badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

17/04/2025, 00:02

250417-abss1sxvby 10

16/04/2025, 23:53

250416-3xnems1pt6 10

16/04/2025, 23:50

250416-3vm14a1n12 7

Analysis

max time kernel
95s
max time network
97s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
17/04/2025, 00:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000282c3-747.dat	mimikatz

Executes dropped EXE 6 IoCs

pid	Process
3436	[email protected]
1200	system.exe
6056	system.exe
4108	[email protected]
4992	8C3D.tmp
1612	[email protected]

Loads dropped DLL 1 IoCs

pid	Process
5288	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
100	raw.githubusercontent.com
101	raw.githubusercontent.com
102	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_signed_out.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Acrobat_visual.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags@2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforsignature.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-default.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateCCFiles_280x192.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforsignature.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B	[email protected]

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_792014230\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_792014230\protocols.json	msedge.exe
File created	C:\Windows\infpub.dat	[email protected]
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_10920079\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_792014230\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\8C3D.tmp	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_10920079\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_10920079\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_10920079\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5920_10920079\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893217712115737"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "75"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2123103809-19148277-2527443841-1000\{8B090BA3-6B35-4A9E-8D71-747A633B8F9F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1800	schtasks.exe
4740	SCHTASKS.exe
744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5288	rundll32.exe
5288	rundll32.exe
5288	rundll32.exe
5288	rundll32.exe
4992	8C3D.tmp
4992	8C3D.tmp
4992	8C3D.tmp
4992	8C3D.tmp
4992	8C3D.tmp
4992	8C3D.tmp
4992	8C3D.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	3936	7zG.exe
Token: 35	3936	7zG.exe
Token: SeSecurityPrivilege	3936	7zG.exe
Token: SeSecurityPrivilege	3936	7zG.exe
Token: SeRestorePrivilege	5728	7zG.exe
Token: 35	5728	7zG.exe
Token: SeSecurityPrivilege	5728	7zG.exe
Token: SeSecurityPrivilege	5728	7zG.exe
Token: SeRestorePrivilege	1540	7zG.exe
Token: 35	1540	7zG.exe
Token: SeSecurityPrivilege	1540	7zG.exe
Token: SeSecurityPrivilege	1540	7zG.exe
Token: SeShutdownPrivilege	5288	rundll32.exe
Token: SeDebugPrivilege	5288	rundll32.exe
Token: SeTcbPrivilege	5288	rundll32.exe
Token: SeDebugPrivilege	4992	8C3D.tmp
Token: SeShutdownPrivilege	1084	shutdown.exe
Token: SeRemoteShutdownPrivilege	1084	shutdown.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
3936	7zG.exe
5728	7zG.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
1540	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3636	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5920 wrote to memory of 5936	5920	msedge.exe	83
PID 5920 wrote to memory of 5936	5920	msedge.exe	83
PID 5920 wrote to memory of 4240	5920	msedge.exe	84
PID 5920 wrote to memory of 4240	5920	msedge.exe	84
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 6008	5920	msedge.exe	85
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86
PID 5920 wrote to memory of 8	5920	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x378,0x7ffeb952f208,0x7ffeb952f214,0x7ffeb952f220
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2280,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2612,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4240,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5432,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6296,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5652,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6784,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6808,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6888,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=744,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3376,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5656,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6448,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5292,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6600,i,16201267017749295040,8508604513354318720,262144 --variations-seed-version --mojo-platform-channel-handle=7012 /prefetch:8
  2⤵
  PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4348

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit\" -spe -an -ai#7zMap15275:80:7zEvent23270
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\7ev3n\" -spe -an -ai#7zMap25929:72:7zEvent10814
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5728

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\InfinityCrypt\" -spe -an -ai#7zMap13919:88:7zEvent27175
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1540

C:\Users\Admin\Downloads\7ev3n\[email protected]
"C:\Users\Admin\Downloads\7ev3n\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4740
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:6080
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5576
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:688
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\system.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\system.exe
  C:\Users\Admin\AppData\Local\system.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5692

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4108
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3474244183 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:932
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3474244183 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:21:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:21:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1800
- - C:\Windows\8C3D.tmp
    "C:\Windows\8C3D.tmp" \\.\pipe\{5DFB9388-9AA7-43C5-B5E0-60980E1B2601}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:1360

C:\Users\Admin\Downloads\InfinityCrypt\[email protected]
"C:\Users\Admin\Downloads\InfinityCrypt\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3636

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
16B

MD5
0c208ed8381eab52593956493344fea8

SHA1
bae62bcd0c2269ab470a7a281ab01d8f5c03d7ab

SHA256
d62f599d55023280f5aad8da7908d2f439d409f6116633d53ee7ef0acfc180a4

SHA512
d6494f33f8c20b6a76177e4dc465ff8afa0598dbf9f3b8cb0cf5f41e105229aaffa73e9880a7cde5e014ada36abcaf9e452e6ef588b6d1e32eb070a7a6e09662

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
720B

MD5
2a945508864134092d22ddc88739dbb9

SHA1
63d97675fbe3b959b127e7886b45acb33f3d4679

SHA256
2d1469004e004cc05db1c67ad2f15fcc0d1569db1294452b72aa21d1cb3a355b

SHA512
710c8d5efae39f3166c00b10b905410deef2854e47882b30b99fc0ee4396eb8653c5b0e74333b20aacb5af223a9a15dd74d5d1d1c44f182c9c36ff7466a09095

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
688B

MD5
34bc0d95bc17f6e2aad2ba4a111ee37e

SHA1
a3e298afdec4e473d515c4297130102a31d357ad

SHA256
f23bf61e32defdca8dbdb7c3888a19c9e99f2134ba33f517a12852ae6c50de0c

SHA512
185d63364a2de1670d85979293c54e46be11c7522509bfed8fd3ccb10dae30f184dce18ab941b0ee692694c0f53a1c1e5a59b176369f6022fd927e82ba4382c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
1KB

MD5
f1bd6aa1f708b10829c122eefef162f1

SHA1
f641d3ce02d1ca8dee2c6b9dc109b87eeb2473dd

SHA256
42267bf72f51818921ac9d5acc4d25adefd43ef0137a7b70ca169f460da572d3

SHA512
c756e09c1deef833e0712fb35a4747c89c46b41305ae3f20d34828f7af7ea9d1079e902f8db2b33d5df5a0fd465e48a9450c5d99c1aea0410ed876eac0a4a3e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
448B

MD5
c902f05b2eb9aa7282f561189d4418e6

SHA1
b6ad770639462655435bfb5be9c0a1bf8347a818

SHA256
cc3e0d2b9bec604358a1b40528f76d2301324928d5458a369563e0368afa1a22

SHA512
d31ede36067bb11fb29868d2161dff49ce4ee85d967a72182d281f1a3ef1fe7add1fee27ed4761ced6800c47d4476f3998bec7b05136151f8c90134b0c884491

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
624B

MD5
0545e28f94ef0f723104c5d8e83004e4

SHA1
6a22c43bc21b7efe3a1eacb1fa0a8d305a0fb803

SHA256
349a2844d5b91f00eea512449eb0439cc5f8bc77c3672b12b675912a7bb53a6b

SHA512
fecc7f53066e40625807a09542867fe23fef9aecdb046a6bcb88fc09b9d8ed8a75903fd07e9e257944636cf87c3fc4ffce1d7aca845d53b4605277e85ec942db

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
400B

MD5
0c94910d890525bcfe9cf0247e53f472

SHA1
e2b8ab4a620486cf5e942c0f94f2a2af77db4d43

SHA256
cfb29a9c18f4348f85d5a7fd169c71a22e3c79194e47d2f275ef83344476e7d2

SHA512
c6880d235a5c448d7d139ed2809006d8e0a1df25036ed2bfb8762436c6f82ea91680bf7f55b00e22306dce1a653f69630fd0446885ee85aed9d0ccc8070c1b42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
560B

MD5
a5d0c342c003fe4c3f8d0643e9d6d60d

SHA1
7026890199571b44cb41cc432d613a1b3df3d656

SHA256
f4558e4ee906e2f11afa0649fe7c6abb9126ac8e38464a66bc1f807247b2694c

SHA512
9c17c7503a9582e26ceb233051101400e60ba665bccb0ade6ad54668b957b744acc3ce71181ba2718c9129a26499703631a7dfd763ec7ad6eaa80a634fb2fb7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
400B

MD5
f3676c9e2f544790436b41bb48da837e

SHA1
7d2d5d9c0c26e56da5764d2ce84e3f9618dda94c

SHA256
60d3008e2469956f3be83055a352559a085f5b75ba7231daf0a13eaee0a59e11

SHA512
ace9c7f452a789f0c5a574aafcfcb8cec7041cc613f43d9a013cac72e17f5bc606b20bda7a3f385a516c7a6a46d7445b43c11b6cf22623a03b95dd21d5f7e2bd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
560B

MD5
e67b81d01d81557e5f1c66b72cacebe8

SHA1
4c397df7fc12fe85a412b6b8e7b9d974e0267146

SHA256
d7d22d651aaf40560140759b6ad39405e9bbca90485e04fc663b09875d12ca41

SHA512
b9a579e362827db50b1a7c8566b993a37517ac286fbee23dba34462eaeb84efc88e5d48ef5868e467737d4e7d2c9270302673bdbcd5bff9da87bea4a9838e115

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
400B

MD5
b3384b29be087742205e424e22095cf6

SHA1
3f4129f03e1a298c878c6198da34521336f87f9a

SHA256
e7e24132257603d688046b1fe403e391688bfc4d1581f1114ffdb2741abc50e2

SHA512
2442ee1378935c43578ee103b9a6354efa7fc4dded8db6c346aea4144e7572f681879366931ac6012ba5dcb1f0e6a5210c03636a437acb5c3a9eb6578cfac413

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
560B

MD5
df503d129128956f06dcc547f6403d56

SHA1
7ca7231fb760aa2492d0cb47f9d9404285cfc575

SHA256
5d4d228cb32ef412fc2f0ee6b2389e0209110defe4fb4f8b94010163acf1d4b5

SHA512
383aadd9f338f8fe234d890739617a0f2f3d7a55112a8a16d48398878723d37cc7b5dd7dd2ec572ef2b79ee7748c60c3bc6b5d547e7f01b06abb270a3db9309c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
7KB

MD5
85f2742d3983a4546c64895bd1ea776e

SHA1
dae05272abfc7a0e71b24110ec835de61b339f49

SHA256
feb0ccd99ea65578809195def444e3a9e1c4da768a6d104258701c62884c29eb

SHA512
a6927bacc2229f70d2fe13eac9b4758314a5209646cf6413553e74c08b678a2ab30dfd2d9c39f7e72c89e5058028bbd7e9aae02f374bccea1a36a7030c0c192e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
7KB

MD5
2da82bc61a0547d122e699b91fd4ae13

SHA1
e003832da467dcef4e236d622acfffb92262f33f

SHA256
24c1aa187c7c605c12b896d61c917153b42441aa0dc2474ac4b538a54190d08f

SHA512
3429743b4bd8f03d7e527ab50def30b858a76d6df5d8c4b3e5ab47096b5e3dcef93f5571ae875565a28f41e5a06769bbff7b3e33f7992936fa314fcb999fa363

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
15KB

MD5
4f18cf9c8277cd77503350b69aab439a

SHA1
534ce7c03ca1774c4f723d86f58753baefdec00c

SHA256
de55e85b3d0910bf341c10299808fd50ca9fd107d5a6bb25526154c8157e31ea

SHA512
889198c954e2c638f78ff01d20ae0306c55ae72e5fc33075ded46037b859e058f98347fefc77e4fc433f470c56fd4567daac267633a5d46dca0996b6ce3bc515

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
8KB

MD5
3b573996270b4e4beeb6cadd37e9d366

SHA1
5af5e88db1883190b9b5489fd7593aec734b89a7

SHA256
a072126686478661c6aa4974905ec789c8c385d0d6a48bf53a47cd6ffe77b791

SHA512
c41017317ccdeddfc0298cfda3d6c8d6aaebbccd91fbcceebae30f04b545e3f52e5d14ebf7aac1e7094efa09599b66bf1160def1752e9ffcd06ce0d2d458038c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
17KB

MD5
507a53afcf9b8d3f5fa8e94ba6785667

SHA1
6c05ed3c0a7bb265199481056af2dc9a34083d5b

SHA256
3cbd4d82f55ddb90cc334429782a8cd63eca0999a5b94c5968addb1ff5575298

SHA512
e4060ac9c3fb0589b15a44df8bc0765ce4a2cda4b90b4e99773d8853f49e8dc050623ca8c41a2a3afb9e59d1f2f95b6809c2cedb003b5293411af40569a4d5c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
192B

MD5
a34db2eea545a1d093b0ccfde7f42c3b

SHA1
4383cfb5a763a027e371f224092fa97420676e96

SHA256
47baa73caf68b58edc55cc4fc5f60d98ff6b4d55f7ca74f0bfee5a5e6ace296e

SHA512
c1ecd6f18ada8bead018f25435a1aa29be1e3265ee2857738a94a91d33418e49a3c4dd72486cb878bffd531fc6db8cd6b1667a72e3a75d1daf20bd4d654d729b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
704B

MD5
0082734d2457ccb3ce3ede5a9ba7545e

SHA1
6b02de5c3802816628a16b24dbf8ae98f0b2ae61

SHA256
59c4448fd7bbe14a1cb160747e00f20510f8695778aff361c2357f56467bc3a8

SHA512
d9a9eb7289d9bd263f65a05bb92a16603306d666e14b97b3effddf7d55d496013e7cb76ad59502722a3c5de662ade6dc0d26e212a75f078be39a7f22711cc2a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
8KB

MD5
dd5b7cbdd0f003209572127f0376e96f

SHA1
9773cec9d0d9cfb237a56e0f34677a6294d71767

SHA256
e4bd512520b42449e0802105f0f2a5895278df36ec847690cf7ffd124e9d8719

SHA512
d8aa886361bf751b0686072becf0bc5a7ac7c2bb131c9cdc45863605ab5bee4c08480fb04d77a6c2ce3c560130660f2180e048eaec4fe99b0fe0aad6cba4afac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
19KB

MD5
47ade222037bd350c9e87125994f0fdb

SHA1
208dcd114157d6afc0b2e43f52b4a98269829807

SHA256
d28d3bb2c7ade07616029ac2ddc5901f0f2f50d501513d327526cb431aad9bda

SHA512
a86f48ad6c7a60e93d6a4bee1c58c81efcafddd95ca2e1cab7fc8c54c3cea64c3cd38726856f82df838a0a19b8c6a91adc6467b007543f39c7d5bc6b52f0491f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
832B

MD5
0f695238e857b3f4dd19974fd9c41eb3

SHA1
d71de7f2038757f808ae75bebab333766b7d0cff

SHA256
08c9f5340084bbe8208456eeb6a655556101d1ba31996f7815e00cd063dd25b4

SHA512
2b73ad991e73d3b905a789f0257146baba0ebd5afab5cf1de4e977b12661caf3bd41ba0a94d230f3eba2772366f3e8e36f86876b66aeddf305bb332b4bc89c02

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
1KB

MD5
242cf1e7f3cb0a6cc2c1d60d7722d190

SHA1
701c4f6afa906820f2b23979608ab24ea99f9c44

SHA256
5fa2f7a949bd8228acb706a70c7b7f2a944913233870f52aad7be45cf664e1c3

SHA512
544f2906684c8bd30dcc3ca03b49de73612757f49d48c2415365fba0b67f2349c0353fe42de7d0cc58b9ec04c6f4d65d4e97fa80d91557cc46587155222e33e5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
1KB

MD5
fa4defdc009969f8fea572f1f1f90efe

SHA1
c424d36be41970adc462997f559f8756905b1e4e

SHA256
402de313ba29436a447bdaa55a0682b39e04f9e89a9cfaffbf5765d672da27b1

SHA512
7aa396ec964f9912fd3d7227b8a9c216a6d613d1c2c2d91a46931280de7db5f1e4b028b9cbd75c4a6d5fcd6a1b0d5377fc37858f2d42d00523cbe469510ce8a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
816B

MD5
ddc4107f7df8e8112cb911e7aedf5455

SHA1
5eaa65ab7a3133bd99f3472426f7fb4ad30d10fb

SHA256
903559237d19fa70362ab6418148d2b85b5253aee0b43f73735246b87c18e98b

SHA512
843cbb98dbf409d0338eb114fbd939ee519180b5a79c93cd2ea3c215c087d8614c2300855a865702a5d977f2fb02d502ef95fe52d73b48e692092288704cbb7c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
2KB

MD5
4269379eb2df4b92f6e534542f23111e

SHA1
073bd41d5183c73128c3791aa6b9572fd29741be

SHA256
d66b6b2855fc75cbfb1ca2d5ed94ced710d87bf0a3e1846329c402ad2614846c

SHA512
dc116b38fa8769af73584eb2002dc865ad6804aabfbfed3dbd902bab21f089a19d2b4d49920896500e65fb657181a0df1a94b4e64098cbf203d516fa9a80f0f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
2KB

MD5
67e5262b4c00db1f9564d55fcdfd542b

SHA1
735b544fe35bfd8943de80bb8324528fc3d432ae

SHA256
a06c892da9ede5a7974ffc23b879ee0118c1d1af51445d1a2f6922d06f1074dc

SHA512
be8ba8705bc6386d2aacdcbd3d8c12d47aaf4b755266c9761b62584b3b7d409f6713b751f0492ec35506e8f0596adcb370a62abc0b3e253df333cece6dcf879d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
4KB

MD5
85089511375e956821f0851fed8ae906

SHA1
ddd18b1c15e996bf5348fc8293c2a645d5cbcec1

SHA256
46653c8c324ba506e0f665a9058cc82996241950c72d713cf377c67bf0b25df8

SHA512
e9a403296bc69934f0c59cccdf72b496d44331d7e46e8de3608c5fe7ce6dba45d5d1f249ebc98f5e67dd91a357628d6b2b3447f2badf37b768190642d1a3bc4c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
304B

MD5
4706bb3887856628c82fca1b2cc7ea2d

SHA1
c28f33c3c7f4fa4ab42aa40f86e06789376fd9dc

SHA256
2793e74e2469bf70ae39dd6580da744f8c6104837fe95ef5bdee504f5552cc6b

SHA512
5cfe226e48add5ac1816d5d1fbab0e25744bb2bd0811a94f045bc924bd1f4927efd066e08a6dc7c0815afa57e54a9298202a57797e70195b155e23760ac81988

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
400B

MD5
719dcdd9afab3580ec1a1a9d62031ff8

SHA1
e3b599b70e48780cd71d075953461d31d664e2da

SHA256
df2ffa1d6d5d823f4e86543b68409c1b3940b1863c39c7891a00a1f21d3801a3

SHA512
186fd879fdfcf5447b32666aa5c00020762a2c15e1cf64686c6c2849eed5ffd6ad21d2e998f4e21b8135ef38c5d1ada280a8953685bdfda0abe43c8a8c21954f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
1008B

MD5
f4f1c7551db18764c7b254e2ec205d52

SHA1
24b69022e05c4c263129f900dbccbfb65b482d3d

SHA256
4685f86aefeb2d723bc62795c251170d1931e8e8c3032b6ed25ff3ae34860fe6

SHA512
b6dc7de278c3f5b3918063443acc0738ff26d8d59e85244fdbdc1bc7490581dc1ead718a7e43d4a6c136b389120f693b2e90bd83e9f7b61d0657d16fce54d9cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
1KB

MD5
1319efbb21dcc933be9549fd85b0123b

SHA1
b9592504bd6f6d33eb35ad6c9cb71a9bf5c10b29

SHA256
293784d53240750e8e37faa0b81757522db949806190c238f4b1fb85a3e9bb1f

SHA512
313f557e51e54ccc04dca04a7527167deaf27cb9ea916d289ff3106c0b32b9c9e6ddc96b17827f5d941e1fc81f4f202344d2161408e18f49f905485329842b9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
2KB

MD5
7cf07a891ee6d268eb051fe9d840d7d6

SHA1
f10d7fa73d3bdc2ed3d7106af6546c59f981bf5d

SHA256
bf70d19854d72d7d7a8311a2b775d54968fc41903abacfb98c2ea5f426348fe9

SHA512
aaa56169a92fe919db70688c84a4559b28700e0a5e1aa837ffde115735322c267c3cc817c4df9595c738d8cfd805d841df7fa664f0873cfa92dbb78c1c5014f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
848B

MD5
11bab059ba88892bc5a7ae79744fafe9

SHA1
7b04e45088c82c916545cc9b00bf6a44a79ba3bb

SHA256
1d1b1283b3cb4362fd8a545d268078ec26d1e5c28cc50ebbdc305b012411cf7a

SHA512
837ff410441f2807f6da2522588489ed4c7ee715f15540204856407a3ab907bef019a7b85e04ac3cddb0ba3713d878654c8bed3515bc2b426c99d87a4e346614

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.ACE324E494CB17FC8589AE44FFD68C3F41337F76DC257A527235B2A1E84D405B

Filesize
32KB

MD5
6a07b10f00f977f4365dedfc9b385649

SHA1
e115da475e899fbbf017e290c82cf22b28951592

SHA256
2cf934a635d7603538f02187d447dcd0819a9e45bff98eafd56dc85f7afdd585

SHA512
797e0aace6e31c85a5b3b31db1d76169e33a2b84ff3b40abd440b9c4328cb5e6b9d0af42b8f038f997e5aab037e9c8760fbc2c6056ac08e633191974d526753e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C

Filesize
471B

MD5
e8ccdf6dfa9cc79c9b60b78b70e89722

SHA1
052f27dde1ee099e4647da6c79b76a81be6581c5

SHA256
b5da3d8f1b00cd888425154ee0c938c3aa16ad287bf553c1fb3cab24efbabd04

SHA512
31c723614b9753c392f906ea9cc6eb5618de417fb7b3d19e09bed8bb3a4acb96c40f441e8810f7fa1e29698d8e5d00a456182f251834fe0e940185b929dea25e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C

Filesize
420B

MD5
19e8d586877987cc9fd92310dd375050

SHA1
33088143195fe7377ca2c0088a987fd86c8e63b1

SHA256
0a755d9ba9f7e32b18190a15f487661c5cd1c5f90d3955eea17b104526d94909

SHA512
69189c4080459d89d7456f19235c1c23d8c813aa3bed5c9b8362cb0729ba6bb5561f7206a64dee03eeb86ee45546d98f26385915be681f5475fbe4abb99483ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7da492a02c29529dc0ca538b502e3379

SHA1
cee6a1b81936f6a20f1c9c4f35c29394338ff54b

SHA256
553164a83cb91c4905a86373c61bd899bc1007e7719791878bb95290f1f27f36

SHA512
3a1aaff3da507ce35c4e06ff9fd2516c65780849b24fab33417da2e799e20bda3594e5f2f32b1326dd1d3da560c76dbff1f626c147e99c7a990fe09ab0a2e89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8ec09c575af13edceb120cd14f609cb5

SHA1
ab0bb5712f73e38514c48b4a47e89e70a9d6552f

SHA256
ad0906ac0b3a48f072e012abcfb84e11f2f089e2c5c7226113296de676736457

SHA512
0dc7bb9ce1f4c419df2364ff18eb73322d8cc06c3492ac3980961a378b13e22560c50a6efc5bd66309acdea38c15e12f262eaa3e97c99caa48fe82160502bb7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58150a.TMP

Filesize
3KB

MD5
9a35251a6c78995d78bb9a081bfe6bfd

SHA1
85c6ba0a7ce02cbb4c695c45d6e9ba6a26c9b3fa

SHA256
9e32f842e38d39c590b5a27af59fe1bdfb46902da152894f2e80cc19408f96b0

SHA512
e659a27f16b43c6eeb22e8eb28e6045221664dc12585f9b86e2139aa9dded2ff441f51b87abf51fee2c09c7a9e74890c6826356aaa945492d0693cca1cb48481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
163a268357c1c951590066f531a1abd0

SHA1
880f66f6eb8feddd0c81637895d50be62df897c1

SHA256
b2bf19eec5c6caa157d35aff4d98afd067ec0764e0a644c98562330664542539

SHA512
554a2aeff78b361010015f26b11e1ab3b26a8ed5e5380a93dd9eceeded9d01b0ddbb946197dae836afc7871b4ef81b4b570b60cc38c51f3cffcd2b159f1b7574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
baa8da754eca1d65df5c4e1cea3507bc

SHA1
6433109b9670970c9d0cf4ef020ad4fd9554498e

SHA256
b3c9762ab60f2d8f0ebab10516bdcd68079affe5a41775830b3f6e8d74e606ef

SHA512
97d7dbecef8e6759f16cc3728d9799d0c62371b2140d4a25cf0bf5625a2757a55963bfd97942dd6245ef4c21fb2a329a29d5b42c58f0f20650bd07ee9aa417cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9e114c16778a60b2ec41e247feb6dbc0

SHA1
7269b56e8f8a3d79e504e7b00827cad362673cb2

SHA256
5b9f4c76db4563d61bcd33b5339e31afc340316b098934606bb788217b01af6d

SHA512
85e1c7e7f04a7e1db72e1f0d3ace60ba1e833448ae04bca6c1d214d5ccf1b7edbd52f41e7df91480f74611a22ebb378fa3273789b000dfcb8f351ce0687c93e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
bdd337756f5f5231c26d58eeed7c561e

SHA1
a326d93e059238be24c2ef28aaa5637b7096436d

SHA256
f4cbabcb41f233bc09dad878c5a5cf894bae94913331055c445d709002c9751d

SHA512
58b73da4b1df1a6ad43f0449a7f10cfb7d951ae99e57183fb5ac22202fa8ff819945a9ce0dbb0296b4033e423ff1b8a6338371f5d0f230daced0e999b140a955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
d669e047eb77477bd4bc638c02ce2f75

SHA1
ae1216cdd71a133d7edcc5a9abf50534a63e1483

SHA256
f140a1dddbf026033dbc13e81c65a79a718cf4445bbbfa7430d84e9020cda1f4

SHA512
f8d7f1d41714ed1aa4149c1271053521e096233a04b6982ec8a03fb2ceecd33f98e4f85e2e8d54cb088f7acad11d4e368bdad70d7f9a2590d9f7e4b69272c3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
9fd49513b59a45bab95fc3b7f51f501e

SHA1
d80e36240b84504d8911c8034751fa177f615bdf

SHA256
c62baf1180c5eff372fb95fd4c7ffde461ba8f4ea9ade99adb484deadbdf1a54

SHA512
a195ee7196f3c87f9af1da9e623349c73f9389070be48a97588a04e4ac3e65eb31a68d834e7fb029234bd11ff127421fda62ed858350884970a840cc76735cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
6f1b6b2ade5c69be1960440e8e06a1a1

SHA1
2a476e58edcd2b9aa3a6ae40d89fcc0f7cffd5bd

SHA256
14141aa9c0b44eda42e1cc5294c29db92241cf66af4962bdd4962aaf6db53417

SHA512
8324ea703a7972e7573e9be663b16c46319a283c49d85882cf23213686e1e0fd493ec2ea5e60b0fa0ab7d5ea764c74cbb11d7fa8990b9fda03eaaca68d6fb71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
9b5fa251758022b7cacb45df1e0ebeaf

SHA1
e75db6f2b8cdee46175445e58e777a3442039af1

SHA256
f7c726307a5e1c0c3ecb3a3345fb0121828b7d95d04e5bda1dc121e68cd55bd7

SHA512
e4da15c9cbaf89b45e8623cb16c069bb002df916860bf6045f51aedef5599bf3e53754e236c24c4eeeee67341c2722bedabd8863eeeaa54ead085b9bcb6d8862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
5d443b1c47b3c418ba445bbcf4ae1b8a

SHA1
e9489d3987e4379d298f06266b3a6344f2459953

SHA256
98699abd69b7db101527deca98aad2dd905c179b125e7f0884c1a2c788982fd4

SHA512
dd6084c96a1b7e0180232ce3e8c59b3e83b1895eb566ec2196ac0fdd3c4c5f88868f28b9bdb2fbd5025e7779ccc6076b8ee6383da5bfc4c72ddfb81d69d5eb4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6fa8ceb08f05e0237208c2b03ea9b686

SHA1
54ba03ed4c34ba71655b05abd683c621914c1758

SHA256
0956518902f11005937d5d9aa7c5d42bbe2b7d12a44bcf1d1958b47b2e3faca9

SHA512
049ff993d77bdf4c94d0073a7990d7bed924c50d19b3c110518210580458cad8d1533013744f720539f66538b6550ae433e3d63fb90ec51b843c5ddec137f843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
210302116668065cdef5656c7a02b948

SHA1
7f78b525ee1d6a51facd9561eadb99cd8cb19782

SHA256
ab767f09ae30102748b17b9f94c2fcfc4dd027a71e81f4f61debbec7559c4632

SHA512
c2b19437097467126e4c0e8555033997c433bb4dff39592f6f81788e1cf06f549791159f07eaf561a6f91d4fc2c59ffaa865e38569f1c430fcb38f5a9b84f40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
b96f620f54f5823ad1283c6de88d887a

SHA1
d9edcdb715bf869d7928eff18afe13a7a99d0458

SHA256
9090d6b48403bb16e282458847f2d9bb6d59c51c4aa990d5e336e61dd5c3fde6

SHA512
5422725054fbb553c0935281229b22a83e8657fbcdbdbcea5090f11fc5f8ab334d378b66fbed7b76db0d2c3b127213767d0fcdbca432ae9e9d47abbcb4730963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
c1243f75e036d3973ca470d7986370f7

SHA1
0e894f6da0924f8ee058d7ed2caea5cba5eb8840

SHA256
386e98c0c6329bec79477c6957c4b91391ea653d3c7d5e1f89d7e44df5eda614

SHA512
da2c90abbb03c8c4c84eb00e30424557a6da3cd821165f70321482c017adf439216d6fedec8eef3e5a559cdca7b62d75ed6cc54c90070b7082f7b5e6654eadee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6083feae56b7e9e6ca03ec9e8d4f5eff

SHA1
05ad80cbb44b5e05e9edd281b212f86f1fa0e04e

SHA256
b1b217a33f35b2a09cc6773c46e1da3c85c588d3efc37c06c609ade2e36b4707

SHA512
67053295a0b1562c2e90771523f6b5f9fb1574fe0898759134e19363292e2224d4782216f91da4edbf04ccc6dd3e2d5f9e8f68bd512a6a302752abea97c2fc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
b1d65248063851aa107910c8aec9ac44

SHA1
0b9800f26e3666e8324e2b1047b758866fd2542c

SHA256
84c5dc7d7edf676f9933321a4623397d7b3ca011bdf36247f74fd2418e4739c1

SHA512
25697518b92fa1039bd1d9ab68debdf2396bd094b988194a8c0419a10c21a9521e5dc5c6a2768a25239a737969a855fc08bff749921737cf819c228a69de3185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe583bdb.TMP

Filesize
392B

MD5
99b816339a89245fdfc77e065b9f2c39

SHA1
4f3ee1d707177ea9c6c035850ae0d583aee20e79

SHA256
90e3a99d328789bf6141b7abc15b818dcaac893fce7be4e7a6939e09a0312b63

SHA512
31b509bae974ec0d445f2f836fd0562c3f65510503c9d255443ec57a5122ee691adf916121da3daf1e1a42ba148e8e6145098eefdb3eb81e76d0e35aba32cc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
77db156f1d4cb1a57198ec9c39f00016

SHA1
6bbe14058f0296adf4025b7e02c5a8b5335a291b

SHA256
ec90414adeeb6d59520e0b5790f5ae722b7344dcbab6289c30c276177aa4c2d4

SHA512
4f0cc31ddb19d92ded7bd9642c18f0ae5121a1f98a021cdc0e1885bca8b86d96feab12e0eac2a57d34f1ecf4f70f6b95262350182faba37c83da6081aae9f27f

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
73B

MD5
d3c830e076f1218799413e6a2440d0f9

SHA1
b66fa7a6aaca9263fb5f80364a52fdaffe725092

SHA256
a0dceeff45a8998138fe2d61be9e4ecea705b142a81a91999366e85f24edcb9f

SHA512
c7e3bd78d17db59bfe9547d396d2a7569c1ba17a1949cdbaecb09e0a032d616e19e76a1bfb07871f535b37fcfbecc6aa70d2e02c2ad1098a6905415e36fdebcc

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
5667742960ef714d2b634de00627714b

SHA1
96a63a6924b21196e7c4c080ae9843ad67b2a557

SHA256
85a6378d3e901efee9131edd13a8584469690889cac5879e3d739b3f46472ecb

SHA512
48130b769e8f508760d92ec3d9f4ada83a83cbd3803cb80e3d993d0fa22f629a8063a0077ffb69d4c1b5540909b14421f27bbff430c617d04680ecf6cd0deedb

Download Submit
C:\Users\Admin\Desktop\LockBackup.xlsx

Filesize
10KB

MD5
2788d073851fbde7dc9043820ebeb0ed

SHA1
3742951867ce648e55b9478bd7c036999c05277a

SHA256
db494424fd710b0e2f66cedf9d84e5573a70481816714926cc80f2c62a6807e3

SHA512
b8aec924493fb00475e14d5f678077116ac02a444b97675c04bf238cc0f1faf2b4dad76a09e85d7954a652be9fc490ee77f1e85a7771b9e637fb509c8654a0b4

Download Submit
C:\Users\Admin\Desktop\NewConvertFrom.xlsx

Filesize
11KB

MD5
cd7cb922b1c25906c7e01971de4c5d22

SHA1
77dc0c0aa695ae501d1aa152f3bad9fa1d451aa4

SHA256
4eef27b9b4c4e036238216a7bd5a935dae016ed02ecf80707bbbf9ecec48748d

SHA512
7f968e2d2a544398a3c90aea98970300d703f2a3a15c5fc859630daaf727ed52a019e01d91b733fa200967b74daa009d425f8aa7c4a37fd9cd8b2582591eb018

Download Submit
C:\Users\Admin\Desktop\RestoreAdd.odp

Filesize
913KB

MD5
c0883f9f2f01dbf8d8665b136242a6ad

SHA1
bdffbb95fda239344a96f58f15ed92035c97a511

SHA256
0aea69d930a62348a9b76885a0a2857be92042b99b0a5c9ced650597d4ad03c3

SHA512
047a103481bc7b16dd0d8fe33d953e99d425ff52d6d2d7bb3a331f1ca62657e392bc1a6618c2dcbc1fbfebc13ea773d9e56265443afeb564667f2a5b451b2efe

Download Submit
C:\Users\Admin\Desktop\UnprotectUndo.txt

Filesize
542KB

MD5
5b468e7f0e374df6459266980dffd554

SHA1
4228a43d9ad0502430522e578c71788b6fe6e02b

SHA256
07a328d21a4dd65de984a19d541f4ca13fbbb8d777b6e9847171a30d50e6d549

SHA512
5b376751ee8c324d74234731fd6715e2ab8b0e41f28bfc6f4b28d2b51908a7bba15c23201441bef358fdd194f3eeabdcd991d9472d5bd276fb3763771b507a98

Download Submit
C:\Users\Admin\Documents\BlockOut.xlsb

Filesize
588KB

MD5
8077f867c5cfde20a1455ef9c39a3368

SHA1
56e483be98a5da7c7fec86a8e7bd95448fd5754a

SHA256
7ddd0a329a53becf1c2622034c0d1bffdf3735b0e643bf67ea86fe06ece72355

SHA512
ba5957e5dd3e14cd9bd27f6c50f2e1339713b498d643b661e39e7a6f4c1fd36f13a4466e464fa64ec7f63527252482ede51c93fb9bb09a8690f92355728b4e74

Download Submit
C:\Users\Admin\Documents\BlockOut.xlsb

Filesize
705KB

MD5
95d6b3cfa97a2d5c321f64047e308647

SHA1
9a9ac8996a71a18caa731231ee8ec3bab3043f79

SHA256
ac4371db906f4bbcce9d6237e9a98ba01e626276d49835c3cb5dd56cdf317ae3

SHA512
2787a7a3f31054ed3c6f64c159e9dea80ea67ff61f88c9dc6c1afdab6b175bfb5a4b6561d2baafdb448034aa42622728e93ae530c4f9c6d5d4b850e340d5cbda

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
f46972b08986242bfa7fc25e85842989

SHA1
556eb02d1be97a43c4d74cc874a130f96717f57e

SHA256
dd5dbdccd329cba14ea492715a664b5f0ed507337e58f416bad2bd939b2e0c34

SHA512
315684a612930c07b4f34e61049844f7c4e1d83cdd0439dde0ef3838bfd82b3807b838a7a0a2bbed09bdafd6ae83d6def759e1b2001ab2b80a58aa43916687d5

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
1c678701c0d124c4d611693b035589b4

SHA1
e7dcf4c8b9fa65858f02bf34469d70530c735120

SHA256
4d47d760c590fb880ca28ebfb6972abfcf1effc55a092c2dc654bc6ec6ac336b

SHA512
8f33df9449be38dd2533cffafb6dfe819389a9bc5ec2b250ade24d1f8addf909188a68ff85fd507bf8df6d8cdb1628e85291c9d7b0946a3eb823e0c6e22ab7ae

Download Submit
C:\Users\Admin\Downloads\7ev3n\[email protected]

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
2819dc201e740784c029092d2674ff71

SHA1
f79249afb4d4c29954cc3e0f780baf8e65b4d1a8

SHA256
608eb84c730a99f0d3db3184540c3e383828fdec715df41dc7ee869b262e6f3b

SHA512
df93af9becc040416c28e034fc7d599d4562dd5784c617c6f4cc735917516d6ea64cec7e7378e13eaf78424de222faada0e1ce1cdd5d2dae68ce79357bba6c63

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\EnterSend.doc

Filesize
696KB

MD5
55ba2147c5d5cb2c8c1f7ae25f3b5dce

SHA1
d22d3c322b1502932a39503a18435c7dd3b11d01

SHA256
20b18e7a0e0a5cb8c55b0ec5e30063a39fb8a6a9368bfc5ca863a4bf5a58eac2

SHA512
496a4a511ed68150609024ca86f96b6aabd825dde732d481ebbcc6a12e47737a6d10a7c15a552befd4ec091b975f7d0083283c4e07187af8289a8aa03e329670

Download Submit
C:\Users\Admin\Downloads\EnterSend.doc

Filesize
716KB

MD5
4123f9771a7f56a81bd211250e8fed29

SHA1
996cb037a80f16db34122cd3edcd78ecb2627e17

SHA256
515330ebdcff9b347f1bf9ab50d4f6aaf27c4cdefedb9032fad47e9cec7ecb00

SHA512
c33216b2bfe74a7b9a0f776dea716c1f4a9e0940754254cf3fddc7e2f30a8113d1d9d8fd1b4a25119a462b9531de58c56f88de158451756041add8034f1838ba

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.zip

Filesize
33KB

MD5
5569bfe4f06724dd750c2a4690b79ba0

SHA1
05414c7d5dacf43370ab451d28d4ac27bdcabf22

SHA256
cfa4daab47e6eb546323d4c976261aefba3947b4cce1a655dde9d9d6d725b527

SHA512
775bd600625dc5d293cfebb208d7dc9b506b08dd0da22124a7a69fb435756c2a309cbd3d813fc78543fd9bae7e9b286a5bd83a956859c05f5656daa96fcc2165

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\ReceiveJoin.jpeg

Filesize
596KB

MD5
e43f7419536bde7e4723518139f01d76

SHA1
eca675843f7bdbc6bf2c5a45effac88d8fb08d87

SHA256
c40a62a8bfdc5361fda1ee3bbf8abb717aa80a1a4b44a9e485b404fdb3127a28

SHA512
44278647cfe122076b83e60cd872696c909d3023dd2c27df31afa0e7388d68c47950aff9da1f5cd5a62335f2a70a0e14f62686cd4b7a07da8868a7315947b23c

Download Submit
C:\Users\Admin\Downloads\ReceiveJoin.jpeg

Filesize
757KB

MD5
1d6cb4f2383a29da3b8f61fb72d1d54c

SHA1
b03b018ce86ceadb353c2cedcb2104bf09aa7bd4

SHA256
daa7b53bdb975c2f8c6ee68ce7ee7a51ecec374ea14dd21b0e41724d00dbd360

SHA512
67438656f7905da23f0d7fa11a072b201b9dbae600cc072dfecc5c6760ae1900c197255b6c2d9ea9f7fb2982e35a37d1f5f4aee59a6444509ac99432b007533e

Download Submit
C:\Users\Admin\Music\GroupPublish.zip

Filesize
345KB

MD5
d55d68f46d0edd31493e5c822940aef9

SHA1
a40a40a1cd7062e967f58bf74448fae3bc6f646c

SHA256
64b1dd8de4817957ff4b6d9854f0627631229b44015d3f024964b02b8a6c3ea4

SHA512
efef25aae71f5cfb8fcab29112c383dccf696480e19c73159011ad0b8e990bef3f5fe52a6ebac651c08f659751aa9a215f79d1deea08a16ed4e2ab8953d24768

Download Submit
C:\Users\Admin\Pictures\ResumeMeasure.jpeg

Filesize
1.3MB

MD5
88b19ecf6c8bd39b0dc5c8ece2e31274

SHA1
ae5785edc52d2e7737b54889d3256a84b63c0327

SHA256
6ac3f45071beff4cb5d0b5af445a2efedf995df336d0d90f0b7909bea3e2d88a

SHA512
362621a50fbd035b5768272dc61f997a579a2b55d4734d69849fc7e0219a72ad497e148a6477505553fe87a899d1b3932f7476cbd0e9a9b14daa9871c87c90ca

Download Submit
C:\Windows\8C3D.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1612-847-0x0000000005910000-0x0000000005966000-memory.dmp

Filesize
344KB

Download
memory/1612-846-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/1612-845-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/1612-844-0x0000000005D80000-0x0000000006326000-memory.dmp

Filesize
5.6MB

Download
memory/1612-843-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/1612-842-0x0000000000D10000-0x0000000000D4C000-memory.dmp

Filesize
240KB

Download
memory/5288-741-0x0000000000BE0000-0x0000000000C48000-memory.dmp

Filesize
416KB

Download
memory/5288-703-0x0000000000BE0000-0x0000000000C48000-memory.dmp

Filesize
416KB

Download
memory/5288-711-0x0000000000BE0000-0x0000000000C48000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads