Analysis
-
max time kernel
890s -
max time network
892s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2024 16:47
Static task
static1
Behavioral task
behavioral1
Sample
drum kit_sound.wav
Resource
win10v2004-20241007-en
General
-
Target
drum kit_sound.wav
-
Size
187KB
-
MD5
cc3076fd52cb56a0e8b5736edf9355c7
-
SHA1
deaa3a347763021649e8aae1c5c5f23b8f8a8143
-
SHA256
d3b1623d3be54832a44b509d1d0b7a8685abeea26b42c7e09a87467927dd8f7b
-
SHA512
ab54ea1315d70f88e4f7c0afc4f321ccfd056daeb77a53644eb8f31ee82aeef47a0af9d109fc95b779add7f61e900d6f703d9781370a251b5adb54962e540519
-
SSDEEP
3072:uul7lHZycwPgqmt+iGTvIiA6/N6HJatSHvArukZHbVdJy6ynEQ1irxAw0O:uyVcGqu+pv7ACNhgH+Fy6T
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\Ransomware\\Birele.exe" Birele.exe -
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0009000000023ead-4849.dat mimikatz -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f08cf37c.exe explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f08cf37c.exe.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe -
Executes dropped EXE 1 IoCs
pid Process 1964 DC7.tmp -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Birele.exe -
Loads dropped DLL 1 IoCs
pid Process 2032 rundll32.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\\Ransomware\\Birele.exe" Birele.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08cf37 = "C:\\f08cf37c\\f08cf37c.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*08cf37 = "C:\\f08cf37c\\f08cf37c.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08cf37c = "C:\\Users\\Admin\\AppData\\Roaming\\f08cf37c.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*08cf37c = "C:\\Users\\Admin\\AppData\\Roaming\\f08cf37c.exe" explorer.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\O: wmplayer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 138 ip-addr.es 136 ip-addr.es -
resource yara_rule behavioral1/memory/1496-5482-0x0000000000400000-0x0000000000438000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected-hover.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7 InfinityCrypt.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\DC7.tmp rundll32.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Birele.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CryptoWall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfinityCrypt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fantom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 InfinityCrypt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString InfinityCrypt.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 1624 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133761646095751422" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{087113C9-6953-47B9-88C9-031882CFE1D6} wmplayer.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 716 NOTEPAD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1444 schtasks.exe 4152 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 4960 chrome.exe 4960 chrome.exe 1728 msedge.exe 1728 msedge.exe 1508 msedge.exe 1508 msedge.exe 1644 identity_helper.exe 1644 identity_helper.exe 2916 msedge.exe 2916 msedge.exe 756 msedge.exe 756 msedge.exe 756 msedge.exe 756 msedge.exe 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe 1964 DC7.tmp 1964 DC7.tmp 1964 DC7.tmp 1964 DC7.tmp 1964 DC7.tmp 1964 DC7.tmp 1964 DC7.tmp -
Suspicious behavior: LoadsDriver 6 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 656 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1996 CryptoWall.exe 3640 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid Process 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2864 wmplayer.exe Token: SeCreatePagefilePrivilege 2864 wmplayer.exe Token: SeShutdownPrivilege 1560 unregmp2.exe Token: SeCreatePagefilePrivilege 1560 unregmp2.exe Token: 33 772 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 772 AUDIODG.EXE Token: SeShutdownPrivilege 2864 wmplayer.exe Token: SeCreatePagefilePrivilege 2864 wmplayer.exe Token: SeShutdownPrivilege 2864 wmplayer.exe Token: SeCreatePagefilePrivilege 2864 wmplayer.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe Token: SeShutdownPrivilege 4960 chrome.exe Token: SeCreatePagefilePrivilege 4960 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2864 wmplayer.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe -
Suspicious use of SendNotifyMessage 48 IoCs
pid Process 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 4960 chrome.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe 1508 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2864 wrote to memory of 1408 2864 wmplayer.exe 84 PID 2864 wrote to memory of 1408 2864 wmplayer.exe 84 PID 2864 wrote to memory of 1408 2864 wmplayer.exe 84 PID 1408 wrote to memory of 1560 1408 unregmp2.exe 86 PID 1408 wrote to memory of 1560 1408 unregmp2.exe 86 PID 4960 wrote to memory of 440 4960 chrome.exe 104 PID 4960 wrote to memory of 440 4960 chrome.exe 104 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3272 4960 chrome.exe 105 PID 4960 wrote to memory of 3144 4960 chrome.exe 106 PID 4960 wrote to memory of 3144 4960 chrome.exe 106 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107 PID 4960 wrote to memory of 1644 4960 chrome.exe 107
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\drum kit_sound.wav"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:1276
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x4781⤵
- Suspicious use of AdjustPrivilegeToken
PID:772
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff979fcc40,0x7fff979fcc4c,0x7fff979fcc582⤵PID:440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:3272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:32⤵PID:3144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:82⤵PID:1644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:2912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:12⤵PID:1176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4640,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:12⤵PID:3392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4440,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:82⤵PID:4464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:82⤵PID:3828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:82⤵PID:1460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:82⤵PID:1404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:82⤵PID:4744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:82⤵PID:3372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5492,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:22⤵PID:4600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5156,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:12⤵PID:5000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=240,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:2572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4616,i,8789263172755399852,625518818763662798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:812
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:1016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff978b46f8,0x7fff978b4708,0x7fff978b47182⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵PID:4312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵PID:3196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵PID:1504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:12⤵PID:4284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵PID:1452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:82⤵PID:2212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵PID:3872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵PID:4056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵PID:3264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3284 /prefetch:82⤵PID:3448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4155079144265218381,13147776673482765605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5352 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:756
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2036
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4116
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RemoveUnprotect.ps1xml1⤵
- Opens file in notepad (likely ransom note)
PID:716
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c.zip\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\CryptoWall.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c.zip\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\CryptoWall.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:1996 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:3640 -
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Fantom.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Fantom.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2256
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\InfinityCrypt.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\InfinityCrypt.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2500
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2032 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3923073449 && exit"3⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3923073449 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1444
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:37:003⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:37:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4152
-
-
-
C:\Windows\DC7.tmp"C:\Windows\DC7.tmp" \\.\pipe\{E63A0C37-E6E5-495F-8EF3-438BB55D3F54}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1964
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Birele.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\The-MALWARE-Repo-a055d1fb4b8d9dd3cb1eed41504eb2694066f80c\Ransomware\Birele.exe"1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1624
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize16B
MD54a447d612c57add837eb9d0a176144e1
SHA187712bc75896bdad07bbfb6a73d301f4e1744465
SHA25628dd6bb981be66012eb41516183f71ab883651ca13ff333df58ee2b090827008
SHA512404a57e4418ca9412af52a1bda52f40477feab7af5b75ca8ee02085f2e6a4928289724c9ddfb09e92b23bea8f7b488be9b4b15f20bd472ec6ac578ba4e790c9b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize720B
MD51c5c704dc95138b576e0590e7fa35309
SHA16e941d9b92719e5d8416b5421b8a7e04645f4720
SHA256c4cc5e565e6e72dcc9887c949a5867ae3d9f067200cf1920efc2f0fc29598ce0
SHA5125b337df15b21412dd1547ee28bdc9868d96fbc9fb5a46c69b308053b674d329e83eebf10dd7a881291f224b238e344c56dfae53355442e7f805e3a41672573dd
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize688B
MD5866c6ff9f185f176d75dbc6a034b7a7a
SHA1ffa5c2f64df15fcfd80d232e982bb489d7270ba8
SHA25669c81394838c650d4f937a66ca707c56ffa7d010543b5b3f75b57b61bb40b8c0
SHA51229330c15f75af79bd859024bad362c61e1ef19b9a546f06d0784e2594b3e025ad945317299ea408f5d91c5d6a1aed2539384dbb48f5884b2ccab5c4e07e39ec0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize1KB
MD52c54e11e85a42b5a14db08f6d49e43b7
SHA1694e30cdedc4f2b776c160362c069bad9d9c30fc
SHA256088f47b2ae3d4573e562e5a6cde86c64162312ff2e093f2ab56575c239539bd9
SHA512fea4ba2b9d96a44736aa733540e871bfea1854711fe2b2a36be73641c6cefbf25d95667f411c4d6146522b952f90fe645a7029a5a52dfac37fe94f2a53fec83f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize448B
MD511da6ebfbd45032a4b064160063a721e
SHA159a3c78d96e93adb48ba44ea4ec37ae128a7c920
SHA2569a8bcba1d7fa71f3d8b0cb14e6daa9e86cc583140c538567ca5187e5c8cc8dc2
SHA51215b09b72fe2daa6cabfaec4b12b0ce7b799b3aa16a62b9b6e878a0e8be064bffc4f86475255a52dcaa8d8da6c0718c39e64513207fd36aa595afbc50a8981420
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize624B
MD54fda58186c5a6e97c8f421c8c2304573
SHA14a0f0d6c2c6280e257e865b917787e350289621e
SHA256dee284aa2091722431851b566657e941a8ab238a04fc29cbc5ddf4571acb0037
SHA512491447ab2232e3a516c6f381a768beee961dba188d752f58b2b4269338a28a3353946fbfde198d9f23666cbcfcc45f41c555b9ea867b0d3cd24c44399d84ae38
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize400B
MD5bb200af0356b447598bcc1bddcd7d2c1
SHA1fe890b5879d077649028a2f2c10b3093aec54a8f
SHA25635c475a7bc378282029b0d4065dc79b029dca64cfe825ea8073b8408620cf24f
SHA51208d9ea848dee2d6f06539cae3ac2809cf0851028a5da7ff2ad9243fbfc212deada05308341b2d94cbfd77a076d768da49b5d1ac444587f7475b022ae8eed7ea4
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize560B
MD5f47af283810a20aecd74c6be23d06452
SHA12019aa9d63af943ccf780ce75490bc159098acd4
SHA256fbfa12bf2ba4fd80431aaf149d42956c3eaa4a9b2dad270733f1a04e8c895b47
SHA512c89bd066073c56319349c8fc68b288d58f056d213e0be34d397f11e8c9a0495dd5271e0b1ea2fd6033dce75f2c90bf297beff08e0508afdcf030e665ce006083
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize400B
MD54c28f54f2e41ece2f74667fe41b70559
SHA1a4f1ceb38d2c0db692833fbdc50982e5bceb218e
SHA256c25e207d1e68a71056e7d1b30c82a9a5a88fcd5e4bd6e30a9394ca59955853ad
SHA512a86304801200bbc797fd26eed5fa098157a495c934e2387381fd8584a1eeb2d44af4eeecd46831c5c01a3416235dd90be4ef97c06e557913462f4c3523da87c7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize560B
MD5446d08dfabf488b6ab62514f0041953c
SHA1d3c559eb8463541cf1a9b134bc268459baa16c72
SHA25688a13c486c04cf46daf5f687d374027d695f50239f01a9e9bad909f7ee24df5d
SHA5126df92c88a92a8e42b9d662ee92ef1def3d180e959337ff7e6cd5ef096d6591ab1d1783b4f5bc859f3473786b61798d015349d33febc4dd10d12c103351a67228
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize400B
MD58d15e6f965c3f6b8f024625c97fa85a2
SHA1c57d18de8156b895ade1cb603199375ef5845975
SHA256a3f45d5589165ed034001a06a99da7bf83196dc314df040f3b34898bd89896e9
SHA51221441835a1b0df51e78271bffb1ca6cfdee9bd47dc4d6cfe4446add3a8305ff0857a7f967eaea085ebce49d9ed426d6ec020035ff5f2e998214247598428dccb
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize560B
MD5b7657401c489a2f8d7a9417565b9cfb8
SHA1c167feb86569cfbc4006db87a2718cf9870becb7
SHA256c5198305b06397e382f9cc1607736f0d879449c0c468d80a3a6fde0a701bca64
SHA5129eea90c9c26bd36cf451a16ea141d6ad780cd3766d259eff4e7c4e7fd341e4b9f2af8abe708c3c64f25c8faabf20682753748d83863dfca0abc48067f4459a09
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize7KB
MD55fca2e3d6edbaaf45936f1502a517a94
SHA1681aed8a526e04e91a07caa161a38a97f7ae8c67
SHA256bcc9190c55f8bb9507d6fb8982d19f815dc418cebb1dda5f8ceb04dd54c665ca
SHA512449cee167f1b474965a2dfeedaf404aedaea05c36596791764582f6cc8d080be198e466c1bb643dd3b2cf6582f61f1a9aa1b7aa484a1f1945056419f3377ca39
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize7KB
MD5ec871a5b587169e619aa5eca692b0c0a
SHA1e7035dfdf16769815f11010ca135763c94435b1b
SHA256f1eddac6008db1b739a413b46cda7a105a2358d726ff8e5508fd33d1d953d873
SHA51262f31f0cba9d088cc958f646268fad935c6da8df43f4dacf8283f251bd4093e4652ca2f585e43f81d059f1bba29b9ce813e78a9a75e7e3bf8fa96fa9e55161a3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize15KB
MD5792a23d23609b0ab6dfad65f6ba62642
SHA111ee54113cc42c68b8bd1a2c3c4e863854a1d2d3
SHA25641f7ca17ac0520314325c1a674e788c848180ccee76b06fa795bae83bae20169
SHA51294f42a1ad6adb05adb1171f35f473fed3bd103b22f1f2ef1449412fe9b4f26890b59460baf5e65f3b6a772096ca83ebe8e58fcce08a331d6505b89008eb37c98
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize8KB
MD5843ed3dfa925462c5aa2e8f6b5051de2
SHA1aaf20bebbb7f9794dbcd9230d0d28a56d76a9c60
SHA256aff45e4bfa756b03e014e4ce13037db2ff295f6c7e78be7fe2ddd7ed8f369ad1
SHA512b507828348f3d88b40912bc1ace677757c459293f05569d1d093f0101abe369e7586e3aade99c46d540d62758145ab8b458976ccae8ffcf75c55a0a7b3e4f30e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize17KB
MD5fb3cdea43b011b8a10bb594abb401253
SHA1b10a9d08a326fbafe0d7776e0f9f1c6619e2485e
SHA2567d45ea2b675f6c557017410b70cf85619eb93d4a0d43e8c42a1125c2e9e17696
SHA5123763dba08cee8b6e8cceae73456cb3ea4cd4081025040ce1c681da2a25cccbaf69d1193ace0c8876af9e33187751c0a25dc6648b54150dd76e5f307352e89371
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize192B
MD56d0e00eaf6a83815da11626decc60692
SHA1c6547f36f1454a719d30c9791154010c57365d4d
SHA25657253ddaaadac3dd1b9d027eadd6e0e5eddb0b63c0abb9b0b93d1bb4c982c930
SHA5123ed01f6452f8d7627730daa9a6e047955fb2228f0b2549e17f9cba19263a4f8d9c2bf20fbd2849e622bf99b29888a7763e72e5ab4d5b73f872d7912d20e30788
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize704B
MD545130d7095d2de3b8a81994fd836ef70
SHA115ccc60ba4152d56c435d798f84271bcda9f8efe
SHA2565f432edc3db04a1d1000d70a98561bbf0c6ccc46beb2f0eb148254494cf6423a
SHA5120af60c8fa75c32185fd91a18b9ec5fbc8225571b08425af32582d42d3357abe1beb99905c09cbfd0e8301789104d439b3dd29650ba0599a4160a42472bfd55ec
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize8KB
MD511188819a371d3b4d8ac03b760fc038d
SHA1dc2955f7f498eb803a2db9a2e1b137dd680b10c4
SHA256341f6f4a08db39539e750e217624b32d8541f6392813330a0281465c91447b42
SHA51218c37b50701dde1fc03536f760976398cbed4a3bd6777984e4f00f741c74a72163f3fe0c43caf09ba7941f622a3897eae517b09472ae564a090525e357ecb03c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize19KB
MD5b7936c0fe462dd4a97773930178d4954
SHA1f5dfb2c24f71638b4cc615b8d4019ad8e67b31b2
SHA256078d79425057a1f81b28fb6b42f20ceb4d0d4095827ce32420beed18b7018e3c
SHA512870261d85e8492bf5ada70ac63220772d27d095f6d51e5644690df054287f537eb2ad5dd0f56b3c60a5691fdc1707a0d2166179f3d8415a01138938c767e38dd
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize832B
MD59e2d312db9bece3a2471dbb4baf1adcd
SHA1b610ee4c34b6ef47998c3f3b160e4fb7352e3624
SHA2560c9d9cd90ac364a6dbb5761746b78c3ebeb5399fd2f7b3caefd3a1e3c90d96ab
SHA5121fa0d4e15a05edd525263262824a096e6e6fbcf78142ab6361311e4c7c584dbe49d6a835ef76e1424441b1e8a00e82bb33b3a6bc23ee308b6d7ff88158f492c6
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize1KB
MD5d8f09dc8de8ef1dd61950ac9aa0adbe6
SHA1a6eff82cc114e85009462a7142a3e918863453fd
SHA256611e3ff069aac374030a3cfc3f07ef68c3c7713d37b65c0742b2a04806823f30
SHA512ee7b30d7cfa573a91b269616ce01cfdfe09cefc3397e082a39d557b14ef9883836e9e0476b9b12b89c08272f56102b2994099b9b6f2b52373a37cbcf88e97836
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize1KB
MD51b16a036b9f0c8e6ca9f2048356152eb
SHA1289646d90df6ae36ffdb132c714540742ab341be
SHA256714aced718bff414767b5ae5773d23ca55add054b3e5f611470570f0d9f11c30
SHA512445074f798818102095a99a7a6e7aef9e300466d5ce864d5a4e15ce6a4b0871bf0d5e03d4a0739cd2bc7cc4ac1d30051814a2084aa1a98f51dd099a3b618b4dc
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize816B
MD5fe60571b6c5e29de9705b9fac8f57466
SHA149735e24376b9f7643c3449c84d7be297536200c
SHA25670ca2c5c7f149068c6f5c7de35846180a4a196de63f896905b12a1be1e30bff1
SHA512932233e39226b4f475e18e9c74d6d849566be832d9efaca2dc1a8cae691c4b8f35b09237f7654f69714a13d6d779546546b71ec256064e52e80f97c9d2791a65
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize2KB
MD5d1f14af43724965f4df6fe7b30f14754
SHA19467ea23855c70612bcf5f1ca9a6b36b2b091e78
SHA256b1819219ced6b11981ca8a693f28a159df1e8f6f39c8ed41eb4896578977ee8a
SHA512b82d58ac87c68b9520d0e3c1bfd1e485a9c61f89c5cb48dec3c314ec5bea415ed2732e4af27a7686b3878878c3dd0228c75f91df7f6f0263ee42cc07b264ca41
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize2KB
MD5c4e7586992fe1a3ae6714bca84b10044
SHA105027b265bd8542be52df5671babde3b075c89ad
SHA25680999cc35e7cdac74dadd4175297a0660c0313a3777ce97b547f12baccdf57cd
SHA5125272fdf3ce9151da2b7114e4483c09cde00c91adc0723ffce223deca018a8dea6a35e3a03d9b81ef208e997c005009a01bf226fc6d522fccc8188c5c66351809
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize4KB
MD52e1fe5b466f5c69174acdc801f29a390
SHA14bab10847e52bf58d934d0732066a50eb1ec401b
SHA256e5ed3600ff773fa5d4ae24da03f5cf1503210096083766efacba9fb73aa349f0
SHA51283716f5004bec96e3d8bb7b6ce1dbdab67edd760150a7706475d67726497e885d7cfee8b482f02ee1ddd8a37c277bc6db4bb4acedb1e80e91495802a509831f1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize304B
MD54999ae65344295419db7889a338ebb98
SHA17037ef696e9bcf1177bd542f9404a2736299e3f5
SHA256dc881addb9e3b2f31c0d68e6d680c6d59511747f08d3608274e232cb928232ca
SHA51273ca549229ccc311e4fa30d34a7cb977c270524ebc984808b279873f8546f343efb17b61d50f89ad86149186e7dd2961f4fd450fa9168bd1de28d9090d0dec5c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize400B
MD558a0a0477d96bbf98abd15075d9dfca1
SHA1ff3985d13b319b814e3c3fabbba03e8856847bdf
SHA256e0edbe04dc6f5387ca64dd042b576aa4d8db05866a66d8a9fbd4b251a40040b2
SHA5121e2458f485b9632a7830b974f17887448fa599e6da35aea0796d42a60c5ca6ec0346aa05811a072b4c296cc2d04e26b8f71d862af7750354a289a515790ffa36
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize1008B
MD50dfcf77043fac8f778b0fd8c3a69d295
SHA18f73c2dd59bc1ca7ea0d8c4ac6a2f9a3a7c335d1
SHA256739276314821b900cdc22302912b89ba43cedbf3e672e3b13d893c3bb7ad31e4
SHA512ca66b4f3f2cc1ff783572285ff30446ba9c9dc6c9cd72e90ad088795bbb8cdbd650659cae7e3abf460490a8f199048bc1f31c13228e00b6d126d9f5092632dd4
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize1KB
MD580f4c46cb9a594925e75d8ab276b981b
SHA1d6ee809f9e2ca3b0350ab6c320f5b5c500b397fd
SHA256641f940f040b95ed122b11ac343cc43078119e3a0f6c03985babdfd4d1c44c6e
SHA51269bf8d317451b04d346016a5c9be8fbd492952491921336ad7f63ce1fe6791a8ec251761d265de892a8b2929bab212baa5651b5f22f13e1622d8d76f9a675f28
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize2KB
MD56724528690d9a3a3d4b01cfada2c1ac9
SHA1a3a8e51e36121f98a9122e69beabf95a3a68ddde
SHA2561e4f12aa5dd1f21231f3dfe42f9f89c1558adc5a7a0c61c892b59a74ff8fd3ac
SHA512021177f5fc180b1b850c2ed6945a4bc249768a9b75bb327a483a53fe84f26da51a9b31453efb0e6ffafff1dc0890b9c610658e3f73d0273ed33eabb79aed43b1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize848B
MD57e36b88992c4dfe75edf8fe55889230f
SHA1321623fc8cb3c542d2a024a6a76e076adb997f65
SHA2560e1b4d6b75b471796ca0065121e5b6db2e124b7448ccd476eba20e47dd7b0bb4
SHA5120e32ce77e46df7cac2358e050d1711be6559c9971e933b87a143a9255319f589d7c3baa9ff4a03706b0a79cfc137d03b85f3184bbf41e1f507aea73cd2210702
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.586C4ECDB38D5215D38606CA2E0EF1356F196B61B940806B9DC5EA26A9B978E7
Filesize32KB
MD51092ad178f74ca1871e4ade5e8117b5e
SHA12c3f944e8bd11ebf82db27bab05032d5367d7352
SHA2561e829a8c1ef181930bd3eb9d1815f5c7246b2fc752aaa1932fab7ee2a1e3da85
SHA51214cad059f4819069147282eae41d47bb68412c13e3acd4d004b7ceb7ef7bfc1ef369b7b30de7c5034349c23ba32ead06b026eacded2bf3493a2e4fcd3ca4c7b1
-
Filesize
649B
MD59dad7cf6a73cd5fff128d815c275ac78
SHA18be6bc8b602ab222184a0f53fb14802752d69dc6
SHA2562c3c33293f8855fad273b3a078c38d000dfb088d473799e3bfe50f2e44708f28
SHA5123000bd429f0645f7cbecfe0e9636bc6cbef3f1a5d3d900a81663dcd6aa65ed252d472a69320f0fa5176d2c9e06e7232039dd3e8eaf961061f590c5dc0ee38517
-
Filesize
215KB
MD5e579aca9a74ae76669750d8879e16bf3
SHA10b8f462b46ec2b2dbaa728bea79d611411bae752
SHA2566e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640
-
Filesize
216B
MD50b882e6db38f22ddde91fef84c027410
SHA1085167afd8ba76e00f6a9deb47709ef5172c5ef5
SHA2565516d409871684c36ae93a7dffbcf9bc0c63042986074e351e697158db644f40
SHA512f5c0ab5903557ed6a983d65cd714264c2afbcfae3166251c0b72f45b2e3813359779a9ad2e90de8d7fdf9d588c0e6ab45507d1380a3cb60a0954d52921f1535f
-
Filesize
264KB
MD5092ade4f4155fecddada77a691b372a8
SHA158a76343f64f701445e7ad6a1ab13f63a8bdb450
SHA256bda122ba9299d345e2cd035ec584f9126255a86661e31c6bde4da7b2e3def70c
SHA5128dac0631a6dab2bc141bc9560095d77c36a9c57cd655dc1a0c46ad487c097207e47bae4664aaa884299f742816cad1d4a3bb6781b47cd7410c07ae7a9bd3ece5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2KB
MD558a1c80350ed0ad9f2218e00146a5ce4
SHA14f412e1d20939ef4167bf3487adf28b459d947c4
SHA256f78f4507884698c43199b81b5372aec16a736efff01c6412c2e1cffcfb124eff
SHA512886877a7e9d8134d8ead62190f00e3c841c5bb6511a91c85e390aff05895eab39e5fdc38ef6fdbba7902e7b87b5e53057d2e91ff9bf3d9db2d87e261f7c2cc75
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD590105ce30f0f6f47537592a8148df6da
SHA1c010feeaa7bc8ae9a5abf0e0e0af2f6a921e98cc
SHA2569b842e3ab15aefe686ed33c2a222ea9ae3a4d7b608731b8bc60a4a6258d35e16
SHA5124b9f1f1289330b79a6143684eb849a1abc3cea2baa4dd2593654ac9d9f6e928039b9d8d0486a93e17097b4518d6d2c7a726b829527d5bba4a1f6849c07b3239e
-
Filesize
356B
MD5498741f555aca7832f63f9e91dcdab51
SHA12b01c77ed333882c23958ee5bee160863e8433f4
SHA25671c5198993cabefe30156da762b2bf0165f0944036e3a0ffd76a3b2a59d21402
SHA512337b1a1cff34dc7000ad2425b9b19a7b0a00a04ea57082402666f88b69e1783728d8654ced261b03fdd73a212883cbab244d21acb5419dd3a4d861b8729d1ae8
-
Filesize
356B
MD56b9c1c2df66fb2062e96d094be3a482f
SHA1f590eeac8a3232392ebf9b964f1cac169d24c452
SHA2563d3add8f2674ac41cff36abb87d4f6b1dad7138fb76c0de0f47d0fb53bb03f31
SHA5122a6c0fd23adc8d026cba19244fb8c8fdbb9d032d9c651ae76d3049e221a2a8663c018b29cdfe72db413e67442044091d4be82a82f45706cdf771c1f91a834d3d
-
Filesize
9KB
MD5511e23f11d68a7a8e5dc8e7525d391af
SHA1c566a411b23970d3549c1bacf833b6a28e48dba9
SHA256c62154c497a83a60f9d554b02fffa019fa2b5db78c1424c531d0035d302c43e7
SHA5123a8ced3006d84304535d394f4270d284da1a36e998e8e450290756ce7d3119329907a8a44120ba595b4dd9d7320ac2fcdf720e2697251b43b84e318dec9e9f5d
-
Filesize
9KB
MD5783a1d3eba0306865656dbdaf50bf876
SHA199db7026414bd426a048aafafbb43884d920abd0
SHA256b3b27261c5c3b0ad7ea54c5c621908780e278b56c152478ab95e73a972df565d
SHA512685f6bfac49be6669f29516a0b63c88cf59dc8e28314ddbeccf3f0a2134164ec86192d44176aa1bb758ebc306eff5d29326d69eea3285b3f28e52b84d50253bd
-
Filesize
9KB
MD552e289b3f8f33b3ad246c39b0697658d
SHA138117c13afd54e4b0e6730d39d2ae6118006cdd6
SHA2561b04bd423e961d1f1002facebfa85f2d7c10cd571ca3a0fefb675b0e9c48640f
SHA512b88fddee1e313d0ea4d01e356221d1c82949dc41fdfc1359c0a1402a10b0036ea11d8c58136f8565f6463bf8c083a4bfd714214aae00f638c4edf87433aa9f46
-
Filesize
15KB
MD5a3ccebfe3354e2275a8afc94f630282f
SHA166fe4d9cced00ef329f992bdd3ea47d5c05fb85e
SHA256eab32445b5b01e1b0218f1df192d2017b5c6b7d548ed5e3957456c49a9d1a557
SHA51240a0e7996c294975e8532ee303dbca0fee3de58b42183efd9580df80ecaf23bec71502980c7926a9071d46f8b32a509f9e229425fdd9fe04c1d9ef6703211daf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD52fafd25a080fd0cf832d5f04dae4524f
SHA16e2cdb26ed0471c51a2aa7d975a352b1ed0ea3f3
SHA256538742737473b76f1385f55ebd6dd659ef6fe8126a250bf3a06745509e78a9ff
SHA5128a6e42bb5a5a634e35fd76100f8be2288164f9a5cffc39eeddc437e6437537564d64c3a51f358369b13bd579d85e3bc94a82e6c84891c38562c46235e8efb03f
-
Filesize
232KB
MD54ddc8cd03267bf3e33c53d5e2ee2b62e
SHA1f93d31b36acf87e73eed7e295bf227b2506ecabc
SHA2563de0aa0f09ad1a9eb26bdf4df0b186608110300498887e04cbba6006fa117502
SHA512c64bc597411ddbb163e2181ca34698a1e2bdb5db8c6c981238be982cb29228de85612261c5ad38930e7a245339b02a8d32747147a295707b3fa838afb17284ba
-
Filesize
232KB
MD5379e53f90ef5706f970d9bc05dd2650c
SHA1f52f22ac9a5e9d40a8dcb63be496374ae570fbba
SHA256bf530be9979422954410ac78d0230e5abcdc91f1c57a213f8082cd458eb4c5a6
SHA512c6936f3b2b30ae9b33d9312405b4ca82879b725cc567182ff1c5ce19ee19d88738d38688daf55046a8a3408df1ed344d84d8b76162efca1431bf797093016751
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\71eb84ff-8d42-419c-9603-5e6cd22987cc.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD55e95d9442f93900026ae26cb30da1e16
SHA1d5286a253fab713471efd6437cf472f48ddd898f
SHA256a69efdae13df1f6cfef781869713596a94e2ddd20118686725eb52d6dc22c467
SHA5127aca8b91556466ba9e8e48fdd3468a17b5681a482bb8668e88e95161a89a075c0b6e9c3eb01c52c76f128b1390ed515446c380b7f33c2c66a9783acad084b9bb
-
Filesize
934B
MD592a22324c6bb6c3e6c7681ea47f50843
SHA1014d6cc53605b5cc38544f899f2b9414e5581d75
SHA2562f27ba6923263a784680829cd74215be3b295428999af5e13c7bc2143805cec3
SHA512a327de3407f167e685b119e4357f650dfe13572b021526d312ac9ffabacda3747709a79c3987f250335d6a8fd61e91b7f3217bc7aef01057012cecd96a3b2b9c
-
Filesize
5KB
MD5205736b29a243c826c5ceaedaebae640
SHA1bfefc3e5e7a44f3bed43ffc7b18949252f77bc15
SHA256e46d91e80f53209e4b135aed09807cd55aed5844bfd8589e99581f6d6b7bf4f5
SHA512ad2e81dcb479dac55d1cc00d0b9f23202545797fb565e606fd772cc0fc0a4a3ecebc327e017104ef7c7f5837299446ed1b24c1f1a2e5f7d8474c5192829195ac
-
Filesize
6KB
MD5f8fe52672c5a0e7a63883a3e1c496255
SHA1edb0c1a18b8144a81834332f386e6fb1530e11e6
SHA25667585e475957a151678761b90ba103b0254a8a758a67a4358b53099963819409
SHA512a92e3c8a54c6ea88a7abf6291660e55e927caa1b4600262f65e329b25ee68a0755c13632047de58d2caba9403a3f5a968a58c47a28e535c08e454e654a0946b0
-
Filesize
6KB
MD5f3588fa3f267a73c283cc64c485d2d59
SHA1cf2678a3953946b3502e06c1c7ac5fc02375edda
SHA256310b21358fd01b2e60ffd1d834a9b483ae3a7b7138db98358981a1ef47306cd0
SHA5122a6e937494f3e1af8479d4e3cdc21839dfab7983cf8db3bc67b5d1fd114a94e1eb9f7ccfc9b111b5223f0f2a0144823af97f933307e54cc53a03e7b52e3b8095
-
Filesize
6KB
MD592daf17859735767bdb0732c05347311
SHA1c0113b99107c6af046dc238c12055db612401ceb
SHA256281bbd780a6a233b134ffb6e926a6e69102ae5d6ef2fb75e114de09eee82ea61
SHA512b4460f6a72e9e7a10a7358dfe952a0c00d07693eeb630e1d7483ab66debd6f1b198e6b814bd8862b3cfb6c10d0ba9e1555b684f04983589fca4f109101f4a799
-
Filesize
6KB
MD5f49fcdadc998e9dcc7c032818fcdbd14
SHA1ea4e59675363bff193b1bb4423801e6a0f4c138a
SHA256e4d951f3318333d3ee52a2c2a85a51c532206c73ba5950bf4f8ded0c5cea8a71
SHA512a2bcc99d413c1ae9b71eb9587231f2b85d1dc755f042c843884dc0a456d341ef7b2d8dc7ec708d6dd5ec28f0e05524c6ae609e858810de5ddb1e19d313a7ebf0
-
Filesize
1KB
MD5da2cbfefb2da22f078f85c9b12aa6eee
SHA1344b86ef555ee2738dfba2f69cbfb8a0ae449edd
SHA256ac8aa9c3352559cdc299434e72ad2817ceaca295be6bf7c4c6b44e5a17ada630
SHA512334e73016a972929f36c598b555a834f770ff288eb19ae8cb4df40ed28a21f55739e66ce29090891da23c18c12d964fe17c0369a06f954958a688fc775d8fb17
-
Filesize
1KB
MD501af9c45a93ad02d183abd27e3927b9d
SHA19b621cf8da340a440b9c1dff013a1ddf397d3bb9
SHA256e6125b3255d7c924b8d76086610ca0c69866d4547bcc615fbacd0768e506d087
SHA5120dba14a518ddff78ccd44ef83d638b0cec4760d4a583fd41e34576f5cf97d9d2a2e18b65d2ac05e7e4e7628de8dd10135c996b7c66bee902b3ab092be1acc46f
-
Filesize
1KB
MD5318eca88ac5bcfe23606004af57ed90f
SHA1ae49eeaabafb2ac10c84dbaea932de5daaf0d287
SHA256153a52836d021ccbeb9cea07bd8db3833631b83873c4668c2c6e4c98ad45f21f
SHA51231301860c9cab3e24f0660ad99776c687d1336a89161f4c8a5400468e60582906de8bc976b3bc5533a15a1dbb001675db81cf3d21f82b031661edbb7f1d937ea
-
Filesize
1KB
MD5f5c3a7cde20d3d17a4a7bac9f95bc77a
SHA114f9ed2cc679aa50f57889cf0d96678ad42d8858
SHA256243d7e21cef0e1efe459912fdd06b97ebd232e4e8d52c1d00a298a601cb1f148
SHA512492e7c4bc245c623a6c110b3055c8e852c96bb2a03af3ad15cf76a8776174022666255337de6bc4cbb4ce613f23813ad21da5395bc3f81113fd89afeb421b140
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5cfe98c4d8f433e1cafb5e10e52fbde9e
SHA1377936e1994854ab023c24b381c63c34b115fa20
SHA2564c8b169a822bc43381c68bd5c077152fe2d6070952ef018f27e19d05769da039
SHA5126a3fb99e231aaafc428e5733b2cde182c6b0a9ac658d306f34819275355870e32d3deb7c333646e775c96e7066303a015ab2086a0953e72f07b91aa902dd270f
-
Filesize
11KB
MD5103a415dae5ec7df35881e2c5ef5fe1c
SHA1f712eb8028e6ad17f932262c2b9bc1f7e17ff79c
SHA256b944f42334dd8f7340a5d851a33ffa76733e3c6ae135004bb0efd9e5f7be3f1c
SHA5121032d73283070283f367ba3dc5eed8315372a9726891521dd92f061aa5412c7c7180ab6dabaf8a64bf853b67e8410b9871384f70c1dfb358896d10881f70c464
-
Filesize
256KB
MD5adbd8353954edbe5e0620c5bdcad4363
SHA1aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
SHA25664eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
SHA51287bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2
-
Filesize
1024KB
MD586415dbd028e71b44f58b671a5b3d152
SHA1d025a578f168614ee46c6644ae025b28d3161932
SHA25618a0b3db1f04c10bb3f2a799dd7b06c47a606638ba77149800b22aadf6c5cdc2
SHA51241bece79715bdc68aeecec2d64f7d223d6292afb00d5e53b607ba4cad3645b818f1bf6893a3b1e9332224e016445436e7922a8c0feb1a87abcf2bc57f3633268
-
Filesize
68KB
MD5bcf98164b9ea607ecf0f3fd6ee4bae2c
SHA198df8d04b473c745a2529b036155bbb38c1b748e
SHA256c6dfe1fc80d55ae2a3e9ecd3d5f0ee30edc9ab17126de4fc8deb7665917b1163
SHA512c66a56ab365ec0ef408351aa15d2acce9918a535825b63bdef0bcc00c5213e7e6ddf1913075e0f026c0c0489e92a5a6b6fe32b04801eb3c8b9039ec7f2f89b8f
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4960_1781071359\CRX_INSTALL\_locales\en_CA\messages.json
Filesize711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4960_1781071359\b65e67b9-343f-4b2e-bba8-66f080043ed0.tmp
Filesize132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
1KB
MD59743a3a585131c917e7ae2c7c8cbdd7f
SHA1690185548a75cb1d11ef8454efef4568e91a45ef
SHA25623d7aa50ba05b31bc4dffa0f5b83812c69a8be07987890f6d051a27afea02b8a
SHA512265a815e6225eb09d60a6865b7a95c53c3ec5b6db46de1385e380eb46f5317d9426efb2131feaee81c38d71d6b4c0a9a1a17b140c09a78c6f8609d8122a6e084
-
Filesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113