Analysis
  max time kernel: 262s
  max time network: 265s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-03-2023 06:31

Static task: static1
Behavioral task: behavioral1
  Sample: Revised_Order_Documentfdp.scr
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Revised_Order_Documentfdp.scr
  Resource: win10v2004-20230220-en
General
  Target: Revised_Order_Documentfdp.scr
  Size: 300.3MB
  MD5: 03a5de4492a409b3fd4dcadb87f6e140
  SHA1: bb280dad0be2f7641bb83ca7429dc1861f90b39a
  SHA256: 07d8b0e5d6e43ea033dd06335b5b19c179f78733648a79006f9ac20b5c22042e
  SHA512: 2d8c5e179581e7633285df8e5ebcbe39bfed288b4416899d8941b5b138ae3d16b94fe612ea0a6cd1d2db303117b2881e678ffb2017a312b787935ea082589a59
  SSDEEP: 24576:ZTbBv5rUmlWpuLPF/q0f6PoedrSO67Lot/uMrD3gi64o:TBqaPdfuokSHOGMrD3364
Malware Config
Extracted family: remcos
  RemoteHost: 185.246.220.63:2404
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-0ILS8U
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
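The extracted configuration is what an analyst turns into hunting artifacts, and the flags matter as much as the values: with install_flag false (as here) there is no Run-key persistence to look for, and with keylog_flag false no logs.dat will be written. The Python below is an added example written for this report, not sandbox output and not Remcos code. It parses the key/value dump, splits RemoteHost into host and port, and derives the on-host artifacts gated on the flags. CONFIG_TEXT is a constructed copy of the values listed above; the %AppData% install base, the Run-key location and the '|' separator for multi-C2 builds are assumptions about how Remcos applies these settings, not facts the report states.

```python
"""Turn the Remcos configuration the sandbox extracted into hunting artifacts.

Added example for this report; not sandbox output and not Remcos code.
CONFIG_TEXT is a constructed copy of the key/value pairs listed above.
The install directory and Run-key placement are assumptions about how
Remcos applies these settings, not values the report states.
"""
from __future__ import annotations

CONFIG_TEXT = """\
RemoteHost 185.246.220.63:2404
audio_folder MicRecords
audio_record_time 5
connect_delay 0
connect_interval 1
copy_file remcos.exe
copy_folder Remcos
delete_file false
hide_file false
hide_keylog_file false
install_flag false
keylog_crypt false
keylog_file logs.dat
keylog_flag false
keylog_folder remcos
mouse_option false
mutex Rmc-0ILS8U
screenshot_crypt false
screenshot_flag false
screenshot_folder Screenshots
screenshot_path %AppData%
screenshot_time 10
startup_value Remcos
take_screenshot_option false
take_screenshot_time 5
"""

# Assumption: where Remcos puts its copy and keylog when the install/keylog
# flags are on; the report only gives folder and file names.
INSTALL_BASE = "%AppData%"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_config(text: str) -> dict[str, object]:
    """Parse 'key value' lines; coerce true/false to bool and digits to int."""
    cfg: dict[str, object] = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(" ")
        value = value.strip()
        if value.lower() in ("true", "false"):
            cfg[key] = value.lower() == "true"
        elif value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def c2_endpoints(cfg: dict[str, object]) -> list[tuple[str, int]]:
    """Split RemoteHost into (host, port) pairs.

    Assumption: builds with several C2s separate them with '|'; this sample
    has one. rpartition keeps hosts that themselves contain ':' intact.
    """
    endpoints: list[tuple[str, int]] = []
    for entry in str(cfg.get("RemoteHost", "")).split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        endpoints.append((host, int(port)))
    return endpoints


def win_path(*parts: object) -> str:
    return "\\".join(str(p) for p in parts)


def host_artifacts(cfg: dict[str, object]) -> dict[str, object]:
    """Artifacts to hunt for, gated on the flags so disabled features are not reported."""
    art: dict[str, object] = {
        "mutex": cfg["mutex"],
        "persistence": None,
        "keylog_file": None,
        "screenshot_dir": None,
    }
    if cfg.get("install_flag"):
        art["persistence"] = {
            "copy_path": win_path(INSTALL_BASE, cfg["copy_folder"], cfg["copy_file"]),
            "run_value": f"{RUN_KEY}\\{cfg['startup_value']}",
        }
    if cfg.get("keylog_flag"):
        art["keylog_file"] = win_path(INSTALL_BASE, cfg["keylog_folder"], cfg["keylog_file"])
    if cfg.get("screenshot_flag") or cfg.get("take_screenshot_option"):
        art["screenshot_dir"] = win_path(cfg["screenshot_path"], cfg["screenshot_folder"])
    return art


def summary(cfg: dict[str, object]) -> list[str]:
    """Human-readable triage lines built from the parsed config."""
    art = host_artifacts(cfg)
    lines = [
        f"C2 {host}:{port} (connect_delay={cfg['connect_delay']}, connect_interval={cfg['connect_interval']})"
        for host, port in c2_endpoints(cfg)
    ]
    lines.append(f"Mutex {art['mutex']}")
    if art["persistence"]:
        lines.append(f"Persistence {art['persistence']['copy_path']} via {art['persistence']['run_value']}")
    else:
        lines.append("Persistence not configured (install_flag false): payload runs from its dropped location only")
    for name in ("keylog_file", "screenshot_dir"):
        lines.append(f"{name} {art[name] or 'disabled'}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_config(CONFIG_TEXT))))
```

The mutex and the C2 endpoint are the two artifacts that hold regardless of flags; everything under %AppData% only exists if the corresponding flag is true, which is why host_artifacts reports None rather than a path for this build.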
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation   wscript.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation   Revised_Order_Documentfdp.scr
  Key value queried   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation   LocalISaKC_QNKT.exe

Executes dropped EXE (2 IoCs)
  PID 4864   LocalISaKC_QNKT.exe
  PID 1236   ehkbu.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 1236 (ehkbu.exe) set thread context of PID 4140 (RegSvcs.exe)
  PID 4140 (RegSvcs.exe) set thread context of PID 3784 (iexplore.exe)
  Both calls target a freshly spawned process with a different image than the caller, which is consistent with process hollowing: the dropped ehkbu.exe uses the signed .NET utility RegSvcs.exe as a host, and that host in turn targets iexplore.exe. On this Windows 10 image the iexplore.exe launch is redirected to Edge (the msedge.exe command line in the process tree carries o1=SHIM_NOVERSION_FOUND and processName=iexplore.exe), so the msedge.exe subtree below it is fallout of that redirect rather than further payload activity.

Drops file in Program Files directory (2 IoCs)
  File created                   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c9dcabee-6b85-4bdb-bde3-2bb8e5b6fea3.tmp   setup.exe
  File opened for modification   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230328083344.pma                    setup.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text: the extracted config identifies this sample as Remcos, a remote access tool, and nothing else in this report shows file encryption.)

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Modifies Internet Explorer settings (1 IoCs)
  Key created   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe

Modifies registry class (3 IoCs)
  Key created   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings                          Revised_Order_Documentfdp.scr
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   wscript.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\              msedge.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  PID 4404   AcroRd32.exe          (20 entries)
  PID 3888   msedge.exe            (2 entries)
  PID 2568   msedge.exe            (2 entries)
  PID 2844   identity_helper.exe   (2 entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 4140   RegSvcs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  PID 2568   msedge.exe   (9 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 4404   AcroRd32.exe   (1 entry)
  PID 2568   msedge.exe     (3 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4404   AcroRd32.exe   (7 entries)

Suspicious use of WriteProcessMemory (64 IoCs, repeated entries collapsed)
  PID 5032 (Revised_Order_Documentfdp.scr) wrote to memory of PID 4864 (LocalISaKC_QNKT.exe)   x3
  PID 5032 (Revised_Order_Documentfdp.scr) wrote to memory of PID 4404 (AcroRd32.exe)           x3
  PID 4864 (LocalISaKC_QNKT.exe) wrote to memory of PID 4036 (wscript.exe)                       x3
  PID 4036 (wscript.exe) wrote to memory of PID 1236 (ehkbu.exe)                                 x3
  PID 4404 (AcroRd32.exe) wrote to memory of PID 5052 (RdrCEF.exe)                               x3
  PID 5052 (RdrCEF.exe) wrote to memory of PID 4028 (RdrCEF.exe)                                 x43
  PID 5052 (RdrCEF.exe) wrote to memory of PID 1144 (RdrCEF.exe)                                 x6
  The 64 entries shown are dominated by Acrobat's RdrCEF.exe helper spawning; the writes into RegSvcs.exe and iexplore.exe that accompany the SetThreadContext calls above do not appear in this listing, so the SetThreadContext entries are the better signal for the injection chain.
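The WriteProcessMemory and SetThreadContext entries above are the raw material for reconstructing the injection chain, but read one line at a time they are noisy: every parent-to-child pair is repeated, and Acrobat's helpers produce far more writes than the malware does. The Python below is an added example (not part of the sandbox tooling): it parses event lines in the report's own wording, de-duplicates the repeated pairs, rebuilds the parent chain from writer to target, and flags SetThreadContext calls whose target is a different image from the caller, rating them higher when the target is a commonly hollowed host binary. The event lines are constructed from the Signatures section, with one deliberate repeat to exercise the de-duplication; the HOLLOW_HOSTS list is an analyst heuristic and an assumption, not something the report states.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory and
SetThreadContext events.

Added example for this report, not part of the sandbox tooling. The event
lines below are constructed from the Signatures section (one line per unique
pair plus one deliberate repeat to show de-duplication).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WRITE_EVENTS = """\
PID 5032 wrote to memory of 4864 5032 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe
PID 5032 wrote to memory of 4864 5032 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe
PID 5032 wrote to memory of 4404 5032 Revised_Order_Documentfdp.scr AcroRd32.exe
PID 4864 wrote to memory of 4036 4864 LocalISaKC_QNKT.exe wscript.exe
PID 4036 wrote to memory of 1236 4036 wscript.exe ehkbu.exe
PID 4404 wrote to memory of 5052 4404 AcroRd32.exe RdrCEF.exe
PID 5052 wrote to memory of 4028 5052 RdrCEF.exe RdrCEF.exe
"""

CONTEXT_EVENTS = """\
PID 1236 set thread context of 4140 1236 ehkbu.exe RegSvcs.exe
PID 4140 set thread context of 3784 4140 RegSvcs.exe iexplore.exe
"""

# Report wording: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Assumption (analyst heuristic, not from the report): signed Microsoft
# binaries that RATs commonly hollow to host their payload.
HOLLOW_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "iexplore.exe", "vbc.exe",
}


@dataclass(frozen=True)
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    kind: str  # "write" (WriteProcessMemory) or "setctx" (SetThreadContext)


def parse_events(write_text: str, ctx_text: str) -> list[Edge]:
    """Parse both event lists into unique edges, preserving first-seen order."""
    edges: list[Edge] = []
    seen: set[Edge] = set()
    for text, rx, kind in ((write_text, WRITE_RE, "write"), (ctx_text, CTX_RE, "setctx")):
        for m in rx.finditer(text):
            edge = Edge(int(m[1]), int(m[2]), m[3], m[4], kind)
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def build_parents(edges: list[Edge]) -> tuple[dict[int, int], dict[int, str]]:
    """Map each target PID to the first process that wrote into it, and PID to image."""
    parents: dict[int, int] = {}
    images: dict[int, str] = {}
    for e in edges:
        images.setdefault(e.src_pid, e.src_image)
        images.setdefault(e.dst_pid, e.dst_image)
        parents.setdefault(e.dst_pid, e.src_pid)
    return parents, images


def chain_to(pid: int, parents: dict[int, int], images: dict[int, str]) -> list[tuple[int, str]]:
    """Walk from pid up to the root; returns root-first (pid, image) pairs."""
    chain: list[tuple[int, str]] = []
    visited: set[int] = set()
    cur: int | None = pid
    while cur is not None and cur not in visited:
        visited.add(cur)
        chain.append((cur, images.get(cur, "?")))
        cur = parents.get(cur)
    chain.reverse()
    return chain


def suspected_hollowing(edges: list[Edge]) -> list[tuple[Edge, str]]:
    """SetThreadContext into a different image than the caller is the hollowing tell.

    Parent-to-child WriteProcessMemory on its own is routine (Acrobat's
    RdrCEF.exe helpers do it constantly in this report), so only the context
    switch is used as the signal; the write that precedes it may not even
    make it into a capped IoC list.
    """
    findings: list[tuple[Edge, str]] = []
    for e in edges:
        if e.kind != "setctx" or e.src_image.lower() == e.dst_image.lower():
            continue
        severity = "high" if e.dst_image.lower() in HOLLOW_HOSTS else "medium"
        findings.append((e, severity))
    return findings


if __name__ == "__main__":
    edges = parse_events(WRITE_EVENTS, CONTEXT_EVENTS)
    parents, images = build_parents(edges)
    for edge, severity in suspected_hollowing(edges):
        path = " -> ".join(f"{img}[{p}]" for p, img in chain_to(edge.dst_pid, parents, images))
        print(f"{severity}: {edge.src_image} hollowed {edge.dst_image}; chain {path}")
```

Run against the report's events this yields two high-severity findings and the full chain Revised_Order_Documentfdp.scr -> LocalISaKC_QNKT.exe -> wscript.exe -> ehkbu.exe -> RegSvcs.exe -> iexplore.exe; the AcroRd32.exe branch produces no finding because it only ever writes into its own helper processes.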
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\Revised_Order_Documentfdp.scr
  cmd: "C:\Users\Admin\AppData\Local\Temp\Revised_Order_Documentfdp.scr" /S
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\LocalISaKC_QNKT.exe
    cmd: "C:\Users\Admin\AppData\LocalISaKC_QNKT.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wscript.exe
      cmd: "C:\Windows\System32\wscript.exe" pxbffb-fpkmd.bmp.vbe
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe" osoek.dat
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          \??\c:\program files (x86)\internet explorer\iexplore.exe
            cmd: "c:\program files (x86)\internet explorer\iexplore.exe"
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
              - Enumerates system info in registry
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x7c,0xdc,0x100,0x78,0x104,0x7ffbc13f46f8,0x7ffbc13f4708,0x7ffbc13f4718
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
              C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                - Drops file in Program Files directory
                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff74f115460,0x7ff74f115470,0x7ff74f115480
              C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16843638899265089614,11749350361080626700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc13f46f8,0x7ffbc13f4708,0x7ffbc13f4718
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalEakfkhbzPY.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59AE91D8DAB7D7D1484AC7FEBFE7D47C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59AE91D8DAB7D7D1484AC7FEBFE7D47C --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D581DD395C6C32226DA706232A777508 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=26C6F8394757EFC42BCD7C232BF7886B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=26C6F8394757EFC42BCD7C232BF7886B --renderer-client-id=4 --mojo-platform-channel-handle=2156 --allow-no-sandbox-job /prefetch:1
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E86F92DA817000FA9FD2FD05C31142E --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C12E186872467559C870E6AF2C8FB404 --mojo-platform-channel-handle=2788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB7D6CEE5E854EDA3914C661F9B65470 --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalEakfkhbzPY.pdfFilesize
167KB
MD52cfecbd58e0eec099942e74f05c38cff
SHA14cf962574cacef01d9f5ec911542c55c2af0c64e
SHA256b218d8a4ee4c29a98a3a5e6218a1836d7dfd36f5565117dc15b7a0c903da8abe
SHA51287ef346dc8fff5de0663e9ade5a98f5436a594e0f57390bbb242b09897690d77d01e6f7cee25af5aaf65f7d406a765520e5b98c60c873e4f4fc3d58c248a5304
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA104664634a6d9e87286e27a30ef8117e198669647
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
SHA51271488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA104664634a6d9e87286e27a30ef8117e198669647
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
SHA51271488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA104664634a6d9e87286e27a30ef8117e198669647
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
SHA51271488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize 64KB
MD5 377799e0a23ffe4e65685c17e86703a2
SHA1 a384e78eb7bbecc3eb77b34b9e37f7793fc9de69
SHA256 fe6d160489bc09b676bd7ff2def9ec76793802538ee6e569b5b48b12b79a836a
SHA512 a387ce14d40b3a53179d807f96d0cc72f909dc0dbfbf6729ae4fbfade85eaa12441b541be4c8eef318753263df7ee3055acc57c77ca83ffbcb707abb71c370fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize 471B
MD5 c0beffd3dd0db195fe31ce8265e9094f
SHA1 bf9e183202f8283aad218eda5049abc566903ae0
SHA256 e769ed75ff7a96b74a16fcd412d683686bcb611a0b7905808c139f15526cd7c0
SHA512 369253adaec3d990c0dcc99c8450900ae8619db635b9c2b35e9515f39ec903469ef4faa4ee4a85f31158dccbd4991700478c27e613dafbc5e26817c32fa58e83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize 400B
MD5 904125f8465092e4e43ff285b4866890
SHA1 8159aa2857adf76f353b7fcb94f4ff2bad7a6223
SHA256 982ab40fc4c1d66743d290549db405b19ee137a2445cf8686b37ad53c0e04389
SHA512 9cb21dc8b95116fc83ba7cbfaff47e3b6480ed6ed16f29b04b3918750da9d4051b6b5b9c60182033a2c273dfab6a81ddfc9d5d9e020e7bac836cef3e0741e985
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
Filesize 12KB
MD5 57ec60f7696ace4ecdfc371cca41050c
SHA1 d856bc48e10d234d75de4f3a978cf074d4e04e94
SHA256 6d361664c51ebdf8cebce5f0d4de3eec46c751abf0dc4d94ada610a5b19b22f0
SHA512 009ed6fffb818929b4e0776994208653cd6f1495b631a9712efe3ffd5d70c51d2486db5cf06750a41f7b216ff0f6e8dd4a1f8f542eee7f11c92b4a4e1070b581
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 b8c9383861d9295966a7f745d7b76a13
SHA1 d77273648971ec19128c344f78a8ffeb8a246645
SHA256 b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e
SHA512 094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 91fa8f2ee8bf3996b6df4639f7ca34f7
SHA1 221b470deb37961c3ebbcc42a1a63e76fb3fe830
SHA256 e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068
SHA512 5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\92e0a363-2de5-4ff3-9035-a069fe6aefb7.tmp
Filesize 4KB
MD5 487425711ece49e78aba3624323b30ea
SHA1 6d47dde4e9496af7aafa8aa32044cfe708152d02
SHA256 41536c9841d816623fb0878da598be4b03e50960835142c13b605a9d89e210dd
SHA512 83b72c119f14abb37cfd73589aac5f2a7920e816ce10ca26e43995045194a16bcaaff8c8e8c5db4d1289a045333b3caf4e3669a759038f5710cfe56437243584
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 1602ceaa772ca25832c0b462fa905116
SHA1 827a20573635911ac08598dbcedfc912d750c8a4
SHA256 478f843b2879f007a0dbd4114655aa8ec3fecd1a98ee906b5687a9a26079d3e9
SHA512 1e8fb9a3d8bfddabffc39d6daf13a157ec1bf3539ce8e90567b5815d7427d084ab534f5c4a5500102f5e9f3b588c3a88529ced554bfc1802c454512532354fb4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 216B
MD5 d89de617a99d48d84c683f8fed74eac2
SHA1 e9d5ba53724791c98eed25d12ebf07a872f9c31e
SHA256 c9f84afaec67a92e5c2c9b3e39c58f8daa7db9701edf958131c7cba6cb1e2f85
SHA512 e70a35c52e0fd0cf8eab43031589c9927dd029fdfe8ffa3ce5327c1341f1eba51fcbd3090e9daa44e8fd47da4c1dd1800393b2f8b239d963388c1d8e44ae6864
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize 2KB
MD5 02a4c53092fe9bd7e50473f46b7f5f74
SHA1 32c4623defbcc346c4c9939fe1f48e9b50e48db1
SHA256 dc8100713dea054f7e755be89140f979f8835acaadfc05762899a1c4a9c4d698
SHA512 7bf8ef6e7a995f061fbe5edfd76074eddf3cc5bfc406bdad08547fe0227edd388da286b0e557e80fcd08c0762fdafb3a2ac7b1c785c0b24d6e372bc766cb66ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 488B
MD5 5f536b46bf614a78c0b1e2f5369feb2d
SHA1 f90dcb28435f29b4ca9510d748f59f8efb4edde5
SHA256 68ece087b9025630eb0d58c45305224f8a4a19543ce000c71664081cb109763a
SHA512 882be278461a04400954f94b533c9918c837820780f16cf90386bfe88dda7945eb6e294c41d7d8c381d5f087ea332e703f71eca24a3a9b3d4fef96a1460650df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 28acef6b57f4dbccb0279831037d5dc0
SHA1 5868dc3bab8258d336e9e9a567b4295d61a9bfed
SHA256 d1e93c3e8b0fd1c48280043114da0f73932ac8fa935eee7af7f896f613473dac
SHA512 21e032b955448c28a8c9f68c2dfaf56596449a43616d33f072715cc7a6ac9eb84ae9f507490296ea96aca820365fcd6f38a6f00bfa97ff9681ef5b50e6bf5fc3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 d38b87c7cf2816c3fbbed28deca36ed3
SHA1 3c53ba49ad55e654059aa7ed1cef64494dbaa4bf
SHA256 e4729f6ee13de4630e0935f51b53911a38788ca9bdfd47d93ac54397e518c09a
SHA512 610672125799890a3826deceb494be255cc8754b2b888c5363d710e7f04a6ef7b990fb68a0a7c1c74f34e0b45b59cc8476af082a9194bfaf5e65b42c008a7559
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize 24KB
MD5 60b345592703258c513cb5fc34a2f835
SHA1 39991bd7ea37e2fc394be3b253ef96ce04088a6d
SHA256 7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300
SHA512 0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 369B
MD5 d48107f8140b9d500588462cda78703f
SHA1 3e98299221da0b16927aacb8f1f21b63353eb250
SHA256 ff4a344dd0da967f970e29afa35545fc707cb29117c77615cd01279e2fe92325
SHA512 2bda6657d26e741243f4318d68ae3676fe080a2cb901371cdad1a90a3e7a7823f1738404de630314100ce80320a6a16973485f46da45464198b1f5712b61b776
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585afc.TMP
Filesize 369B
MD5 10cbf7a204cee1e5339ebd3f4ecb4523
SHA1 2acf5756309878a0842a84c116d8c918960ce652
SHA256 c3faa14ee6156dc3bda4ae5d025fb17c2fba7abb1823befa7655764ef504ad87
SHA512 b5bb69b0a2851c5f88db6a286bc040f986c03a51b8ddfb9f8ddd516bce3c0296665667703015e62d62393c859ab789ebc234ba8e7cf06f6a9335d6955877d208
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 5fb0f00bbb6e6bf5e3f047bf974a9df6
SHA1 784600a4fe947c01dba0a04647ffa4451813db7d
SHA256 a0da6225c2687a13aeb2b01b79da67a3ca1d9bf7691cc0f03ed7a5b7c6654cd8
SHA512 19c1f1da8b1c496a91be83b82755908a7162a8b1b472762c29790e6ad7131938672ae2e30cd70f00be6f94b15aaab8273496a1a46e4f65b694f525490669a437
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 9KB
MD5 1f74091730ea4fbc4c828d63c9fd1674
SHA1 97672be48eed96c1e4d1374038be03df62962dd7
SHA256 23076267083ea349f303c917f278164dc64a30eb742a749e188a9d9f88648a32
SHA512 a5624e09ca67f251c9a37c30dfc94eeb157c1459201489fe95e07c5adb5bf3fd0b74ff1d9701d0f46e94f26657aa6cde1d893b0071de44d737a34b5f63d37be3
-
C:\Users\Admin\AppData\Local\Temp\cppv\dbamss.rpg
Filesize 868KB
MD5 3018e14b39c9633d246c9d5e2bff88fd
SHA1 09ca88027622c823f804786f9192f3e0dadad09d
SHA256 32e400fd227d0590d1ba5628ffc300d4c67a1e26764ae6ebae3cf74762e8a6d8
SHA512 bfbb15efb7d38e6917898402406031c84c20efcf07ccdc28c6ad2bced9165037a0341e0471443a9adffa82dd878decc35d866064cf2914221b53ec3969d8f827
-
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
Filesize 944KB
MD5 76ab3e669b01f2a037c34060a4e9ea02
SHA1 8a04e160052b1fcf803c7d867f8b1c3682ecda62
SHA256 c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583
SHA512 d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223
-
C:\Users\Admin\AppData\Local\Temp\cppv\ggcoopcd.exe
Filesize 36KB
MD5 ae20d990918c3003eadad115c7c54c9c
SHA1 f9e72d61f73fe382143cc4f2a52d3e76c71a4d3b
SHA256 ea266dc747fd492bae1682595dbb066fc0cca80db84c8757c5c719a7af5faa4e
SHA512 4bfc52bbeba535d5674b2cb6713c9d8eef7e716169ec64e6b6f90ad22a43d7bd3aaa0c5ff4c6a6e9745849d35641b4eb1f13cbacf895b4592d0c4dcde9c64aa4
-
C:\Users\Admin\AppData\Local\Temp\cppv\osoek.dat
Filesize 93.1MB
MD5 10bf7c6ad8a79508841359d1e00487de
SHA1 9b9d4294260b86ac0d9d6307830329aeff4cff6c
SHA256 34d15509786fac4f4ca1d7181e10614b1fc5fc3e5c1add6428e64594fec43ebf
SHA512 04ad60f5fd4ef57d884f421e46c56d29a30c2633cab37be36778b78bd858434a6746180f0c107f27c999cd4e162a612f853df8ab575d4ffc9e081e84fe01d87e
-
C:\Users\Admin\AppData\Local\temp\cppv\pxbffb-fpkmd.bmp.vbe
Filesize 47KB
MD5 3345543b3aa28f415cfc7665cd95b02a
SHA1 3f1a2588ea4b36eaee50ec5146df7f42a8b063f9
SHA256 260b3c71b33ae80765af93908120ff5948cb65daca9dca2165f6807b20c41853
SHA512 53794a66f55395af601bff752e113cd7d5dc02b4d187bb6e9ab54e7e7abd9c9f399d8a7c40f45a5a023ac919218495b78b589ffd47eb5923f402ec68b2d28b26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 cddce33234d3943cad74bd49b72dc659
SHA1 04ca05fd9b3751228bd3f92c3b33f24894ab5a4f
SHA256 a28e6f59031dd7226003ae1f9eb761aa22b1c6873c4ccb0fd85e75a2939759f1
SHA512 94fe7492e51d0b281603bafee8918ee807bfdfc4f40a10fe634a5fe7bed4cf4e1e907fc2c64727155297e50d0e460827ca328437f0501a05068b89193ee82483
-
\??\pipe\LOCAL\crashpad_2568_OGMHPCWVHKEWDKYU
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3784-290-0x0000000000F30000-0x0000000000F3E000-memory.dmp
Filesize 56KB
-
memory/4140-270-0x0000000000730000-0x0000000000D67000-memory.dmp
Filesize 6.2MB
-
memory/4140-271-0x0000000000730000-0x0000000000D67000-memory.dmp
Filesize 6.2MB
-
memory/4140-274-0x0000000000730000-0x0000000000D67000-memory.dmp
Filesize 6.2MB
-
memory/4140-291-0x0000000000730000-0x0000000000D67000-memory.dmp
Filesize 6.2MB
-
memory/4140-309-0x0000000000730000-0x0000000000D67000-memory.dmp
Filesize 6.2MB
-
memory/5032-133-0x0000000014020000-0x0000000014030000-memory.dmp
Filesize 64KB
-
memory/5032-134-0x0000000000A10000-0x0000000001A10000-memory.dmp
Filesize 16.0MB
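The listing above comes out of the report as a flat dump: the path is fused with the Filesize label, each algorithm name is fused with its digest, the same dropped file appears several times because the sandbox logs every write, and two kinds of entry carry no hashes or no size at all (memory dumps have a size but no digests; the crashpad named pipe has digests but no size). Before such a listing can feed a hash set it has to be decoded, and one caveat matters: the pipe entry's MD5, SHA-1 and SHA-256 values are the digests of zero-byte input, so a scanner that treats them as indicators will flag every empty lock or placeholder file on a host. The Python below is an added example for this page and not code from the sandbox report. It parses an excerpt copied from the entries above (SHA-1 and SHA-512 lines dropped to keep it short), collapses repeated path-plus-digest entries, labels pipe and memory-dump records, and sweeps a directory for SHA-256 matches while skipping empty-content digests unless explicitly told to include them. The directory sweep, the `Artifact` record and all function names are this example's own, not anything the report defines.

```python
"""Parse a sandbox 'Downloads' listing into IOC records and sweep a directory.
Added example for this page, not code from the sandbox report."""
from __future__ import annotations
import hashlib
import os
import re
from dataclasses import dataclass, field

# Excerpt copied from the report's listing (SHA1/SHA512 lines omitted), left in
# its flattened form: path fused with "Filesize", algorithm fused with digest.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
-
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exeFilesize
944KB
MD576ab3e669b01f2a037c34060a4e9ea02
SHA256c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583
-
\??\pipe\LOCAL\crashpad_2568_OGMHPCWVHKEWDKYUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/4140-270-0x0000000000730000-0x0000000000D67000-memory.dmpFilesize
6.2MB
"""

HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# SHA-256 of zero bytes; the crashpad pipe entry in the report carries exactly this.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


@dataclass
class Artifact:
    path: str
    size: str | None = None            # size string as reported, e.g. "944KB"
    kind: str = "file"                 # "file", "pipe" or "memory"
    hashes: dict[str, str] = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        return self.hashes.get("sha256") == EMPTY_SHA256


def parse_downloads(text: str) -> list[Artifact]:
    """Split the listing on '-' separator lines and decode each entry."""
    records: list[Artifact] = []
    for chunk in re.split(r"^-\s*$", text.strip(), flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head, rest = lines[0], lines[1:]
        if head.endswith("Filesize"):
            path, size = head[:-8], (rest.pop(0) if rest else None)
        elif head.endswith("MD5"):  # pipe entries have no size: label fuses onto name
            path, size = head[:-3], None
            if rest:
                rest[0] = "MD5" + rest[0]  # the digest sits alone on the next line
        else:
            raise ValueError(f"unrecognised entry header: {head!r}")
        kind = "memory" if path.startswith("memory/") else "pipe" if "\\pipe\\" in path else "file"
        art = Artifact(path, size, kind)
        for line in rest:
            m = HASH_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line under {path!r}: {line!r}")
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {path!r}")
            art.hashes[algo] = digest
        records.append(art)
    return records


def dedupe(records: list[Artifact]) -> list[Artifact]:
    """Collapse repeated (path, sha256) entries; the sandbox logs every write."""
    uniq: dict[tuple, Artifact] = {}
    for r in records:
        uniq.setdefault((r.path, r.hashes.get("sha256")), r)
    return list(uniq.values())


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(records: list[Artifact], root: str, include_empty: bool = False):
    """Return (local_path, artifact) pairs whose SHA-256 matches a record.
    Empty-content digests are skipped unless include_empty is set: every
    zero-byte file on a host would otherwise 'match' the crashpad pipe entry."""
    wanted = {r.hashes["sha256"]: r for r in records
              if "sha256" in r.hashes and (include_empty or not r.is_empty)}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                d = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the sweep
            if d in wanted:
                hits.append((p, wanted[d]))
    return hits
```

Running `dedupe(parse_downloads(REPORT_EXCERPT))` yields four records from the five entries in the excerpt; `scan_directory` over a directory that contains a zero-byte file reports nothing by default and reports the pipe record only when `include_empty=True`, which is the behaviour you want before handing the hash set to an EDR or a YARA-style sweep.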