badrabbit | 5627d60a6e27c4f16d888a90372f89bd8eb34b787a98bc67825dd1f4a8a5001f

Analysis

max time kernel
396s
max time network
399s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
21-06-2023 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1tl6myb9.html
Size

195KB
MD5

4d3f5c9faf7f8770a587efb81cbde114
SHA1

2a6cc16644e4722d2e8c584478bdaa22677aa681
SHA256

5627d60a6e27c4f16d888a90372f89bd8eb34b787a98bc67825dd1f4a8a5001f
SHA512

dac4ba41d0b8b02a20d07ec16fb0952b66f1d5fdde55f8c18b9dd5750aae0d6c2aa899877dc2ce8e075b977053998ee2f81a415a3513958234ed126f5c348f2f
SSDEEP

1536:DAW2QlQSbxfGEDO440vgdxCXqGv5EFM37Y3CXP4X10k50W0U30zU0Yj/bz4sIkBM:DAWXk0c3+P4X2Sj/bz4sIkButb3hmi

Score

10^/10

badrabbit cerber fantom mimikatz discovery evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___2EAU_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/5010-3EEA-F66E-0098-B586 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/5010-3EEA-F66E-0098-B586 2. http://xpcx6erilkjced3j.19kdeh.top/5010-3EEA-F66E-0098-B586 3. http://xpcx6erilkjced3j.1mpsnr.top/5010-3EEA-F66E-0098-B586 4. http://xpcx6erilkjced3j.18ey8e.top/5010-3EEA-F66E-0098-B586 5. http://xpcx6erilkjced3j.17gcun.top/5010-3EEA-F66E-0098-B586 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/5010-3EEA-F66E-0098-B586

http://xpcx6erilkjced3j.1n5mod.top/5010-3EEA-F66E-0098-B586

http://xpcx6erilkjced3j.19kdeh.top/5010-3EEA-F66E-0098-B586

http://xpcx6erilkjced3j.1mpsnr.top/5010-3EEA-F66E-0098-B586

http://xpcx6erilkjced3j.18ey8e.top/5010-3EEA-F66E-0098-B586

http://xpcx6erilkjced3j.17gcun.top/5010-3EEA-F66E-0098-B586

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>Bv91Vcvha+qL3+GNgWdJyda4x+Y1FTq9dPm7ck/fjUGZ9vFxA+CzaMxNrh96YCzUaCSHWwP44AcZo1f8XXyHxAq6BLXkEeVDul1iubcyqwXYzP0BbsBA7H+ujlHUohxnb2t7nsxY3s0dpgYlTd1/K5jbVMZWTg3Uq77/FHjrYiYooR59AJJX4stCiX6LqD1vKNtOfBuexcrYBg4ogukxlhn0ekaQNu3rwgcyhDKlxjPpESK1sIA3+pW16vy8j1UbEffdDZ2NVwWPNADz2zqu5xnqI6yO5NoFbsfxeIPkqziyQz8W95JyKYvG8bkrOTyqa8KhzBmTydUoNrs9DMa5yg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Renames multiple (1919) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001afab-491.dat	mimikatz
behavioral1/files/0x000600000001afab-494.dat	mimikatz

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3373	4408	mshta.exe
3378	4408	mshta.exe
3380	4408	mshta.exe
3382	4408	mshta.exe
3387	4408	mshta.exe

Contacts a large (1122) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
64	netsh.exe
4960	netsh.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\InitializeShow.tiff	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]

Executes dropped EXE 2 IoCs

pid	Process
5096	296.tmp
2268	WindowsUpdate.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\j:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp55F1.bmp"	[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	Fantom.exe
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx	Fantom.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\StoreLogo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-256.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\No Symbol_icon.png	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	Fantom.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	Fantom.exe
File created	C:\Program Files\MSBuild\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_contrast-black.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square150x150Logo.scale-100.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar	Fantom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\WINDOWS\SysWOW64	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	[email protected]
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	C:\Windows\296.tmp	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	[email protected]
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	[email protected]

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3788	schtasks.exe
4700	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4364	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings	[email protected]

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4332	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1480	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1704	chrome.exe
1704	chrome.exe
1360	chrome.exe
1360	chrome.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
5096	296.tmp
5096	296.tmp
5096	296.tmp
5096	296.tmp
5096	296.tmp
5096	296.tmp
1204	Fantom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1736	1704	chrome.exe	66
PID 1704 wrote to memory of 1736	1704	chrome.exe	66
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 2736	1704	chrome.exe	70
PID 1704 wrote to memory of 3160	1704	chrome.exe	68
PID 1704 wrote to memory of 3160	1704	chrome.exe	68
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69
PID 1704 wrote to memory of 4084	1704	chrome.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\1tl6myb9.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9958c9758,0x7ff9958c9768,0x7ff9958c9778
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:2
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4336 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4648 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4848 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3204 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5072 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4836 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5040 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5056 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=932 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2980 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 --field-trial-handle=1756,i,13629616872588559261,16487774389424518923,131072 /prefetch:8
  2⤵
  PID:5108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Official_Windows_Support_Online.zip\7\jquery-3.2.1.min.js"
1⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:752
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2777632572 && exit"
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2777632572 && exit"
      4⤵
      Creates scheduled task(s)
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:39:00
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:39:00
      4⤵
      Creates scheduled task(s)
      PID:3788
- - C:\Windows\296.tmp
    "C:\Windows\296.tmp" \\.\pipe\{B2E32C45-20C8-43C2-92E3-9DF07FA2353A}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5096

C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1204
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2268

C:\Users\Admin\AppData\Local\Temp\Temp1_Cerber 5.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Cerber 5.zip\[email protected]"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1956
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  PID:4960
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:64
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0UCYNC9_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Blocklisted process makes network request
  PID:4408
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WDCF04_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  PID:2904
- - C:\WINDOWS\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - Kills process with taskkill
    PID:4364
- - C:\WINDOWS\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Network Service Scanning

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
0165eff11bedadae057b2a65c9f90fb4

SHA1
8cc86b61024aa4fca66967ce4e4bfcf8ff747225

SHA256
3483b3f838a0dd4a92ee431733e43cbbb1cd647cf67cae96b36305ff61c344f9

SHA512
08621152829a96c2a281046a9845da7bf1ca39d5dc338cc214feb6532367d62a45081d419e378fa9265496442bdd75f1e95b3d69c0c16cc4630ee277cf54e8e2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
850076176fa697de84119832958ae8bd

SHA1
3309885865407b810edece09cd4a5b2ca91b9434

SHA256
57cb1253b52700b5dc815919d27c5949898602c2298ab82592993c653746e4ce

SHA512
9de80804cb35d4411a656c3ed5e90a0298ba9d94a05b8fd0938b7dd1aa20dbf70b01b592a55b497163b9fc2f91aa1fbba99947911fb111b001d62c8ec5b21048

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
7f790ac48d0a5e8bd77403e1c648e877

SHA1
d5c9d6775995b5262e03b485706b584649745ba2

SHA256
d3e8101ba36585eca8ca7ae24a07a02174d5ca56b0fff8e4ed59f895714ac88a

SHA512
6d42ae428c6480d0d7e1bf084e30d6fcd7c0c61627a0f40a2faf35936cdfecc5759d6cfede1ff2c2e10e3fecfe0a34719f1a9f058ddd4ed3fe9d5c79fb484be6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
76b172f2dad6ad3fad11d287dfb2fb16

SHA1
b5d33766c45f1034e36b6391f188aceff31d3288

SHA256
e7f4876d69ec0c77fce0b4f9f4a307b29f2b9e5a136e5c4d510ecf0360a6e7e0

SHA512
67178b9f2cd57b24a5218d176c38c63b974cb5c0557545e263e0ad14b7939ab58a9037bdcffa2859967413f6b3cf3fd7331465c88ed4605a97680f77ec32bbf0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0de2292a74ebdc55bfa97269b2af2766

SHA1
d0530e16b3a45526dc9060c713bff2c22b8608cc

SHA256
90dc467584f7e97647be87bd851488f753e66037a2f2be85e1c2768593506e88

SHA512
2166c3d18420f615eb2e24c90f7a23db6a9c7acdb53e481d28a187f2bb1ff4d3dfa9de614bbf96e34f358e75c5a618f94a4d8346ceac5bf97c0018306545903e

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
107KB

MD5
0ff6f104912bda7c3035e985a848e2b4

SHA1
e543a3678bcac616b82b63e020d9d76d9704e104

SHA256
3fb9fb142a454671893c0b02ad6d44d51e6bf0a44e6fc42751f959343586fda2

SHA512
06f14882af7e874a1d15b10d016846bf4e33ee6d65994fba8f9d064fe9599ab3c6d4c462009afda7ba3fd5df5cfd566ea01b88ffee8f1e220ac7497a9c43d9d6

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
6a7ca4859c996d296a4477b06a3b544c

SHA1
0e1eddcd1d9e1c0175ec093ed2ade55f9a887b29

SHA256
d4d187d6da3d4f653741754fe7d06b781564eac525b80dee669d8326445aae68

SHA512
83bedd67dc3b25825275570ea9a43755e6cbf62b9fa1cbe5ceb4ac65d09c506daf73434853877b8ebab8e49039cbb36d7a77a3ed495622cb8ac052444af149d5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
4c5fdd8c6a9530c9b1584c04d08350a4

SHA1
75fbd0b439d5e47fd2d78bbabd16b99f14d4da54

SHA256
f62e7d0da2ba1d5a1dc1cea0e1bc6a9c5bd246291ac9e78346789de3fd431cd0

SHA512
28fbd847cd8d74b6b9ea438e7204365e2474281c24fe46e1bb30c596268ccc7a4db253b35fa601750d7ec10f804dbd3155d3c47e295aa7dff34f31b13c79a335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f49f3669a638514a24af771e95d78642

SHA1
fe51b791d3494b3329e1f64a7c4baadca0e9c4ef

SHA256
c0efce4b058252f942a7b6e260ffb753f2641dfc7bfca7b27dcd113203c2b077

SHA512
c0c5c4ce3401068d3f9d384d0e4725efac24772f84bbea6261a2f91e9a3572d5c7fb908f06978a4461ce5cb0ed6564234587b62fc4bf4219dbd105c75d423d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
07dce53218a58a6994a65251d9f826e8

SHA1
82bf0750714b82e391209c852b608fb39adac6e9

SHA256
b89064fa39d787a180f23a870c0c5d9b84576fbf5f02c43909bc5d032dd2c1a4

SHA512
cd1cfb8268265436a8e962fcb9c6a08a51c35074a067d2d7b9abc6124f632a1e64f374212c4927a6ff0361e4432cc98578ac8843b66ef87a29086a74f9aa5cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7c75821ec6d00c164379dcd081616df2

SHA1
9d3ba30208d4213e25df801ac2984c84439f6899

SHA256
b59dc083f525e56d7b7b2f2b6b853ab2c4072576b6707101f9c24a4c256ff38c

SHA512
d980c2eb416e6e727ec1fbae0dc50784c2315351ef9ca040b65bf95e8898c4ce9b39a5966a36505c7e8b8cf3d7f77d471710b46bede38fd7da89908a73b1349d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
add0ab410a4fd161eafa8e13bb4217c6

SHA1
ff4ca64408d2b62c35c754046fe62ef05f12ae5d

SHA256
08c8a64ab8743d696be0bb40b455f97c042541794a6ee1a6e7585b155875c262

SHA512
981c1c5aaa85e5163e36c58fe9bee1cf3a96716d3b47d422878ba06334a65fc98a130b4dcde830f0d28cc71b732e8b494e2eb85aaff7d3802b8cd8bc6f2ad619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e70b8c3d29efc5848b8fe18a12ce5d0c

SHA1
34292306e9138218ba88d16e0af3c829dc21dbb4

SHA256
12d0d6d99635120d0c433bca09d04e4e58dd74e85c8d54ce779d63ef8a5a44df

SHA512
0327095a0a5354d3b246da10359cafd901243fc853586ca000739cdc59fa46bdd4e4da1d4946a8df44ac0e1f3abd8db9476f03f01868747546a487c9099a224c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
41629edd9d8d0d94638617357dc17626

SHA1
15e882a53c282b935d2fc7386ab90d9184c74d0c

SHA256
db7f975a2b31027259908c6e43714659d1ac41e38fc6adb2a9a0ea6a186a43e7

SHA512
ff3c1beea0d1cad8f5c1efd2e848aa71740d877159c71993f808037a88959325126f2d5f1f0f018509a22b38729a1feeb338eb4500690d70fa62971b00608409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c31132192d235cbd1248d2b37b5eac5

SHA1
129ba3c1cdc87e5ad6fa9cb4065428e815a4a9c0

SHA256
8c33751e2b66b300fa593afdeb1700d8ab319d3261b74997f7e128d529403d4c

SHA512
326786fbdc933807b8c01189380a7bc955e2d067466f1adb3058a52e7f67c2bb547438b3e3da4a484f275447c001c7a16811520129e751a552a4cfd86c85a7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3e6255d975456d9794dbb74056a60889

SHA1
f2155470b2df15ce31765108100c105f6e1ed661

SHA256
20c9b3f5a3e31121df3901ecfbf7d366b211008302eb9f5b131439f773a2d0d2

SHA512
be61446812168fcd2a038f5bb05353f25abe2d863c36507bd8ff7de4076d6ef6fa9a74eb1f2871601fe55c781a4ef061ef4a5fb68e01665b9d886faa2dace2f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
85b58c97fab49b66e2343e4b53adc2cf

SHA1
d88f8c7ede48c0afdb9a5d4fec19a5b97d8224fb

SHA256
cf069dbac122ea7aeeb11b9db31f2ef82e43b9124c5031e99fafe28f53a7cfdf

SHA512
1e00408ec42035d79c081cc41da10318025f9bf2cc25409609b50eaa67daecceb6510fc5f27f04f7f14c5b8d8ced6d7032d1baef67389caf6dcd1f9837fb2a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d3350b2561b235cc41cbff91fd0e1b07

SHA1
15469a64ce330d4e4b2052f44bb6abb45b5512e3

SHA256
1ade010cda437afae9eebf81a315fbd3f8bf33ed095e31d276d6cdbabeaf3029

SHA512
adaeb1e2cbff18e05ef5288a21102b037c59369bfe6c315d53dd188e9a5c697943866da0b30738c1e39fab9b2039136ea109ea6ae0abeb9a9148bf315f1c101d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47a947727f65c62d243e1fadf416b9c9

SHA1
996159b7623cbe464df9a1b080270217286f4f01

SHA256
2b486f34054438f8916787da30399cf5653f64d84fdd4746e36f739939e1aae3

SHA512
2ab35ecd7da654ca00418c4ef7ae2fee6ed49e2ab5c6e0794dc3ab1ccf13c51df292444519d787f785dd543446a2564c62e2546ddca4578783dc54cf80718221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c24f611b420771d169ae053bd9daf414

SHA1
8cbb7eecdb3abf0021887462a4803e792d9bd882

SHA256
cfa95e2780654b99f370962fe8aef933628981d7b8d0f4c20d99557720eb7448

SHA512
86decdeb2703cd67493bc0c77dbcb6626d5da27496de9776fd887b29bc0a5c6d361ddae3f9bfe15bbcf2fefb0db98ea3b1061f34bae0dc0637af787f185739cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e8cc7903877a7e6c92bceeac9c73a5dd

SHA1
f53ace1697e4936ee54a688f141fad0958623aad

SHA256
f967dd35f191b58620ff3a3c9e4d746ec263d8afbeb842efec07dab0bea78cd4

SHA512
8b0080ce3f6ecf257b20934d303065ec36e8c96412f8e96f133c4c9a3d181e730010d67eb91992ac83de3d033e22b75ba535db5d7b26acff6b22a94086b322b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c477f17f7ef1595b6682b75693d8ce6

SHA1
1ce7560faed0bb71c7b1f02faca1fb7e28b04405

SHA256
ea73f689191b212ea0fe84bac5415f6277124846773460829b004d4fb64b01cd

SHA512
dfd93deadb4b7f24a14a93cb69d0baf58f1dfd4a2b7c17b1c12e8a4b065e0cd8f45256ca2479e8a61ee4754020e1a3fad44a7fc83bd44b9e40114edc3cfe7467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
797b96b1a23acccb5819516e98d263eb

SHA1
ae9cdedc3874437a4f93d66576dfcd78fe24a899

SHA256
0ed3f6c86e0ab33768c43e8efdf5cb158e54672208f66ff327d31122fdd7ecdc

SHA512
8007366ab9ba5b5f928c6a6b846cbcc0aa9234197ae97a69734cb5e390f1c7147a42376c961c20c9cfbba6cd86ce9f335a91c839148a880588104b8ef44f140d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
01b277fb95ea0495ec7e970fca343125

SHA1
9549f597255c033dad1215fea664cdfad280a9be

SHA256
498eb1ee3194f591d2fb97b881011d760dba9ad4424e6127b3da1c0abb7b76f4

SHA512
d070a6b5b7ecc8e95ebaa96af7479c33fc891baeebf8da25228eefa2793260468c0475973736a9450a9ca73d63c5910c2cce61d8cc5f03384812688afe6571de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d7c8dbc3dca912082a621515cf83345c

SHA1
f6e2b2c8f36b47e4843a51d0919d1db8cd85250d

SHA256
7b5469bb7322c682653e1dec4f14aa75610bf7bed7b7c63bc4ca3250e4f6b4d1

SHA512
17772dbdb3801a856a47472c123868243d8379424f6ced2b92b4fc1f85da5c1547d030d4ee16dc1667aeffa657c1f2f61aa7b32b32beb7b5a194fe95a274e63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1ce192847b642bad06dfcaddea2c94fa

SHA1
7b0cbbcc453a561849fb0a995dea93172e4e24bb

SHA256
764ea509054fe503cbe4f9fc2368ae4c188010185a9b078d57d6394928e18328

SHA512
f7cb6584ba3f9cd8d062bf4c7b79b2b9f682728d23449b458cf8b3ada581290bcf1db3a91d97aa3fa1674ce9ad72595421e75546921ec50a052cc1e8ec27bb1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
42b809da4aa2c28c656a70b28b860b20

SHA1
c38b0aa70ab4c520b2442b27f652f74ce9456185

SHA256
57f22df320cc1cca9059544337b6f7d44ff0769db32d84389c46b71bbf7630c8

SHA512
0e674e1788555f1f243ce741aa3e85439e4c36577c338b3490d0c479820d53fe19bf8465e12307dab354d2c2e92b8d78eda7ea8b7264885af248ac81fcf275e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c98c86ce2826ec61eb807fd6cd113688

SHA1
337284421bed51016f07d781d0caba61da2449ca

SHA256
9ade224cb36b1c6009044852c42a6b914b10dbc7cf7a2701d1a05bd8e980e697

SHA512
205dfb0c4caad96ba981f116f06f0f764fb481cbe78c008bbcafc3b9a7f67e5cdfa35998a63234d0a12e642ff298739bc88a4b7277a49a299a16d0c5429a070f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6fecafbaf8d45ba41d81dec830ae699b

SHA1
73a57f774e9f48eb02693377238609522022cec6

SHA256
b86bbf670a9323afa7c727fbd763fd7c37859bad9b2cd520634bcd446c3f1c59

SHA512
15ed62d927fdf4623ee4bd392184a1c672908b79b124ac98df245988d2b06c92f264598903732d350507e98e8c84dd3ae93b7fe8d64848f79e81d7b496440ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b96b899e5be8f9336eed5bec578244f4

SHA1
b8bc71af3e25ab184cbab9bae51fd8cf4d932cfb

SHA256
e124b12c1db4c7544fbe5990b26fb29b1e4b58cb44574b1284160cffdd932664

SHA512
db0c1dff2e4e9a3b77f152bf9c6190a441a3d1d7608fd34e9fb76b33f1c24fb5b240609492e84288fa0593d99c2540ebf05c9f4d1b7f80ef47f2ab8ef0829a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8752d3f7556186ac33455097c92d5035

SHA1
906bee785db5fae724ff52a890c39cacbb85baef

SHA256
20e23d6fec32f38fb5b6c4395a38fcfc28799dddf235f3c1f9652a37fdd1a0af

SHA512
7f5368b4f4091e24afc869c68543bc1d84019d617c8c5e37f8946b65a48ee59bc4620ceeb02f3323492aa64b788280bc5696c254b849add8adc6b97cb345f662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2e6de782e5bca2ed8fbce0859249fcfc

SHA1
9a037041dce8e915c65e5ad8799995c1cd7ec4c6

SHA256
feae13fe6abc98f5f8dcdd77cc8a6a0d5e188e25bf156a78a5f4a75560add3f4

SHA512
12192097007a44c4ecf2085a1212c602e9152c253439d2e9c2d453e62ae3058af3808d397d3d6f70308ecdc06f33db6dceb464dc8e64534dd820228bae32c413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe56e227.TMP

Filesize
120B

MD5
64a514546f425f55b6dcdc680eea8155

SHA1
70df7a214d0546e77c2b58388712c1c5000fda81

SHA256
5ed59886ea6b23ac8f987a15677660543f8c1e90ff1e12d93c827e317a2887c8

SHA512
1edc1fbd36076c90af1db0407d2ef50d4c42a1f5f96bcbe4d5a77dd79d5f99d8db146aeac8bf62853b66bc7f5234d4189b8c8ca66963ae1ad50773d95d8c0dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
88KB

MD5
fef2983904ffb06b4a2e079b8207b457

SHA1
e162e3c7420d7b7a0682cdaeb1eca2c8b6f20134

SHA256
97e5a222902f7b3c11f052da95980b4080ce73cde3a19ef9af2de4efcecbd24a

SHA512
68b160c50e09de5713c0232cd111310f3eee4c2db508aed7392d1470dc0054f82f796beff29a358553d80514581d17b834bc4c937a56d99bc6691bc4585e7c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
6686b5cb4c06c9166cde38ccace9140a

SHA1
f4df8b8763ee9d73a115c11bb9d14a52283e3e84

SHA256
942a2903e38dd18c8b152269c157c3295ee6d706305848d43c93d0774c45ca3c

SHA512
8a1e31227fb41618cd31cf92b51d7e353113a91626929c0a7ed20cb382ae8e93edc55717ce719653f742a52d732defd66ddc0423f28f9f64ccfdb21f7df2d85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c4f6.TMP

Filesize
93KB

MD5
7efb35580d31dfe04ab7cba52f08993f

SHA1
0195753df8159afbc6cc60f7d4808dd6071603e9

SHA256
b97361b85e531cfff0f4069821d5415dfcc123941d3f451248af20fd661f7cc5

SHA512
b5768eb1a00589ed1b4eafd13dbb65e800b4c747b6dec0ae152d3ec91f8fc38f403a2fa7d0a9671415144be12f5dfe9aadcb9982151132f49d6ad8d0ed974f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___2EAU_.txt

Filesize
1KB

MD5
06b1811b6fd3fd190ea374bcedf32e42

SHA1
23064d5e04102f7b687d47030288199f2850d426

SHA256
5ce8be783d2e2aa6ddc6ead58a32e51c820e4b3211879e55eb15688e26697c38

SHA512
44cdcb2b4a8024977c60bdce966f09e11a46c1954e6fade4a507608badd4e8e2623b97adea226740f5da4d443ec8e3b06a323fe2b300a639b3b55e79f8bb3105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___2R358_.hta

Filesize
75KB

MD5
0024745a891fd6bcaac98be88a159ac5

SHA1
c4163892dfb6f573217b9d21f4d60eaed30b925a

SHA256
0e2b22c9271c8a6291a3b44d794be47d84e9eceb7cd4b9388ffe1f0bef21712a

SHA512
58d22ca3cd36c83341de24fa2235e9fa5e8a90418fba988a19b58ba040544c62d46b27e5f4c14ab46c27ee53e049bcedb4957d0ac97f89011f5666aee0a17ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0UCYNC9_.hta

Filesize
75KB

MD5
0024745a891fd6bcaac98be88a159ac5

SHA1
c4163892dfb6f573217b9d21f4d60eaed30b925a

SHA256
0e2b22c9271c8a6291a3b44d794be47d84e9eceb7cd4b9388ffe1f0bef21712a

SHA512
58d22ca3cd36c83341de24fa2235e9fa5e8a90418fba988a19b58ba040544c62d46b27e5f4c14ab46c27ee53e049bcedb4957d0ac97f89011f5666aee0a17ffc

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WDCF04_.txt

Filesize
1KB

MD5
06b1811b6fd3fd190ea374bcedf32e42

SHA1
23064d5e04102f7b687d47030288199f2850d426

SHA256
5ce8be783d2e2aa6ddc6ead58a32e51c820e4b3211879e55eb15688e26697c38

SHA512
44cdcb2b4a8024977c60bdce966f09e11a46c1954e6fade4a507608badd4e8e2623b97adea226740f5da4d443ec8e3b06a323fe2b300a639b3b55e79f8bb3105

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
ccf003aad97e95a341cdd420ba64292e

SHA1
f7978d14201bd0916761e9881dd2ae1f6a778102

SHA256
211d605283b70edb6af3bb1be1473c4c59e644cca7a86247cade5def41ebad5e

SHA512
2f3f33a39e6103d1e261112eec09cd0d52c477e8e39f93d21ab0994eecce53634c9cd7fde8f73506b2d748afd350b5958a1f045b61eae4b2ce15ee1d926478df

Download Submit
C:\Users\Admin\Downloads\Cerber 5.zip

Filesize
181KB

MD5
10d74de972a374bb9b35944901556f5f

SHA1
593f11e2aa70a1508d5e58ea65bec0ae04b68d64

SHA256
ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df

SHA512
1755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218

Download Submit
C:\Users\Admin\Downloads\Fantom.zip

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\Official_Windows_Support_Online.zip

Filesize
458KB

MD5
e54619d1690eacbd0c49e6a133c2106f

SHA1
965a5572e1234d1f8a53e67c0e9dcd5c14443160

SHA256
176656b8babcfa8b93853fcb7c796d2f9fc653874beeaeae0dc6f149222f05be

SHA512
921f4cd18eca33c688c384b9f42dc8ee4f7aeb260818250ab8d169f9a93ab826ddbdd57bf27ef6584b4a0a9a728ec7dfc0965970000813f72130d85972d54450

Download Submit
C:\Users\Admin\Downloads\Official_Windows_Support_Online.zip.crdownload

Filesize
457KB

MD5
330c64ca5ca09c6493825be2f484e519

SHA1
604d0286e3754b2453979fbd335c61542d68c8de

SHA256
7809e6ccc8848ea8aacbac970afda837ee0792dbb38e55caba1bd771c7b578f2

SHA512
62ab3f6349673ee48c509552ab512e900dfd35652e794c8a1c214241f7990fe60f2fb928bf96d3c52ad49af5281ae546bb9236b1911194d634fca700fcfd08d4

Download Submit
C:\Windows\296.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\296.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\_R_E_A_D___T_H_I_S___B6CWV_.txt

Filesize
1KB

MD5
06b1811b6fd3fd190ea374bcedf32e42

SHA1
23064d5e04102f7b687d47030288199f2850d426

SHA256
5ce8be783d2e2aa6ddc6ead58a32e51c820e4b3211879e55eb15688e26697c38

SHA512
44cdcb2b4a8024977c60bdce966f09e11a46c1954e6fade4a507608badd4e8e2623b97adea226740f5da4d443ec8e3b06a323fe2b300a639b3b55e79f8bb3105

Download Submit
memory/1204-709-0x0000000002570000-0x0000000002602000-memory.dmp

Filesize
584KB

Download
memory/1204-711-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-718-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-719-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-720-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-712-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1204-581-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-580-0x0000000002380000-0x00000000023B2000-memory.dmp

Filesize
200KB

Download
memory/1204-579-0x0000000002170000-0x00000000021A2000-memory.dmp

Filesize
200KB

Download
memory/1204-717-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-584-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-594-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-710-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/1204-586-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-582-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-588-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-708-0x0000000004B90000-0x000000000508E000-memory.dmp

Filesize
5.0MB

Download
memory/1204-1176-0x0000000005DE0000-0x0000000005DEE000-memory.dmp

Filesize
56KB

Download
memory/1204-689-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-692-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-590-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-688-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1204-592-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1204-596-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/1956-763-0x0000000001490000-0x00000000014C1000-memory.dmp

Filesize
196KB

Download
memory/1956-1161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-1154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-764-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-1578-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2268-1214-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2268-1182-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2628-485-0x0000000004E50000-0x0000000004EB8000-memory.dmp

Filesize
416KB

Download
memory/2628-482-0x0000000004E50000-0x0000000004EB8000-memory.dmp

Filesize
416KB

Download
memory/2628-474-0x0000000004E50000-0x0000000004EB8000-memory.dmp

Filesize
416KB

Download