badrabbit | d3b1623d3be54832a44b509d1d0b7a8685abeea26b42c7e09a87467927dd8f7b

Resubmissions

15-11-2024 16:47

241115-vavans1pcl 10

15-11-2024 16:46

241115-t96x3s1pbn 10

Analysis

max time kernel
890s
max time network
892s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drum kit_sound.wav
Size

187KB
MD5

cc3076fd52cb56a0e8b5736edf9355c7
SHA1

deaa3a347763021649e8aae1c5c5f23b8f8a8143
SHA256

d3b1623d3be54832a44b509d1d0b7a8685abeea26b42c7e09a87467927dd8f7b
SHA512

ab54ea1315d70f88e4f7c0afc4f321ccfd056daeb77a53644eb8f31ee82aeef47a0af9d109fc95b779add7f61e900d6f703d9781370a251b5adb54962e540519
SSDEEP

3072:uul7lHZycwPgqmt+iGTvIiA6/N6HJatSHvArukZHbVdJy6ynEQ1irxAw0O:uyVcGqu+pv7ACNhgH+Fy6T

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\Ransomware\\Birele.exe"	Birele.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource yara_rule

C:\Windows\DC7.tmp mimikatz

resource	yara_rule
C:\Windows\DC7.tmp	mimikatz

Drops startup file 2 IoCs

Processes:

explorer.exeInfinityCrypt.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f08cf37c.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f08cf37c.exe.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe

Executes dropped EXE 1 IoCs

Processes:

DC7.tmp

pid process

1964 DC7.tmp

pid	process
1964	DC7.tmp

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Birele.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Birele.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2032 rundll32.exe

pid	process
2032	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Birele.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\Ransomware\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08cf37 = "C:\\f08cf37c\\f08cf37c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*08cf37 = "C:\\f08cf37c\\f08cf37c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08cf37c = "C:\\Users\\Admin\\AppData\\Roaming\\f08cf37c.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*08cf37c = "C:\\Users\\Admin\\AppData\\Roaming\\f08cf37c.exe"	explorer.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

138 ip-addr.es
136 ip-addr.es

flow	ioc
138	ip-addr.es
136	ip-addr.es

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1496-5482-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

InfinityCrypt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected-hover.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7	InfinityCrypt.exe

Drops file in Windows directory 7 IoCs

Processes:

rundll32.exesvchost.exeBadRabbit.exe

description	ioc	process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\DC7.tmp	rundll32.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeschtasks.exeschtasks.exeBirele.exewmplayer.exeCryptoWall.exeexplorer.exesvchost.exeInfinityCrypt.exerundll32.exetaskkill.exeunregmp2.exeFantom.exeBadRabbit.exeschtasks.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InfinityCrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1624 taskkill.exe

pid	process
1624	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133761646095751422"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

wmplayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{087113C9-6953-47B9-88C9-031882CFE1D6}	wmplayer.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

716 NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1444 schtasks.exe
4152 schtasks.exe

pid	process
716	NOTEPAD.EXE

pid	process
1444	schtasks.exe
4152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exerundll32.exeDC7.tmp

pid	process
4960	chrome.exe
4960	chrome.exe
1728	msedge.exe
1728	msedge.exe
1508	msedge.exe
1508	msedge.exe
1644	identity_helper.exe
1644	identity_helper.exe
2916	msedge.exe
2916	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
1964	DC7.tmp
1964	DC7.tmp
1964	DC7.tmp
1964	DC7.tmp
1964	DC7.tmp
1964	DC7.tmp
1964	DC7.tmp

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
656
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

1996 CryptoWall.exe
3640 explorer.exe

pid
4
4
4
4
4
656

pid	process
1996	CryptoWall.exe
3640	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmplayer.exeunregmp2.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeShutdownPrivilege	2864	wmplayer.exe
Token: SeCreatePagefilePrivilege	2864	wmplayer.exe
Token: SeShutdownPrivilege	1560	unregmp2.exe
Token: SeCreatePagefilePrivilege	1560	unregmp2.exe
Token: 33	772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	772	AUDIODG.EXE
Token: SeShutdownPrivilege	2864	wmplayer.exe
Token: SeCreatePagefilePrivilege	2864	wmplayer.exe
Token: SeShutdownPrivilege	2864	wmplayer.exe
Token: SeCreatePagefilePrivilege	2864	wmplayer.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

wmplayer.exechrome.exemsedge.exe

pid	process
2864	wmplayer.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exechrome.exe

description	pid	process	target process
PID 2864 wrote to memory of 1408	2864	wmplayer.exe	unregmp2.exe
PID 2864 wrote to memory of 1408	2864	wmplayer.exe	unregmp2.exe
PID 2864 wrote to memory of 1408	2864	wmplayer.exe	unregmp2.exe
PID 1408 wrote to memory of 1560	1408	unregmp2.exe	unregmp2.exe
PID 1408 wrote to memory of 1560	1408	unregmp2.exe	unregmp2.exe
PID 4960 wrote to memory of 440	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 440	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3272	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3144	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3144	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1644	4960	chrome.exe	chrome.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\drum kit_sound.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff979fcc40,0x7fff979fcc4c,0x7fff979fcc58
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4640,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4440,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5492,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5156,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=240,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4616,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:812

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff978b46f8,0x7fff978b4708,0x7fff978b4718
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5352 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RemoveUnprotect.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:716

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c.zip\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\CryptoWall.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c.zip\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\CryptoWall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:1996
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:3640
- - C:\Windows\SysWOW64\svchost.exe
    -k netsvcs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232

C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Fantom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Fantom.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2256

C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\InfinityCrypt.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2500

C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5068
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3923073449 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3923073449 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:37:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:37:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4152
- - C:\Windows\DC7.tmp
    "C:\Windows\DC7.tmp" \\.\pipe\{E63A0C37-E6E5-495F-8EF3-438BB55D3F54}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1964

C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Birele.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Birele.exe"
1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
16B

MD5
4a447d612c57add837eb9d0a176144e1

SHA1
87712bc75896bdad07bbfb6a73d301f4e1744465

SHA256
28dd6bb981be66012eb41516183f71ab883651ca13ff333df58ee2b090827008

SHA512
404a57e4418ca9412af52a1bda52f40477feab7af5b75ca8ee02085f2e6a4928289724c9ddfb09e92b23bea8f7b488be9b4b15f20bd472ec6ac578ba4e790c9b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
720B

MD5
1c5c704dc95138b576e0590e7fa35309

SHA1
6e941d9b92719e5d8416b5421b8a7e04645f4720

SHA256
c4cc5e565e6e72dcc9887c949a5867ae3d9f067200cf1920efc2f0fc29598ce0

SHA512
5b337df15b21412dd1547ee28bdc9868d96fbc9fb5a46c69b308053b674d329e83eebf10dd7a881291f224b238e344c56dfae53355442e7f805e3a41672573dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
688B

MD5
866c6ff9f185f176d75dbc6a034b7a7a

SHA1
ffa5c2f64df15fcfd80d232e982bb489d7270ba8

SHA256
69c81394838c650d4f937a66ca707c56ffa7d010543b5b3f75b57b61bb40b8c0

SHA512
29330c15f75af79bd859024bad362c61e1ef19b9a546f06d0784e2594b3e025ad945317299ea408f5d91c5d6a1aed2539384dbb48f5884b2ccab5c4e07e39ec0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
1KB

MD5
2c54e11e85a42b5a14db08f6d49e43b7

SHA1
694e30cdedc4f2b776c160362c069bad9d9c30fc

SHA256
088f47b2ae3d4573e562e5a6cde86c64162312ff2e093f2ab56575c239539bd9

SHA512
fea4ba2b9d96a44736aa733540e871bfea1854711fe2b2a36be73641c6cefbf25d95667f411c4d6146522b952f90fe645a7029a5a52dfac37fe94f2a53fec83f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
448B

MD5
11da6ebfbd45032a4b064160063a721e

SHA1
59a3c78d96e93adb48ba44ea4ec37ae128a7c920

SHA256
9a8bcba1d7fa71f3d8b0cb14e6daa9e86cc583140c538567ca5187e5c8cc8dc2

SHA512
15b09b72fe2daa6cabfaec4b12b0ce7b799b3aa16a62b9b6e878a0e8be064bffc4f86475255a52dcaa8d8da6c0718c39e64513207fd36aa595afbc50a8981420

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
624B

MD5
4fda58186c5a6e97c8f421c8c2304573

SHA1
4a0f0d6c2c6280e257e865b917787e350289621e

SHA256
dee284aa2091722431851b566657e941a8ab238a04fc29cbc5ddf4571acb0037

SHA512
491447ab2232e3a516c6f381a768beee961dba188d752f58b2b4269338a28a3353946fbfde198d9f23666cbcfcc45f41c555b9ea867b0d3cd24c44399d84ae38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
400B

MD5
bb200af0356b447598bcc1bddcd7d2c1

SHA1
fe890b5879d077649028a2f2c10b3093aec54a8f

SHA256
35c475a7bc378282029b0d4065dc79b029dca64cfe825ea8073b8408620cf24f

SHA512
08d9ea848dee2d6f06539cae3ac2809cf0851028a5da7ff2ad9243fbfc212deada05308341b2d94cbfd77a076d768da49b5d1ac444587f7475b022ae8eed7ea4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
560B

MD5
f47af283810a20aecd74c6be23d06452

SHA1
2019aa9d63af943ccf780ce75490bc159098acd4

SHA256
fbfa12bf2ba4fd80431aaf149d42956c3eaa4a9b2dad270733f1a04e8c895b47

SHA512
c89bd066073c56319349c8fc68b288d58f056d213e0be34d397f11e8c9a0495dd5271e0b1ea2fd6033dce75f2c90bf297beff08e0508afdcf030e665ce006083

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
400B

MD5
4c28f54f2e41ece2f74667fe41b70559

SHA1
a4f1ceb38d2c0db692833fbdc50982e5bceb218e

SHA256
c25e207d1e68a71056e7d1b30c82a9a5a88fcd5e4bd6e30a9394ca59955853ad

SHA512
a86304801200bbc797fd26eed5fa098157a495c934e2387381fd8584a1eeb2d44af4eeecd46831c5c01a3416235dd90be4ef97c06e557913462f4c3523da87c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
560B

MD5
446d08dfabf488b6ab62514f0041953c

SHA1
d3c559eb8463541cf1a9b134bc268459baa16c72

SHA256
88a13c486c04cf46daf5f687d374027d695f50239f01a9e9bad909f7ee24df5d

SHA512
6df92c88a92a8e42b9d662ee92ef1def3d180e959337ff7e6cd5ef096d6591ab1d1783b4f5bc859f3473786b61798d015349d33febc4dd10d12c103351a67228

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
400B

MD5
8d15e6f965c3f6b8f024625c97fa85a2

SHA1
c57d18de8156b895ade1cb603199375ef5845975

SHA256
a3f45d5589165ed034001a06a99da7bf83196dc314df040f3b34898bd89896e9

SHA512
21441835a1b0df51e78271bffb1ca6cfdee9bd47dc4d6cfe4446add3a8305ff0857a7f967eaea085ebce49d9ed426d6ec020035ff5f2e998214247598428dccb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
560B

MD5
b7657401c489a2f8d7a9417565b9cfb8

SHA1
c167feb86569cfbc4006db87a2718cf9870becb7

SHA256
c5198305b06397e382f9cc1607736f0d879449c0c468d80a3a6fde0a701bca64

SHA512
9eea90c9c26bd36cf451a16ea141d6ad780cd3766d259eff4e7c4e7fd341e4b9f2af8abe708c3c64f25c8faabf20682753748d83863dfca0abc48067f4459a09

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
7KB

MD5
5fca2e3d6edbaaf45936f1502a517a94

SHA1
681aed8a526e04e91a07caa161a38a97f7ae8c67

SHA256
bcc9190c55f8bb9507d6fb8982d19f815dc418cebb1dda5f8ceb04dd54c665ca

SHA512
449cee167f1b474965a2dfeedaf404aedaea05c36596791764582f6cc8d080be198e466c1bb643dd3b2cf6582f61f1a9aa1b7aa484a1f1945056419f3377ca39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
7KB

MD5
ec871a5b587169e619aa5eca692b0c0a

SHA1
e7035dfdf16769815f11010ca135763c94435b1b

SHA256
f1eddac6008db1b739a413b46cda7a105a2358d726ff8e5508fd33d1d953d873

SHA512
62f31f0cba9d088cc958f646268fad935c6da8df43f4dacf8283f251bd4093e4652ca2f585e43f81d059f1bba29b9ce813e78a9a75e7e3bf8fa96fa9e55161a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
15KB

MD5
792a23d23609b0ab6dfad65f6ba62642

SHA1
11ee54113cc42c68b8bd1a2c3c4e863854a1d2d3

SHA256
41f7ca17ac0520314325c1a674e788c848180ccee76b06fa795bae83bae20169

SHA512
94f42a1ad6adb05adb1171f35f473fed3bd103b22f1f2ef1449412fe9b4f26890b59460baf5e65f3b6a772096ca83ebe8e58fcce08a331d6505b89008eb37c98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
8KB

MD5
843ed3dfa925462c5aa2e8f6b5051de2

SHA1
aaf20bebbb7f9794dbcd9230d0d28a56d76a9c60

SHA256
aff45e4bfa756b03e014e4ce13037db2ff295f6c7e78be7fe2ddd7ed8f369ad1

SHA512
b507828348f3d88b40912bc1ace677757c459293f05569d1d093f0101abe369e7586e3aade99c46d540d62758145ab8b458976ccae8ffcf75c55a0a7b3e4f30e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
17KB

MD5
fb3cdea43b011b8a10bb594abb401253

SHA1
b10a9d08a326fbafe0d7776e0f9f1c6619e2485e

SHA256
7d45ea2b675f6c557017410b70cf85619eb93d4a0d43e8c42a1125c2e9e17696

SHA512
3763dba08cee8b6e8cceae73456cb3ea4cd4081025040ce1c681da2a25cccbaf69d1193ace0c8876af9e33187751c0a25dc6648b54150dd76e5f307352e89371

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
192B

MD5
6d0e00eaf6a83815da11626decc60692

SHA1
c6547f36f1454a719d30c9791154010c57365d4d

SHA256
57253ddaaadac3dd1b9d027eadd6e0e5eddb0b63c0abb9b0b93d1bb4c982c930

SHA512
3ed01f6452f8d7627730daa9a6e047955fb2228f0b2549e17f9cba19263a4f8d9c2bf20fbd2849e622bf99b29888a7763e72e5ab4d5b73f872d7912d20e30788

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
704B

MD5
45130d7095d2de3b8a81994fd836ef70

SHA1
15ccc60ba4152d56c435d798f84271bcda9f8efe

SHA256
5f432edc3db04a1d1000d70a98561bbf0c6ccc46beb2f0eb148254494cf6423a

SHA512
0af60c8fa75c32185fd91a18b9ec5fbc8225571b08425af32582d42d3357abe1beb99905c09cbfd0e8301789104d439b3dd29650ba0599a4160a42472bfd55ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
8KB

MD5
11188819a371d3b4d8ac03b760fc038d

SHA1
dc2955f7f498eb803a2db9a2e1b137dd680b10c4

SHA256
341f6f4a08db39539e750e217624b32d8541f6392813330a0281465c91447b42

SHA512
18c37b50701dde1fc03536f760976398cbed4a3bd6777984e4f00f741c74a72163f3fe0c43caf09ba7941f622a3897eae517b09472ae564a090525e357ecb03c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
19KB

MD5
b7936c0fe462dd4a97773930178d4954

SHA1
f5dfb2c24f71638b4cc615b8d4019ad8e67b31b2

SHA256
078d79425057a1f81b28fb6b42f20ceb4d0d4095827ce32420beed18b7018e3c

SHA512
870261d85e8492bf5ada70ac63220772d27d095f6d51e5644690df054287f537eb2ad5dd0f56b3c60a5691fdc1707a0d2166179f3d8415a01138938c767e38dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
832B

MD5
9e2d312db9bece3a2471dbb4baf1adcd

SHA1
b610ee4c34b6ef47998c3f3b160e4fb7352e3624

SHA256
0c9d9cd90ac364a6dbb5761746b78c3ebeb5399fd2f7b3caefd3a1e3c90d96ab

SHA512
1fa0d4e15a05edd525263262824a096e6e6fbcf78142ab6361311e4c7c584dbe49d6a835ef76e1424441b1e8a00e82bb33b3a6bc23ee308b6d7ff88158f492c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
1KB

MD5
d8f09dc8de8ef1dd61950ac9aa0adbe6

SHA1
a6eff82cc114e85009462a7142a3e918863453fd

SHA256
611e3ff069aac374030a3cfc3f07ef68c3c7713d37b65c0742b2a04806823f30

SHA512
ee7b30d7cfa573a91b269616ce01cfdfe09cefc3397e082a39d557b14ef9883836e9e0476b9b12b89c08272f56102b2994099b9b6f2b52373a37cbcf88e97836

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
1KB

MD5
1b16a036b9f0c8e6ca9f2048356152eb

SHA1
289646d90df6ae36ffdb132c714540742ab341be

SHA256
714aced718bff414767b5ae5773d23ca55add054b3e5f611470570f0d9f11c30

SHA512
445074f798818102095a99a7a6e7aef9e300466d5ce864d5a4e15ce6a4b0871bf0d5e03d4a0739cd2bc7cc4ac1d30051814a2084aa1a98f51dd099a3b618b4dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
816B

MD5
fe60571b6c5e29de9705b9fac8f57466

SHA1
49735e24376b9f7643c3449c84d7be297536200c

SHA256
70ca2c5c7f149068c6f5c7de35846180a4a196de63f896905b12a1be1e30bff1

SHA512
932233e39226b4f475e18e9c74d6d849566be832d9efaca2dc1a8cae691c4b8f35b09237f7654f69714a13d6d779546546b71ec256064e52e80f97c9d2791a65

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
2KB

MD5
d1f14af43724965f4df6fe7b30f14754

SHA1
9467ea23855c70612bcf5f1ca9a6b36b2b091e78

SHA256
b1819219ced6b11981ca8a693f28a159df1e8f6f39c8ed41eb4896578977ee8a

SHA512
b82d58ac87c68b9520d0e3c1bfd1e485a9c61f89c5cb48dec3c314ec5bea415ed2732e4af27a7686b3878878c3dd0228c75f91df7f6f0263ee42cc07b264ca41

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
2KB

MD5
c4e7586992fe1a3ae6714bca84b10044

SHA1
05027b265bd8542be52df5671babde3b075c89ad

SHA256
80999cc35e7cdac74dadd4175297a0660c0313a3777ce97b547f12baccdf57cd

SHA512
5272fdf3ce9151da2b7114e4483c09cde00c91adc0723ffce223deca018a8dea6a35e3a03d9b81ef208e997c005009a01bf226fc6d522fccc8188c5c66351809

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
4KB

MD5
2e1fe5b466f5c69174acdc801f29a390

SHA1
4bab10847e52bf58d934d0732066a50eb1ec401b

SHA256
e5ed3600ff773fa5d4ae24da03f5cf1503210096083766efacba9fb73aa349f0

SHA512
83716f5004bec96e3d8bb7b6ce1dbdab67edd760150a7706475d67726497e885d7cfee8b482f02ee1ddd8a37c277bc6db4bb4acedb1e80e91495802a509831f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
304B

MD5
4999ae65344295419db7889a338ebb98

SHA1
7037ef696e9bcf1177bd542f9404a2736299e3f5

SHA256
dc881addb9e3b2f31c0d68e6d680c6d59511747f08d3608274e232cb928232ca

SHA512
73ca549229ccc311e4fa30d34a7cb977c270524ebc984808b279873f8546f343efb17b61d50f89ad86149186e7dd2961f4fd450fa9168bd1de28d9090d0dec5c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
400B

MD5
58a0a0477d96bbf98abd15075d9dfca1

SHA1
ff3985d13b319b814e3c3fabbba03e8856847bdf

SHA256
e0edbe04dc6f5387ca64dd042b576aa4d8db05866a66d8a9fbd4b251a40040b2

SHA512
1e2458f485b9632a7830b974f17887448fa599e6da35aea0796d42a60c5ca6ec0346aa05811a072b4c296cc2d04e26b8f71d862af7750354a289a515790ffa36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
1008B

MD5
0dfcf77043fac8f778b0fd8c3a69d295

SHA1
8f73c2dd59bc1ca7ea0d8c4ac6a2f9a3a7c335d1

SHA256
739276314821b900cdc22302912b89ba43cedbf3e672e3b13d893c3bb7ad31e4

SHA512
ca66b4f3f2cc1ff783572285ff30446ba9c9dc6c9cd72e90ad088795bbb8cdbd650659cae7e3abf460490a8f199048bc1f31c13228e00b6d126d9f5092632dd4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
1KB

MD5
80f4c46cb9a594925e75d8ab276b981b

SHA1
d6ee809f9e2ca3b0350ab6c320f5b5c500b397fd

SHA256
641f940f040b95ed122b11ac343cc43078119e3a0f6c03985babdfd4d1c44c6e

SHA512
69bf8d317451b04d346016a5c9be8fbd492952491921336ad7f63ce1fe6791a8ec251761d265de892a8b2929bab212baa5651b5f22f13e1622d8d76f9a675f28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
2KB

MD5
6724528690d9a3a3d4b01cfada2c1ac9

SHA1
a3a8e51e36121f98a9122e69beabf95a3a68ddde

SHA256
1e4f12aa5dd1f21231f3dfe42f9f89c1558adc5a7a0c61c892b59a74ff8fd3ac

SHA512
021177f5fc180b1b850c2ed6945a4bc249768a9b75bb327a483a53fe84f26da51a9b31453efb0e6ffafff1dc0890b9c610658e3f73d0273ed33eabb79aed43b1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
848B

MD5
7e36b88992c4dfe75edf8fe55889230f

SHA1
321623fc8cb3c542d2a024a6a76e076adb997f65

SHA256
0e1b4d6b75b471796ca0065121e5b6db2e124b7448ccd476eba20e47dd7b0bb4

SHA512
0e32ce77e46df7cac2358e050d1711be6559c9971e933b87a143a9255319f589d7c3baa9ff4a03706b0a79cfc137d03b85f3184bbf41e1f507aea73cd2210702

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7

Filesize
32KB

MD5
1092ad178f74ca1871e4ade5e8117b5e

SHA1
2c3f944e8bd11ebf82db27bab05032d5367d7352

SHA256
1e829a8c1ef181930bd3eb9d1815f5c7246b2fc752aaa1932fab7ee2a1e3da85

SHA512
14cad059f4819069147282eae41d47bb68412c13e3acd4d004b7ceb7ef7bfc1ef369b7b30de7c5034349c23ba32ead06b026eacded2bf3493a2e4fcd3ca4c7b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9dad7cf6a73cd5fff128d815c275ac78

SHA1
8be6bc8b602ab222184a0f53fb14802752d69dc6

SHA256
2c3c33293f8855fad273b3a078c38d000dfb088d473799e3bfe50f2e44708f28

SHA512
3000bd429f0645f7cbecfe0e9636bc6cbef3f1a5d3d900a81663dcd6aa65ed252d472a69320f0fa5176d2c9e06e7232039dd3e8eaf961061f590c5dc0ee38517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0b882e6db38f22ddde91fef84c027410

SHA1
085167afd8ba76e00f6a9deb47709ef5172c5ef5

SHA256
5516d409871684c36ae93a7dffbcf9bc0c63042986074e351e697158db644f40

SHA512
f5c0ab5903557ed6a983d65cd714264c2afbcfae3166251c0b72f45b2e3813359779a9ad2e90de8d7fdf9d588c0e6ab45507d1380a3cb60a0954d52921f1535f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
092ade4f4155fecddada77a691b372a8

SHA1
58a76343f64f701445e7ad6a1ab13f63a8bdb450

SHA256
bda122ba9299d345e2cd035ec584f9126255a86661e31c6bde4da7b2e3def70c

SHA512
8dac0631a6dab2bc141bc9560095d77c36a9c57cd655dc1a0c46ad487c097207e47bae4664aaa884299f742816cad1d4a3bb6781b47cd7410c07ae7a9bd3ece5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
58a1c80350ed0ad9f2218e00146a5ce4

SHA1
4f412e1d20939ef4167bf3487adf28b459d947c4

SHA256
f78f4507884698c43199b81b5372aec16a736efff01c6412c2e1cffcfb124eff

SHA512
886877a7e9d8134d8ead62190f00e3c841c5bb6511a91c85e390aff05895eab39e5fdc38ef6fdbba7902e7b87b5e53057d2e91ff9bf3d9db2d87e261f7c2cc75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
90105ce30f0f6f47537592a8148df6da

SHA1
c010feeaa7bc8ae9a5abf0e0e0af2f6a921e98cc

SHA256
9b842e3ab15aefe686ed33c2a222ea9ae3a4d7b608731b8bc60a4a6258d35e16

SHA512
4b9f1f1289330b79a6143684eb849a1abc3cea2baa4dd2593654ac9d9f6e928039b9d8d0486a93e17097b4518d6d2c7a726b829527d5bba4a1f6849c07b3239e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
498741f555aca7832f63f9e91dcdab51

SHA1
2b01c77ed333882c23958ee5bee160863e8433f4

SHA256
71c5198993cabefe30156da762b2bf0165f0944036e3a0ffd76a3b2a59d21402

SHA512
337b1a1cff34dc7000ad2425b9b19a7b0a00a04ea57082402666f88b69e1783728d8654ced261b03fdd73a212883cbab244d21acb5419dd3a4d861b8729d1ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6b9c1c2df66fb2062e96d094be3a482f

SHA1
f590eeac8a3232392ebf9b964f1cac169d24c452

SHA256
3d3add8f2674ac41cff36abb87d4f6b1dad7138fb76c0de0f47d0fb53bb03f31

SHA512
2a6c0fd23adc8d026cba19244fb8c8fdbb9d032d9c651ae76d3049e221a2a8663c018b29cdfe72db413e67442044091d4be82a82f45706cdf771c1f91a834d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
511e23f11d68a7a8e5dc8e7525d391af

SHA1
c566a411b23970d3549c1bacf833b6a28e48dba9

SHA256
c62154c497a83a60f9d554b02fffa019fa2b5db78c1424c531d0035d302c43e7

SHA512
3a8ced3006d84304535d394f4270d284da1a36e998e8e450290756ce7d3119329907a8a44120ba595b4dd9d7320ac2fcdf720e2697251b43b84e318dec9e9f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
783a1d3eba0306865656dbdaf50bf876

SHA1
99db7026414bd426a048aafafbb43884d920abd0

SHA256
b3b27261c5c3b0ad7ea54c5c621908780e278b56c152478ab95e73a972df565d

SHA512
685f6bfac49be6669f29516a0b63c88cf59dc8e28314ddbeccf3f0a2134164ec86192d44176aa1bb758ebc306eff5d29326d69eea3285b3f28e52b84d50253bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52e289b3f8f33b3ad246c39b0697658d

SHA1
38117c13afd54e4b0e6730d39d2ae6118006cdd6

SHA256
1b04bd423e961d1f1002facebfa85f2d7c10cd571ca3a0fefb675b0e9c48640f

SHA512
b88fddee1e313d0ea4d01e356221d1c82949dc41fdfc1359c0a1402a10b0036ea11d8c58136f8565f6463bf8c083a4bfd714214aae00f638c4edf87433aa9f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a3ccebfe3354e2275a8afc94f630282f

SHA1
66fe4d9cced00ef329f992bdd3ea47d5c05fb85e

SHA256
eab32445b5b01e1b0218f1df192d2017b5c6b7d548ed5e3957456c49a9d1a557

SHA512
40a0e7996c294975e8532ee303dbca0fee3de58b42183efd9580df80ecaf23bec71502980c7926a9071d46f8b32a509f9e229425fdd9fe04c1d9ef6703211daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2fafd25a080fd0cf832d5f04dae4524f

SHA1
6e2cdb26ed0471c51a2aa7d975a352b1ed0ea3f3

SHA256
538742737473b76f1385f55ebd6dd659ef6fe8126a250bf3a06745509e78a9ff

SHA512
8a6e42bb5a5a634e35fd76100f8be2288164f9a5cffc39eeddc437e6437537564d64c3a51f358369b13bd579d85e3bc94a82e6c84891c38562c46235e8efb03f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
4ddc8cd03267bf3e33c53d5e2ee2b62e

SHA1
f93d31b36acf87e73eed7e295bf227b2506ecabc

SHA256
3de0aa0f09ad1a9eb26bdf4df0b186608110300498887e04cbba6006fa117502

SHA512
c64bc597411ddbb163e2181ca34698a1e2bdb5db8c6c981238be982cb29228de85612261c5ad38930e7a245339b02a8d32747147a295707b3fa838afb17284ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
379e53f90ef5706f970d9bc05dd2650c

SHA1
f52f22ac9a5e9d40a8dcb63be496374ae570fbba

SHA256
bf530be9979422954410ac78d0230e5abcdc91f1c57a213f8082cd458eb4c5a6

SHA512
c6936f3b2b30ae9b33d9312405b4ca82879b725cc567182ff1c5ce19ee19d88738d38688daf55046a8a3408df1ed344d84d8b76162efca1431bf797093016751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\71eb84ff-8d42-419c-9603-5e6cd22987cc.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5e95d9442f93900026ae26cb30da1e16

SHA1
d5286a253fab713471efd6437cf472f48ddd898f

SHA256
a69efdae13df1f6cfef781869713596a94e2ddd20118686725eb52d6dc22c467

SHA512
7aca8b91556466ba9e8e48fdd3468a17b5681a482bb8668e88e95161a89a075c0b6e9c3eb01c52c76f128b1390ed515446c380b7f33c2c66a9783acad084b9bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
92a22324c6bb6c3e6c7681ea47f50843

SHA1
014d6cc53605b5cc38544f899f2b9414e5581d75

SHA256
2f27ba6923263a784680829cd74215be3b295428999af5e13c7bc2143805cec3

SHA512
a327de3407f167e685b119e4357f650dfe13572b021526d312ac9ffabacda3747709a79c3987f250335d6a8fd61e91b7f3217bc7aef01057012cecd96a3b2b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
205736b29a243c826c5ceaedaebae640

SHA1
bfefc3e5e7a44f3bed43ffc7b18949252f77bc15

SHA256
e46d91e80f53209e4b135aed09807cd55aed5844bfd8589e99581f6d6b7bf4f5

SHA512
ad2e81dcb479dac55d1cc00d0b9f23202545797fb565e606fd772cc0fc0a4a3ecebc327e017104ef7c7f5837299446ed1b24c1f1a2e5f7d8474c5192829195ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8fe52672c5a0e7a63883a3e1c496255

SHA1
edb0c1a18b8144a81834332f386e6fb1530e11e6

SHA256
67585e475957a151678761b90ba103b0254a8a758a67a4358b53099963819409

SHA512
a92e3c8a54c6ea88a7abf6291660e55e927caa1b4600262f65e329b25ee68a0755c13632047de58d2caba9403a3f5a968a58c47a28e535c08e454e654a0946b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3588fa3f267a73c283cc64c485d2d59

SHA1
cf2678a3953946b3502e06c1c7ac5fc02375edda

SHA256
310b21358fd01b2e60ffd1d834a9b483ae3a7b7138db98358981a1ef47306cd0

SHA512
2a6e937494f3e1af8479d4e3cdc21839dfab7983cf8db3bc67b5d1fd114a94e1eb9f7ccfc9b111b5223f0f2a0144823af97f933307e54cc53a03e7b52e3b8095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92daf17859735767bdb0732c05347311

SHA1
c0113b99107c6af046dc238c12055db612401ceb

SHA256
281bbd780a6a233b134ffb6e926a6e69102ae5d6ef2fb75e114de09eee82ea61

SHA512
b4460f6a72e9e7a10a7358dfe952a0c00d07693eeb630e1d7483ab66debd6f1b198e6b814bd8862b3cfb6c10d0ba9e1555b684f04983589fca4f109101f4a799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f49fcdadc998e9dcc7c032818fcdbd14

SHA1
ea4e59675363bff193b1bb4423801e6a0f4c138a

SHA256
e4d951f3318333d3ee52a2c2a85a51c532206c73ba5950bf4f8ded0c5cea8a71

SHA512
a2bcc99d413c1ae9b71eb9587231f2b85d1dc755f042c843884dc0a456d341ef7b2d8dc7ec708d6dd5ec28f0e05524c6ae609e858810de5ddb1e19d313a7ebf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da2cbfefb2da22f078f85c9b12aa6eee

SHA1
344b86ef555ee2738dfba2f69cbfb8a0ae449edd

SHA256
ac8aa9c3352559cdc299434e72ad2817ceaca295be6bf7c4c6b44e5a17ada630

SHA512
334e73016a972929f36c598b555a834f770ff288eb19ae8cb4df40ed28a21f55739e66ce29090891da23c18c12d964fe17c0369a06f954958a688fc775d8fb17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01af9c45a93ad02d183abd27e3927b9d

SHA1
9b621cf8da340a440b9c1dff013a1ddf397d3bb9

SHA256
e6125b3255d7c924b8d76086610ca0c69866d4547bcc615fbacd0768e506d087

SHA512
0dba14a518ddff78ccd44ef83d638b0cec4760d4a583fd41e34576f5cf97d9d2a2e18b65d2ac05e7e4e7628de8dd10135c996b7c66bee902b3ab092be1acc46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
318eca88ac5bcfe23606004af57ed90f

SHA1
ae49eeaabafb2ac10c84dbaea932de5daaf0d287

SHA256
153a52836d021ccbeb9cea07bd8db3833631b83873c4668c2c6e4c98ad45f21f

SHA512
31301860c9cab3e24f0660ad99776c687d1336a89161f4c8a5400468e60582906de8bc976b3bc5533a15a1dbb001675db81cf3d21f82b031661edbb7f1d937ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe633483.TMP

Filesize
1KB

MD5
f5c3a7cde20d3d17a4a7bac9f95bc77a

SHA1
14f9ed2cc679aa50f57889cf0d96678ad42d8858

SHA256
243d7e21cef0e1efe459912fdd06b97ebd232e4e8d52c1d00a298a601cb1f148

SHA512
492e7c4bc245c623a6c110b3055c8e852c96bb2a03af3ad15cf76a8776174022666255337de6bc4cbb4ce613f23813ad21da5395bc3f81113fd89afeb421b140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cfe98c4d8f433e1cafb5e10e52fbde9e

SHA1
377936e1994854ab023c24b381c63c34b115fa20

SHA256
4c8b169a822bc43381c68bd5c077152fe2d6070952ef018f27e19d05769da039

SHA512
6a3fb99e231aaafc428e5733b2cde182c6b0a9ac658d306f34819275355870e32d3deb7c333646e775c96e7066303a015ab2086a0953e72f07b91aa902dd270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
103a415dae5ec7df35881e2c5ef5fe1c

SHA1
f712eb8028e6ad17f932262c2b9bc1f7e17ff79c

SHA256
b944f42334dd8f7340a5d851a33ffa76733e3c6ae135004bb0efd9e5f7be3f1c

SHA512
1032d73283070283f367ba3dc5eed8315372a9726891521dd92f061aa5412c7c7180ab6dabaf8a64bf853b67e8410b9871384f70c1dfb358896d10881f70c464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
86415dbd028e71b44f58b671a5b3d152

SHA1
d025a578f168614ee46c6644ae025b28d3161932

SHA256
18a0b3db1f04c10bb3f2a799dd7b06c47a606638ba77149800b22aadf6c5cdc2

SHA512
41bece79715bdc68aeecec2d64f7d223d6292afb00d5e53b607ba4cad3645b818f1bf6893a3b1e9332224e016445436e7922a8c0feb1a87abcf2bc57f3633268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
bcf98164b9ea607ecf0f3fd6ee4bae2c

SHA1
98df8d04b473c745a2529b036155bbb38c1b748e

SHA256
c6dfe1fc80d55ae2a3e9ecd3d5f0ee30edc9ab17126de4fc8deb7665917b1163

SHA512
c66a56ab365ec0ef408351aa15d2acce9918a535825b63bdef0bcc00c5213e7e6ddf1913075e0f026c0c0489e92a5a6b6fe32b04801eb3c8b9039ec7f2f89b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4960_1781071359\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4960_1781071359\b65e67b9-343f-4b2e-bba8-66f080043ed0.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
9743a3a585131c917e7ae2c7c8cbdd7f

SHA1
690185548a75cb1d11ef8454efef4568e91a45ef

SHA256
23d7aa50ba05b31bc4dffa0f5b83812c69a8be07987890f6d051a27afea02b8a

SHA512
265a815e6225eb09d60a6865b7a95c53c3ec5b6db46de1385e380eb46f5317d9426efb2131feaee81c38d71d6b4c0a9a1a17b140c09a78c6f8609d8122a6e084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f08cf37c.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Windows\DC7.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\??\pipe\LOCAL\crashpad_1508_BCIZKSCJGASRMTUM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1496-5482-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2256-4613-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/2256-4614-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2256-4615-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/2256-4488-0x0000000004A90000-0x0000000004AC2000-memory.dmp

Filesize
200KB

Download
memory/2256-4487-0x0000000002520000-0x0000000002552000-memory.dmp

Filesize
200KB

Download
memory/2500-4626-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/2500-4625-0x0000000000E10000-0x0000000000E4C000-memory.dmp

Filesize
240KB

Download
memory/2500-4627-0x00000000058D0000-0x0000000005926000-memory.dmp

Filesize
344KB

Download
memory/2864-108-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-107-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-106-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-105-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-103-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-104-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-102-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-101-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2864-100-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-99-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-98-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-97-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-96-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-95-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-94-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-91-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-92-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-93-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-90-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-89-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-88-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-85-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-86-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-87-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-84-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-83-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-82-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-81-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-80-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-79-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-78-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-77-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-76-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2864-74-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-75-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-73-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-72-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-71-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-70-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-69-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-67-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-66-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-65-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-64-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-62-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-59-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-57-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-56-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-55-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-54-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-53-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-52-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-51-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-47-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-46-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/2864-44-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-42-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2864-41-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2864-35-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/2864-36-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/2864-31-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/2864-32-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/2864-33-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/2864-34-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download