA1
7f5d27295e228ec9b25d47b9c29ffffad7bc6006

SHA256
f1d5a038a2d09ecd0ba517950e7c5be56ce1e16c0da8e6768c9aec8b29f3e5bc

SHA512
baec6b9b3c603907f2de2aa0bd87a24f724227679cdd28ff8d8eea5cfb68be015ce6d99ce7785a285ef45deb4457450ac2a8cc3bf3a3cc4d8d47b708195c78f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcb722ea60811ec3360b2b6b95e2fa87

SHA1
3f03000e098cabe162bc7e92ab0c43fbc605a99f

SHA256
a459d705edcfca392e15f8c42f4f9b61a4ee07938e23a96834cd60ae865dd1cf

SHA512
3e01918150a9e36de77c484bb51c13b11ffb478c4bd64703f9ea517754f2d6edfefc7e103c02b13daf50a995b247b3a6887d2777f5c60a727c64adc1f45b6c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ad6bf60a115b1b85e79804160ed6987

SHA1
ef159e1861cde28cec3cf01ee9f40a5186290390

SHA256
c3cb4f3a20194211636c7ac381729bbc1eafce96d96a18b06b9fe6af0f044425

SHA512
47057d6958a97118bbcde3af9b7c8ab4d6524e100ffa3f10dece189f08a244b3deaabe66f28175311f198cf3ccbb187b314fc6aa36a74e9f785132cf6491f36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b26dbc6460e6301cfddfd528f02daa48

SHA1
1e7bfd17ec34293742b60fdcdb93853f5eb3ab7c

SHA256
11aa683e8358a93de8857ae81cae0a795f011761e45c780beb18cc0a6f311e0c

SHA512
8ad12c5dd0ee15ebfe62e2f02dbd4db928ce3d568e8c2397e7242c5b0b53f7ebd1736d47b6df2b430639b12a601a26d21e8fbbc908a388ddab0cf42144a7ae2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e6a8ebec15e821c509105e3c70711e9

SHA1
52f6491081f29ef2875434a8b2e7736fd5212f3f

SHA256
3b3115e7f9e555fc21db3a8ba6ae4d1f8528faea40594fb875f1e84d124b88fa

SHA512
8e98713d8b850ae68fec883629fea96a6af9e115cb49530d853f986193e221016a54a9d4d316a6e4adc519b45af5b94032b6ed5e36173131d6f8b144dc2a3ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
04a6408d2b48dfb9a28afaef35bca3e0

SHA1
f3976dae14e20efeb0118becb72653a2c31b4523

SHA256
c32434de9b73f693e67bf5ef07862e0d2c3312aa01cbb6760b13689d208e46b0

SHA512
b83376de1907f15474a76f03bfadc17586b9822b9f9010798a724b6d501490edd10f1fb471d15bed61f3af61d37dce473155e78c147ff3721500d28f796fbb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
3322c30d228b89d3b336c32282695ed3

SHA1
b81c4ea0a202d4fe1876741c45eb28ef02c139fb

SHA256
7a72ae16cf9b8c1b8ba2674d77b07ea21afa731edb597bde6f7a2c3fef930981

SHA512
4b1f55339d6ad80090cbddbe60de8d00791bc64c9284afd74f4ddfc2990600859dd7060066b09c568857559bb940b3a5f2f94399c1b36453d75a73df41f518bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\94701739645699.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
1KB

MD5
7dcc65e4665a9f72580185a925124d66

SHA1
f0a6502572fa8cca6ae94e50c6b2d2ad30f7bf29

SHA256
67b2930d3a4256dddd408b38cb656ef7d53944a3a70799be0ebad487ac3bea84

SHA512
8414443a9d10dcec4c9594223a220846923821720f0a31405e78c7c2e4eb1f4b69913b91c9ff08b18d7fc5a8984550011e79480cdbcaeca57734d08814145e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.9MB

MD5
8b60f41557a2e01600e681322ec8942f

SHA1
713100aa39df6053a2ca3551fb0717660557bc47

SHA256
be8c4915b22daeeed933d24e2ddfb05387bced7e642bf2169497195104d425fb

SHA512
ff945ed9ab8d15842d7c6634f6317b7a5632cbcc5555d9e53c74d225e8c90a51d46747df24d6ca8bff077072a78e7d0bc95556e55b65a7fa5ac9cf8e98c0d55c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\README_HOW_TO_UNLOCK.HTML.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
1KB

MD5
aa6dfa3288d2daa456310d0fbb6342df

SHA1
bbcde77f1143c14c3b774761f33f857c6c9fa4c8

SHA256
27810195d72a3cba541d0d775e669f8f2f70ac313b84cd19e23c4051efd2777a

SHA512
5855661de2df90cbf215a4125c62acf5afd8de43a2ad182aea1771043113c56d5cdef90ab42477e6b5effaa9c595155863675e6b58c16d1c0b3e5de15e6a8e81

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\README_HOW_TO_UNLOCK.TXT.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
336B

MD5
b95ad2581f8debf01d3e8003a5a7a7c5

SHA1
c134f88762dadddcc173b075cdfcd3bbbe779fc5

SHA256
96d7067761170a581320df6d7f87fe6489c2ed43d76c08c858bf1de617291f8b

SHA512
c7b34ce2a1782bb1f99b9efa08fc826dcc0da61ae293546515f1f277b3d8061db7b4a3ec62db6c401e0a6e6603745ffab810d16238d4199ff47ba94f81da85ca

Download Submit
C:\Users\Admin\Downloads\Rokku.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 747992.crdownload

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 794747.crdownload

Filesize
666KB

MD5
97512f4617019c907cd0f88193039e7c

SHA1
24cfa261ee30f697e7d1e2215eee1c21eebf4579

SHA256
438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

SHA512
cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

Download Submit
C:\Users\Public\Desktop\@WanaDecryptor@.exe.C199FCF5F6DDD378FA92DB9587BE1F854D8AC48DFBF581FF43280C45BD9A85BB

Filesize
240KB

MD5
6050819a84b10205eb3af469beb18fb4

SHA1
642eb345092735bf44cafbe7156ff169d25388de

SHA256
ee90dabba19d0eea18c23cf624c76b1d978600a1d927f1ddf290d2a3b7973038

SHA512
684d30e78e023f7c9780de97d6b4508424cab008e29f6c4507accefcd84b6396dd50e07b74fb497f659509b9c56dc4e0ef51b150679d7248d0931d57256b2fc6

Download Submit
memory/4164-1966-0x00000000000A0000-0x00000000000DC000-memory.dmp

Filesize
240KB

Download
memory/4164-1967-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/4164-1968-0x0000000005140000-0x00000000056E6000-memory.dmp

Filesize
5.6MB

Download
memory/4164-1969-0x0000000004B90000-0x0000000004C22000-memory.dmp

Filesize
584KB

Download
memory/4164-1971-0x0000000002550000-0x000000000255A000-memory.dmp

Filesize
40KB

Download
memory/4164-1972-0x0000000004D80000-0x0000000004DD6000-memory.dmp

Filesize
344KB

Download
memory/4600-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4832-5006-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/4832-4753-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/4840-1591-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1406-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1410-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1416-0x00000000734C0000-0x00000000736DC000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1445-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1451-0x00000000734C0000-0x00000000736DC000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1452-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1412-0x0000000073820000-0x000000007383C000-memory.dmp

Filesize
112KB

Download
memory/4840-1458-0x00000000734C0000-0x00000000736DC000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1462-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1469-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1411-0x0000000073840000-0x00000000738C2000-memory.dmp

Filesize
520KB

Download
memory/4840-1402-0x0000000073840000-0x00000000738C2000-memory.dmp

Filesize
520KB

Download
memory/4840-1403-0x00000000734C0000-0x00000000736DC000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1413-0x0000000073790000-0x0000000073812000-memory.dmp

Filesize
520KB

Download
memory/4840-1414-0x0000000073760000-0x0000000073782000-memory.dmp

Filesize
136KB

Download
memory/4840-1518-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1404-0x0000000073790000-0x0000000073812000-memory.dmp

Filesize
520KB

Download
memory/4840-1597-0x00000000734C0000-0x00000000736DC000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1405-0x0000000073760000-0x0000000073782000-memory.dmp

Filesize
136KB

Download
memory/4840-1415-0x00000000736E0000-0x0000000073757000-memory.dmp

Filesize
476KB

Download
memory/4840-1775-0x0000000000450000-0x000000000074E000-memory.dmp

Filesize
3.0MB

Download
memory/5728-5940-0x0000000007890000-0x00000000078F6000-memory.dmp

Filesize
408KB

Download