hxxps://drive[.]google[.]com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05

Analysis

max time kernel
457s
max time network
462s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	BitberryFileOpener.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
5564	BitberryFileOpenerSetup.exe
5088	BitberryFileOpenerSetup.tmp
3256	vc_redist.x86.exe
5380	vc_redist.x86.exe
5704	BitberryFileOpener.exe
4588	BFOCFG.exe
4856	BitberryFileOpener.exe
404	winrar-x64-710b1.exe
4988	winrar-x64-710b1.exe

Loads dropped DLL 24 IoCs

pid	Process
5380	vc_redist.x86.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe
4856	BitberryFileOpener.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
8	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\BFOShellExt64.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\libav\avformat-60.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\libav\avfilter-9.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_jpeg-turbo_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_xps_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-D4VML.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\BFOCFG.exe	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_pango_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_pes_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-RH6V9.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-5BKPH.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-H195C.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_exr_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_cals_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_miff_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-V85BK.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-NCG9U.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-JB802.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\libav\avutil-58.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_json_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_mat_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_ps2_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-AE6M9.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-E39GU.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-ABFOO.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\unins000.msg	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-OB33F.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\libav\swresample-4.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_libxml_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_pcl_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-QOE7L.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_ps_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_ttf_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-DJ9HL.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-FCOH0.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-GAVGL.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-41QNJ.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-VG874.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-Q8DVM.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_cairo_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_exr_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-TK3I3.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-H3AFI.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-NJLLQ.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-CMEH1.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_harfbuzz_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_psd_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_video_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-GHBVE.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-BBIM7.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_liblzma_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_jxl_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_tiff_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_dpx_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_xcf_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-0P5GT.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-4OV59.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\is-83DQA.tmp	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_freetype_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\CORE_RL_bzlib_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_pdf_.dll	BitberryFileOpenerSetup.tmp
File opened for modification	C:\Program Files (x86)\BitberryFileOpener\IM_MOD_RL_svg_.dll	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-IPRGR.tmp	BitberryFileOpenerSetup.tmp
File created	C:\Program Files (x86)\BitberryFileOpener\libav\is-B2HMF.tmp	BitberryFileOpenerSetup.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitberryFileOpener.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitberryFileOpenerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitberryFileOpenerSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFOCFG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitberryFileOpener.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.AR	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DFA	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.LYR	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.LZMA\shell\open	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.MAT\shell\open	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QCOW2C	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.XMV	BFOCFG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	BitberryFileOpener.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.EAC3\shell	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.FLC\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.GSM\ = "BitberryFileOpener.GSM"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.EXT2\shell\open	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.NTFS	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.PDFA\DefaultIcon	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.PICT	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.ZIPX\shell\open\command	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.8SVX\shell\open	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.APM\ = "BitberryFileOpener.APM"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.AR\shell\open\command	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.DSS\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.XAR\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.XIF\shell\open\command	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.BFI	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.VP7	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.VP7\ = "VP7 File"	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RGB\ = "BitberryFileOpener.RGB"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.AEA\shell\open\command	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AUD	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.CONFIG	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.G3F\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.H261\DefaultIcon\ = "C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe,0"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.RGB\shell\open	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.XCF\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CAM	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.CPK	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.DSS\DefaultIcon\ = "C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe,0"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.VC1\shell	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.ANIM\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.FLIC\shell\open\command	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.PCC\DefaultIcon\ = "C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe,0"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.FLIC\shell	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.WBMP\DefaultIcon	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.XPM\DefaultIcon\ = "C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe,0"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.CAM	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.DICOM\ = "DICOM File"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.FITS\shell\open	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.SQUASHFS\DefaultIcon	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.XWMA\shell	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.QCOW2C\shell\open	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.RPM\DefaultIcon	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.SKM\ = "BitberryFileOpener.SKM"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.PKG\DefaultIcon	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.SVGZ	BFOCFG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	BitberryFileOpener.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.AA3\shell\open\command	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MV8	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.P64\shell\open	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.CPK\shell\open\command\ = "\"C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe\" \"%1\""	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DSS	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.FAX	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.G3F\DefaultIcon	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.MAT\DefaultIcon\ = "C:\\Program Files (x86)\\BitberryFileOpener\\BITBERRYFILEOPENER.exe,0"	BFOCFG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AA\ = "BitberryFileOpener.AA"	BFOCFG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitberryFileOpener.CFG\shell\open	BFOCFG.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 984510.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 378568.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
4668	msedge.exe
4668	msedge.exe
980	identity_helper.exe
980	identity_helper.exe
2536	msedge.exe
2536	msedge.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
644	AcroRd32.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
1104	msedge.exe
1104	msedge.exe
5088	BitberryFileOpenerSetup.tmp
5088	BitberryFileOpenerSetup.tmp
2808	msedge.exe
2808	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4760	OpenWith.exe
4856	BitberryFileOpener.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 728	4668	msedge.exe	83
PID 4668 wrote to memory of 728	4668	msedge.exe	83
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 2080	4668	msedge.exe	84
PID 4668 wrote to memory of 1388	4668	msedge.exe	85
PID 4668 wrote to memory of 1388	4668	msedge.exe	85
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86
PID 4668 wrote to memory of 820	4668	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd94b946f8,0x7ffd94b94708,0x7ffd94b94718
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Users\Admin\Downloads\BitberryFileOpenerSetup.exe
  "C:\Users\Admin\Downloads\BitberryFileOpenerSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Users\Admin\AppData\Local\Temp\is-JS92D.tmp\BitberryFileOpenerSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JS92D.tmp\BitberryFileOpenerSetup.tmp" /SL5="$80116,50599746,780800,C:\Users\Admin\Downloads\BitberryFileOpenerSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\is-N7TMQ.tmp\vc_redist.x86.exe
      "C:\Users\Admin\AppData\Local\Temp\is-N7TMQ.tmp\vc_redist.x86.exe" /quiet /norestart
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\is-N7TMQ.tmp\vc_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N7TMQ.tmp\vc_redist.x86.exe" /quiet /norestart -burn.unelevated BurnPipe.{84D83E4E-34BA-4C77-86E1-2A2A81422775} {9B123F6B-79ED-4168-A9E6-35E37CB54A18} 3256
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5380
  - - C:\Program Files (x86)\BitberryFileOpener\BitberryFileOpener.exe
      "C:\Program Files (x86)\BitberryFileOpener\BitberryFileOpener.exe" -program install
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5704
    - - C:\Program Files (x86)\BitberryFileOpener\BFOCFG.exe
        
        "C:\Program Files (x86)\BitberryFileOpener\BFOCFG.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7308 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,3478137785545290892,13823718924118163187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4760
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Por medio de la presente, se notifica la apertura de un proceso judicial por injuria, en virtud del artículo 220 de la Ley colombiana. Se le solicita que se presente ante el JUZGADO 18 ADTVO DE BOGOTÁ SEDE JUDICIAL.uue"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDB0B3F8FDC54CE106D8D965E5813494 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F4FFCF13616B7F37706275B44C0098C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F4FFCF13616B7F37706275B44C0098C --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3692
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56264FF9E6E5C38AD1520C61BB84DAF0 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C2C122310EBBBAB3C4CEB66147D01B60 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D21A94F51B2705CFA8B5D0FF1A1D0F5 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6100

C:\Program Files (x86)\BitberryFileOpener\BitberryFileOpener.exe
"C:\Program Files (x86)\BitberryFileOpener\BitberryFileOpener.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4856
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1508

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ddfec705d15e44c19d6ae2b1de5241eb /t 1416 /p 404
1⤵
PID:1868

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8ad61ea6914c4162af943d56757cd98e /t 5424 /p 4988
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BitberryFileOpener\BFOCFG.exe

Filesize
3.3MB

MD5
74732079c7984e8abe38f1360008e55e

SHA1
d0855af6829469cfe043152e6b213538851caf62

SHA256
f888210cf998940d777568cf420e15d7c6d24f458294f458de9bd2de030fcc03

SHA512
fa622a74b59797817e4fd3adc2a39a1427e1e5a806dc3fdc8ba4a9c1dc89b8455e6d5bf29c3815c9187ea1d488d556313826ebf030f1cc13d61a5367147fd124

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_MagickCore_.dll

Filesize
1.7MB

MD5
caefa1f9551b65982e4a2fe527cd3cf1

SHA1
e8264d4f3a80b49fcd57d2f0de6fa6fc9f9ca75f

SHA256
7dcf3e0b18482d15badcf29f3b99122e2de4f4e4db4da1469450eacfaf18c9b5

SHA512
fa90f52174e0b97e39861fc71fb49a820b21694c9ee392ca279f63a32a75d5d4e8bd6c01af34fa640a5654b7e31c9887a8909a0febf485654964c3ed116b2b0c

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_MagickWand_.dll

Filesize
975KB

MD5
2bdedb9d046e6e585904e4cd0f707ac3

SHA1
a7b5c305d55f4fe6e01bcd0dac5d9df3cbfabe6c

SHA256
9e1c295c9bdffadf52fa95e197a9f92dd393d1a20482c7841f06d9b29dbcb70f

SHA512
1ac5dac52e6fb603d5c5eff21d4e61e5fae6939ecd66c8f33bceece604da16c7475baa2b08eac7e505291225bd6b0876f9f97110e19512b32224d1872c07acf5

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_bzlib_.dll

Filesize
73KB

MD5
33c53c9e092f97d77e1a079bb3fe75d9

SHA1
3084bb8cb665b78cef9bec876b6163f7b1a0082c

SHA256
1fe1ea8871609cd34563192caeb164a8b88fa325d3af7fcd1202680345afb662

SHA512
e319f24c770f36e6f1570da9a09a7f438da502e0f25e86982c8b21fdfe92a5ecd1fe600aab0c676091d5891040ab584eb8feef1545a00b12f8f3ad0409a7d34c

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_freetype_.dll

Filesize
543KB

MD5
b0c78354b4965fd00eb25914f2aa96b8

SHA1
9faf8f0de31ae41b630a177052284a0d45a64015

SHA256
9db0434721d1f49121a7dd716714ac34cebdb319b8330e09cb0587ea3645bb5e

SHA512
3ef498c37d297c5e3108bc61b71cf223e96f14ae397ec369ceecf0a6170827da423f207d51def422012612e6fab1ae7639ad7e64914cc781fc32bded8b1ebf02

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_fribidi_.dll

Filesize
114KB

MD5
3b9ea1dc4e62862a645cedb6b5e5c56d

SHA1
0eed4acc570a80660f1cf941cb476a465b189f0a

SHA256
2df5f7695575b065e3e10b49db9dd2cd20e5ab32062533ab55bcf2f0ae3805ed

SHA512
f3a58af522e531021092a27177973d8bdb54579366a4086fd8cc7e14c9df4a978d5a5c16c7f2e9335aee1fc61435f1c2e246692997b34f19973ec966bb8e790d

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_lcms_.dll

Filesize
287KB

MD5
83d25fe8a6678eb799595ef20f0d8eaa

SHA1
026d0dd17e2b57823f9f9552ffebdb6953353844

SHA256
aab1da1914ed4d9348b1295356e01d5b5489b41ea5542e94beae09000cb5428a

SHA512
b9161f74d6c1d4056a8b354f8242fb6d621dd9c17fd805feb615d39832e12aaeb12d221df615c9a3f73478a4dc02783a2061b4e679dca7b3684f54aeed371c56

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_libxml_.dll

Filesize
357KB

MD5
c844bbdd0e49ae52f91723f59feddc27

SHA1
d2064aeb79058fc4ed1ceb2e73b834ff925fd061

SHA256
15140b78a002bcce187748ec0883afcb121516511c1f315ada01f2d18ebab072

SHA512
56ad2e35b8d34a7fcfb6eb6736dcd71c42adcfe5886cb7c6829f70a5e73b5f6d4c99b15f0880412ee24c0440b29f2191d9290197388fa850c74a9dd4be1992c6

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_lqr_.dll

Filesize
56KB

MD5
7348a7568e75fc7b855c074cd756ab77

SHA1
655ac7d25f26e9a5ad20473fa003f85c16ecd045

SHA256
8bbeb98e07e317e3a0876486780168314ddc7eb425cc080b89b0b77abc7b4d61

SHA512
5342d91733fc959ce79576ccaad7cd1bff55b9ebb83d09c299d8910309c7a60ec83d271e49ecaaf303b1f66e70e4eacc524b865d0b57f69ef02a867ce6ab0863

Download Submit
C:\Program Files (x86)\BitberryFileOpener\CORE_RL_zlib_.dll

Filesize
80KB

MD5
e05864d06ae26f77cff0eb599ee9a0e1

SHA1
bf11ffe49d6ef8d2f66f84274c3183d6048b8b16

SHA256
0a3874e52c32f21e888101aec635d6a59f211e66533700139575faffa860de66

SHA512
65af3b3a80a874597c50e64870f807907ca37777572b9b60e590f36bd28f7704895f3959e1906cf111e730ad4688f4eae5ea04b3da03034703559d5d6d2917a5

Download Submit
C:\Program Files (x86)\BitberryFileOpener\ielib32.dll

Filesize
2.7MB

MD5
6d140ac81a3cc331c8454ea0017c9eb4

SHA1
4c11ccf2b539ae7ef9fb79cd1c1114d690b3c50f

SHA256
b2c84583fb6d47f7b72a2c849ed1d86b2217b415586ca7107665da5ccd261460

SHA512
f1b046bd26ee595bd27bdce0ea48d197313207d12d0ff0fb1876d730e02d9680899278bdb4d8019358cc88a1885c0addb5231383b224b021a0ad8a73757adc5e

Download Submit
C:\Program Files (x86)\BitberryFileOpener\iepdf32.dll

Filesize
4.1MB

MD5
8035f2f09522650492ade087187f9fd2

SHA1
229ef4ee8c926fe3ed5411905b721a3577fe6ba5

SHA256
a580fb3b535c0518bc66f4b79fcac39eb4996c4215236b901d1c765513717d85

SHA512
e0b3802755af5a12d2502ff2f12d7cc12c67fda2a5383e9581013881554713dbe73e50c36eb2ac583e5ce3b78d182d07a0ce6b6b1e58a718eaa1498335eebe94

Download Submit
C:\Program Files (x86)\BitberryFileOpener\license_imagemagick.txt

Filesize
12KB

MD5
41b4fa9af60c88e61484b02c0561181a

SHA1
1de15ef06b3465e1bb922ba9c69a2a67a0263455

SHA256
e2d364de83dd9e7c866bd99ee7dac2fe92071fb70e9b187293353fb285cf09ac

SHA512
477de77d4fbedd4b0a14d2a15cb0a8ceb8b2e0f6a7d73f8d447fb751c169cf0ae370e69592b516bfca5c4ceca8d71bdefa39e4b963a17a09abe7dc30465fff2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
85a87c94c9eb1dcd5344767c535b9d38

SHA1
2b9ee96aa96d56934711f2f17e89fc3d48efa44a

SHA256
fdf18884e5f03b4fbc48ad5383ff89eadcb474b25f68b4ca7905224c4689a73a

SHA512
7b45d2d4513a9319e878b9d19f786fd22f2dbc4f6e522214b28f65d8a2350a801ca3bcd3e6166dac47e19a345f8cdd2abc586322bc5a892bde556e4dd1247f35

Download Submit
C:\Users\Admin\AppData\Local\BitberryFileOpener\BitberryFileOpener.dat

Filesize
114B

MD5
a839077d8e48e4683feb9c283e085736

SHA1
d6d384d5c911a0d021823faa2cb4bcd8daa43cba

SHA256
7025cb9ca11ec8d2e14f281bcfcb3f9484d37485c3a63ac832848ea95fe5615a

SHA512
bb7b789ec54004d31a9de4fbcd96a49ad6f5e4196b415b47460c8959d05f7260e72c125100549cb2f382b425433e7f77b2e553c17cbb6941be742aa09f01cf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
39d7227578feef76462455bda60d8085

SHA1
5ab79f2e1f045f46ef02bbf43627f6dd6cdd2e2e

SHA256
2587871ef47ed5b8ca9c2ba1b59d9a2f8f1aa884a6bc267e80c3ceea3f819884

SHA512
7b970b64ccba90211d37fc67866da017ec8b88234ab8175f60f5cb7dbc36a2890d2c6187bb9da78c0afb40300539ba19d4f90bb022ce7edd20bc95802594fbdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4b6d1675db5fee754e51807e20e72e4c

SHA1
7534e3ef31647b2011faaa1b02f000990587d2a2

SHA256
1127e0992964fc30ec9e7ede0a92d096bd2cc64349f23df65815a7561b592174

SHA512
e163c73c8db7c1607cdec6a0405a50de24720563327bf7848ee968d47ab1e4b707f62e44aa700b8074e9c6ecc29a91afec8d5cf19e22e31c866710142ee060a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
372917d1c8a4adcf9760ec1b5bb766e7

SHA1
9b43ac9dc614365cb6c0bd68a1355294d31efe4d

SHA256
35f2da938ec0b6705f75c665273275b3cfce0f734ddd06af528adaee03a0cb57

SHA512
99595ba93c8cea7074169c122b580498884fbc78d18657bb923856402e3ba6fabbcf481f8dc1769d8fe008505b1841966f80d0f3e7421e99ec46a8ba4eb18565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ae6db5d529973f288c36135c21907abe

SHA1
d242236c82829611d093ab0ae572246dd352aa5a

SHA256
2f6beb9b220b94779d2f2f8edb73f91a35b9c88ed02c32af3632966fa6e0d2b9

SHA512
2e57ad8797d6e2a3bafa12e4bc4fec9186a81bb5baf8b74674febf550a8ee4fecef8f3cbe9f5da0f09d61a8fd6924483e6a4e703877b36e337eff089b8d93e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4af1f739939fcfa9a7e958f9a716d56b

SHA1
2539ef5cecc40831c919a99a19d01b113590a9e1

SHA256
0ce23e2e31e4e9113f26259bebb64171fdd1aa00dbeb29004ffcc8c96e24cfc9

SHA512
6635877ef375a33ec621d0d299b132a96e5464c31d72bcaab7849baf2d504e8b134299bbfec7bf3069e0c8465cbe76b8c40be6bab15d19a1b14e7008d708a397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
887f1964ffda79e5a656828a7ed9c433

SHA1
95ebebdf02f890a48b5ea57bc3a6d5cc8a0f1945

SHA256
b686c9c3702b2b916184a9053138aad06a082c215e6700fdcb28318c4ae45f4f

SHA512
5bf15ce2e76880e362d368fc3731d8fcf6a2ac1d94b1d89f2da3266ee1a78092122af149c7fb68fed080cc985f62db5165292c13d2e3924c1c6719448bd6e2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
fa9b4493fc7e4144279d7d772b0bc88e

SHA1
e455c715b76c70d4b4f4fed31ca481a1f39fbccd

SHA256
d350e4f9051b27a083c05083ed1e65e2c46b5f563e68047dd56f9def1d15fe75

SHA512
b3fefadedebda0dd9e93a8555ddb924de2e6d056992fba7e89c529af7cfa2ae5a5a3f97e2590b61be77a39ec4624435c5e1403c4a51a031dfcdfe03abe4f716e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
266798c84090d0da35c357603cc04b1e

SHA1
74a5caf63fee360807bacaaf86ce7da4efc6df43

SHA256
737b0256f377fbc7c8764a99ffa5edebc4d086cac89bdc15c64b12302e245413

SHA512
119fab2cbb22a5f0e95addd736413ac65c66cef48d972ac83282c7128883f33a5f03b0b03df04802700a7e1a3d04bf7b82ff0f512a529b4dcd5e8e48692025f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
36ea4aa75fdfe4066e7faaa7b016f108

SHA1
f350acc4933f453296fea1ed50d688d7d12e8650

SHA256
7e67de759d977665687dda1bfc398d68faccce66a320a8fc6064461081bcccec

SHA512
b2bdbf4d41f137c67cbfb355b7f3dfdf38c63e9e4a3d224c34588610bc440391eab85a1300d22e12ce1e6e980882e330745576b0d1fd6ce2a9ba60f4136e4eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31ed3d1316c1685e473600c9326f2fc0

SHA1
6db3ef6d37951b6085611dd75bb65a54dc82e8ee

SHA256
f9acc89ed4c103e52b48068fb489e86070c3fd0a5a205dc51a319fe6cdc887cd

SHA512
e082e59376c6ce314128d1feb4ad67fa00c213bb2fffff860b174506e68c068c39c71c6fab8b72877cc021c6d58132a02397ee0b048f2d70e7206af0f87e4fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45d8a5753380918191988e4770d81804

SHA1
cd0394718e60d733d91dbd91fb9d51912baf8876

SHA256
c2291ad42d9657762c0b01831a7908927652e6cbd45804f8bd1038bd2a6a98c0

SHA512
a49378c011ac74afc0e44ecc8cbded4caf6ed9a07f9ee17a05aacb074dd5fd68196a496a2cf69d71688a61f772e3932951e50d3f507a8aa5037d79669bf49ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
413e482b96fa00c24384dbc7e046f7c3

SHA1
5c9e6dbc2d89a1874b8b9578b3ac9ad7930a2f9f

SHA256
a34ea1da72d485311eeeb071c3ed6cb71007666e74ad8c15f5be80eeff2a4cdc

SHA512
6636f5d940d861abf2a9b9abcc59880b2b4f0ba33864edace8a0596b9ec597790e99c2eb9374180341d4b1c015289f827c42a33bcddf51d9aedf76808aa612c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b7270a036bcf8163db486a98dd4cdf5

SHA1
507f386aa21fc9025677f26c272c8b73bbb57173

SHA256
377860289e99322970e49b298f67f14c6e45c71a4876f8a948237e9eb27f2be0

SHA512
4716995103fd463658633cdedee59df38e86a077bee6caabe1af604af517207fe88499171273581702c59eda24a2ceb1bb7d871e9b3d81721d0a0865b30e0847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1867194446587b4c2a28f6ab368db18

SHA1
66866961c5053572e5fcdc0e2b955bc6a789411d

SHA256
ff1cc956daeb1fc5f4b691fb9304dfdd460677c4409110b807bfc62fa0235fbb

SHA512
85a00f4b4478891baa963ffb4e4a0bdf2294f44f2531debb35b6a7f027a65deb824c50bb63c1fc4f5cad789f175cdcb18afe6b2d5ab9445d6e3e2ecbd8e06270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
619efd4380ffe216faaaf149830ea7c9

SHA1
7019e89c8dde35c147f8bafcc52e2f13f22b47c8

SHA256
fa36b354e3dfa9c1821b62bbddbe4e0333bcbe6ded58052021bb3c443cd49692

SHA512
57e87493be1ce33cb3c5956d37ef3f6d5de3dc079f8ce0fe8bd5ada4de38e39c81e40aed8288d0ebafe7bf1bc652a9be9b9c00c7e74c36eb80678fcac16e3a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3a829287cb9d1ffd7f4bfc1d4eca0a18

SHA1
753bbb4bfdaa97b8cc35b66296d3cb2a5c6a198c

SHA256
266f190ee49b8826eaa73258160d0b19f2add0e84c298b2153d8d317942a02b5

SHA512
37c17aaf706db99689947c6a591a29c8c36f97813df69f4f0fc771c9aa02577b08a44526190352e6ba02f0c490aeb07382450cb1c8fc5cfc3b1b393e9f19ef05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17d569bf8fd4537a68c5ed681cad901e

SHA1
48e3b44b08525f7fb669fbdd052f61f58aae0f2e

SHA256
f78fad6783a1af5f2acb874d15052bf3046f6a9d814d86de0f47cf833727cf0b

SHA512
ece58a757a8b4438312b07fb6faae364cb904fe261249fc1118ad162c4d2ccf7b39f4f1e5e425dad2b79b942540a5d8e74e07f9502e0fa4fb15ad062210fdd68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dfb4d1eeb7fe3225ffaa6b724553dd23

SHA1
d327aba74a6f95eec8fa3025d36ecfbe2596611e

SHA256
5fdd61f7740860d19ab214e201b8645f61c788b4966d07ace07bcdf8ec90524c

SHA512
99fa8ef971614aca570729cb71a735d0ec08d357f0d3a1e85847f90f462aa5b856cb6744c5a110c0061f717b47f37e18b53dfb8332f0c8385f45ec216ad0efb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
693b3cbfdf1167e300130f142dd11fbc

SHA1
e1175129fa6d485b686b497a07d20ff5547d55c0

SHA256
e11cdef8e603caa287536e9e5e42445528c46c2771c42aead64bd5b3b53662f1

SHA512
31889dfc19a54b2e5771f1129de6e73958055f3f2ad01580a5bd284e31237eced5af899dcc855bc19254d7a83f816251e846e05739aaba797b8b5e22f22994ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cabda83f629ccb4bc3a62fca798b4fe4

SHA1
a1ae3101f422ecf863756a1c43d703f98550449e

SHA256
9608f7546ef684855d08587eba1b45c34b9176d0f8cde23bfd9761b165669590

SHA512
c3ab673e58234dcbc0cebcca4972e1b6e9c6068e99b0f046c1ab736d90196b18938f06c7b470a0b20a6aa48d659e1e7d11c45e8b5119464a459542c11d7f134e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6979f3edec71ac5af0571fc536923115

SHA1
f99135e05f10e67ece8173e87391b3395d1fba89

SHA256
242723b4af45ea8c0727978eacd079fe0cdb189cb8483d49237e322648efa2d0

SHA512
1d5e1cdea70b11b87ecbc06b8af9c5e36e38e4250c209d9bbc686677d3be8748f8c79268a91d3149d32d6f8f1978acd1babe8783c4906518c64ef9e58a4ab541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5961be.TMP

Filesize
1KB

MD5
3108fa4daa1e1180f5b15507bb2e9cb2

SHA1
f589d1378a9cf6c787959ccd74466909f664b1cf

SHA256
7cc39e27f4e4710bc54572d15d68f628264c3919cf1464ff62fa603ec08a2d1c

SHA512
e8c42bee58f0bdaf3ce63aaa688ed95899fcf8b2fa5eec0f56a10cd6bf9c2ffcc46082de08cbcaf26f37faae0a5a30d0cfeb7a82bc43a8777413b195624f6063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aff4ce88bd3f21e0594354ffe03b98af

SHA1
42872b2f32f2fc7a3b6876532f397c800d7f30b0

SHA256
d87c14ff222eb717768dd6c41d0962559a78cab96cd98e168b4ab0d15a9310ac

SHA512
03f2dbdf69eff4a1fd181610dc5d9facb5ba6a2cbd6248f5c9209e67406ba28bf64b62092d6527425052aaabefe0c52f1d008b81f4c7d1b4bafdcda2f6b44b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7560416848de45f541801f37870ed690

SHA1
f689be02d25806d9798137992a121d660f2432b8

SHA256
15d830f0a85cf3168f1131069b54ea95022aa586e0e5063678e8b5c89daca2e7

SHA512
d5fc65ecc2bbeb3bc30e46bccb78222b92c77f9bdbc44f7528b0628ebefc5274e26dbf204f8de910a0015bbb49f80bb90591f8d326edae7c4f2ab16ee3e55e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b4cb321f8e538d66f32d1cb7fac2f6d

SHA1
5341db5602d1c621b922d5e9743ac2db31924255

SHA256
bf40c8208086e6d1917c015cb248f015b24f009c388a83b41a7fda72dbbf94f9

SHA512
8cdd6a7e112fcaf2c907a18c0512b4d12782937e710bd41c9be1abe4b4fd61ff5c35a2b5aab05299464ec4cf1c5dd3e13ae45163cb9651ecceddde705bc638be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ffbcf488259dffce2d77afd44be2ecba

SHA1
7047ff0cd215f2f85bf64f14af9c79942a1ba68d

SHA256
a0c8bebe9af477fe83ab085ee3581aa4a0c736dcaf324e1ec58bb7197895da8b

SHA512
42771ce11f90ad92dbb1068753e36cbe221eca99417a590954fa4362de245f55040d3eaaaabe521f9e4074c26e4f58c0ddfd6c958bbe2e3ad07513d9e53942a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JS92D.tmp\BitberryFileOpenerSetup.tmp

Filesize
2.5MB

MD5
57ff94c3cefc6a7489944a74feceb4da

SHA1
03e6b2144f6c282797014e42c34b12bab9e97554

SHA256
abb77df93efbeafcdf768f94734cc88614e3f7f4789cfa73840f9cbd017597de

SHA512
ab09acfde6714b216aa96cee82ea111a2b9af5814e5ca6b9f9a5082095963f0efe980dfbb13948e65dcf47271c9d88d1c825d9bd161459edb81488fc5c0e6afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7TMQ.tmp\vc_redist.x86.exe

Filesize
13.1MB

MD5
1a15e6606bac9647e7ad3caa543377cf

SHA1
bfb74e498c44d3a103ca3aa2831763fb417134d1

SHA256
fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

SHA512
e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\Downloads\BitberryFileOpenerSetup.exe

Filesize
49.0MB

MD5
7a9074c1c8ee2079138ee577f79d22fc

SHA1
e8f1175ddc6aaf01417d858dcdfd755c8da3fa47

SHA256
2425e32388909b96cfebc48ab16006abf0e6d7106bdde27088e4f48c049ff89e

SHA512
b0813f30c37f9c0976a13cade83c226fb9fd33939991a5f99300be984243c8dd1dd77a555ff9061ca1aef175f20e0ac454f2b1b9ccb8a82542a5f9fb9be2dfa0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 762031.crdownload

Filesize
786KB

MD5
f4c087b05fa32ce7a132598e5d028f76

SHA1
fabd3cc3b409e14b6ab1b056df5da45aced2e7f5

SHA256
dcd5f9eb6bcbfaad0c59964a292bb5b9246ef459e53a4b1d744d2314e59c2aea

SHA512
cc1dd48cbea55f3f026fec3f4e7d9fe5f0ba962959c1251587a1b4025d24ac087f9d31be4a2c7547b238fcae3a19123f79416bd5c0dcb7e5195438bcbb51e8af

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710b1.exe

Filesize
3.6MB

MD5
a45673cbf245afb3ff461a06b27959f3

SHA1
8ff52ea98ef4b508584dd3a1a84f9adb8c233eaf

SHA256
3ddf96e686666ea923b17382a10d707876a888d012b9d4dace1005792cb7ab96

SHA512
a429e208a24aa99a5ac6487a061da975c7d18e7d4155788ddf1e1d589ba8124589d8497cf7cfe1848d0808cbe041e1db38001d0bf982f348dd83ea22054dcb07

Download Submit
memory/4588-870-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/4588-871-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/4856-980-0x000000006E970000-0x000000006EB21000-memory.dmp

Filesize
1.7MB

Download
memory/4856-999-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-920-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-979-0x000000006EB50000-0x000000006EB7C000-memory.dmp

Filesize
176KB

Download
memory/4856-978-0x000000006EB80000-0x000000006EF3E000-memory.dmp

Filesize
3.7MB

Download
memory/4856-977-0x000000006EF40000-0x000000006F31D000-memory.dmp

Filesize
3.9MB

Download
memory/4856-972-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-981-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-990-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-961-0x000000000C830000-0x000000000C831000-memory.dmp

Filesize
4KB

Download
memory/4856-1009-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/4856-976-0x000000006F320000-0x0000000070746000-memory.dmp

Filesize
20.1MB

Download
memory/4856-973-0x0000000071050000-0x0000000071250000-memory.dmp

Filesize
2.0MB

Download
memory/4856-974-0x0000000070FB0000-0x000000007104A000-memory.dmp

Filesize
616KB

Download
memory/4856-975-0x0000000070D80000-0x0000000070DA9000-memory.dmp

Filesize
164KB

Download
memory/4856-962-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/5088-875-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5088-575-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5088-774-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5564-549-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5564-574-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5564-876-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5704-866-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download
memory/5704-872-0x0000000000400000-0x000000000412E000-memory.dmp

Filesize
61.2MB

Download