Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2023 22:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.google.com/file/d/1_1Fzd0nInPHjrFtiPQJqK0ZJ96YpbnTr/view?usp=drive_link
Resource
win10v2004-20230220-en
General
-
Target
https://drive.google.com/file/d/1_1Fzd0nInPHjrFtiPQJqK0ZJ96YpbnTr/view?usp=drive_link
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
RdrCEF.exedescription ioc process File opened (read-only) \??\L: RdrCEF.exe File opened (read-only) \??\P: RdrCEF.exe File opened (read-only) \??\R: RdrCEF.exe File opened (read-only) \??\Z: RdrCEF.exe File opened (read-only) \??\A: RdrCEF.exe File opened (read-only) \??\H: RdrCEF.exe File opened (read-only) \??\I: RdrCEF.exe File opened (read-only) \??\N: RdrCEF.exe File opened (read-only) \??\S: RdrCEF.exe File opened (read-only) \??\U: RdrCEF.exe File opened (read-only) \??\V: RdrCEF.exe File opened (read-only) \??\W: RdrCEF.exe File opened (read-only) \??\B: RdrCEF.exe File opened (read-only) \??\F: RdrCEF.exe File opened (read-only) \??\G: RdrCEF.exe File opened (read-only) \??\X: RdrCEF.exe File opened (read-only) \??\Y: RdrCEF.exe File opened (read-only) \??\T: RdrCEF.exe File opened (read-only) \??\E: RdrCEF.exe File opened (read-only) \??\O: RdrCEF.exe File opened (read-only) \??\Q: RdrCEF.exe File opened (read-only) \??\J: RdrCEF.exe File opened (read-only) \??\K: RdrCEF.exe File opened (read-only) \??\M: RdrCEF.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 11 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\02b808ac-1f09-4edf-94fd-e5096d28d1b4.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230526000435.pma setup.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Processes:
iexplore.exeIEXPLORE.EXEAcroRd32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D51F23E0-FB58-11ED-BDA1-DA4DA442263B} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Modifies registry class 3 IoCs
Processes:
OpenWith.exemspaint.exemsedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
mspaint.exemsedge.exemsedge.exeidentity_helper.exeAcroRd32.exemsedge.exepid process 3268 mspaint.exe 3268 mspaint.exe 1996 msedge.exe 1996 msedge.exe 1892 msedge.exe 1892 msedge.exe 5320 identity_helper.exe 5320 identity_helper.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 5692 msedge.exe 5692 msedge.exe 5692 msedge.exe 5692 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RdrCEF.exedescription pid process Token: SeShutdownPrivilege 2096 RdrCEF.exe Token: SeCreatePagefilePrivilege 2096 RdrCEF.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msedge.exeiexplore.exepid process 1892 msedge.exe 1988 iexplore.exe 1892 msedge.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
iexplore.exeOpenWith.exemspaint.exeAcroRd32.exeIEXPLORE.EXEOpenWith.exepid process 1988 iexplore.exe 1988 iexplore.exe 4200 OpenWith.exe 3268 mspaint.exe 3840 AcroRd32.exe 3840 AcroRd32.exe 3884 IEXPLORE.EXE 3884 IEXPLORE.EXE 3840 AcroRd32.exe 3840 AcroRd32.exe 1580 OpenWith.exe 3840 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
iexplore.exemsedge.exedescription pid process target process PID 1988 wrote to memory of 3884 1988 iexplore.exe IEXPLORE.EXE PID 1988 wrote to memory of 3884 1988 iexplore.exe IEXPLORE.EXE PID 1988 wrote to memory of 3884 1988 iexplore.exe IEXPLORE.EXE PID 1892 wrote to memory of 2120 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 2120 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 64 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1996 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1996 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4164 1892 msedge.exe msedge.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1_1Fzd0nInPHjrFtiPQJqK0ZJ96YpbnTr/view?usp=drive_link1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=21A853726EFE3A973E26400247E9AFB6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81A6696E2B2A8A8E32798B451675B4CB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81A6696E2B2A8A8E32798B451675B4CB --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:13⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=506450A5568982E0B8A26B6734F04144 --mojo-platform-channel-handle=2116 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D595454CA8DD7902C7627DE4D6AC9AC --mojo-platform-channel-handle=2272 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=59E168D411AC43229CD1F70AE33E9E50 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc857e46f8,0x7ffc857e4708,0x7ffc857e47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a1a25460,0x7ff7a1a25470,0x7ff7a1a254803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11356794662175054072,16087930334119239068,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompressRevoke.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
64KB
MD5f5a5f10940c3bdfc57bb8ab6c2457847
SHA102d1038c8404b25643e408e12ed9a0748ad819c3
SHA256081fd81c8c7b90984594d2fd3c85340a5cb32e67bd27a9e38e49b5959b318fe4
SHA512bee797e3979b3afcd9c25768be10fee4932858e9740eeb83e200cd2158426b1f2d4ad4e43ca41e14544f4d5baef0a1d65f13a0e2c3e8fa6c94359606824d8f99
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b8c9383861d9295966a7f745d7b76a13
SHA1d77273648971ec19128c344f78a8ffeb8a246645
SHA256b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e
SHA512094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD591fa8f2ee8bf3996b6df4639f7ca34f7
SHA1221b470deb37961c3ebbcc42a1a63e76fb3fe830
SHA256e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068
SHA5125415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5657a2a9187f22c1440118651f5eb13ae
SHA1235cbab41c482ed0e0bdf2ac5b2adffc5c38c72c
SHA256ae2be8db6bf5b05433d03f6a57a08c124033f272ad4b8c26c7db6c60b161b3b4
SHA5128b0a5964d69686512adf9c76a1b01bcd69cc904b189d9c30483044fa1c7ab64a2e730a2a4ba645fd9fe0bb465a86c420dd87abc3af74c9c08a0714a2ab8e2aff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5af154c8e9cdee3532f77638deb32295f
SHA193da81d2ff54428db153b54a6aa16456dcf5f406
SHA2566f2b795c869745d01a7b05269ce5bcc0f920924045394b8545698af5d9d5ed24
SHA5126722e0435968af60b4dfdb91a784c26e7ccf9b81097a04365219f400848f3d805567e4673ed6ac7051e81dca67fcf7e25d3772f6abbdccc34072f1069aa5ac9b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5066a0e4419157976f92b0b30f9617b60
SHA1d4c7906f45dd256015b19db488eee4d13d717a54
SHA256ce2e053d9867160df21dc7dde70d8aa6c304aa6e173d1efbac1ca15e4951a9b0
SHA512f4850a5c475dec23e09e19fb4ad40ea7ab5ef28cd932f2509a4f49bb7a5b136997704df7db1c97802c43ebcd2c31da6cfe041fc514a3bd957cb0c23ecc7d62d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5c99b6574e7bae26ae1ad0639b197f3b8
SHA108a4066fbfdb241c042e000af4f427ab60183979
SHA256250b52c7e50db4af0b2db60efafff3f333419af26a794136f52bda3fcb191980
SHA51272f06cff71d15a1ba7ab2be45d3c1c368bf999c09e531c82cab4b7f09ac71e5c38404aec88a2f3cf0e219fb804f9f093c957a87c9480e751bbf96c976c1dda46
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD596e0f2c25f72a8f2bf4723bf674c56a8
SHA1c98fd8fed6a15e28375c7f01e77f834edbb7c44c
SHA2568ed1116be59ab1d6e8b041838f42a9c20e45e4790630aeab7b4173ad8a76ed3e
SHA512d6aa8cb0ada269b583eac0ef17d38f23173416f0b3d2af75fc2286640cde236eb22ab39e5e4bee3d3c841fb664189a2193e77740ee8291ce415358abdd765480
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD560b345592703258c513cb5fc34a2f835
SHA139991bd7ea37e2fc394be3b253ef96ce04088a6d
SHA2567e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300
SHA5120346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51e5ba0451ff36f3ea9e13836ff06ff26
SHA129d9432a220b56a8aff2ec973bd6006dad895117
SHA256be939c53dedb05948868aab0d04a7a31d9883884262e1da601e23cf95ca80951
SHA51210247ac659e1ad79d1984e617f9ded79cbddfe9c69177968f385729cf7d934c3ca82d4da8ad5dc025336b2ffdb0fbb7629fc0c400896304a5a71a001d030ee9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD543a06e85643ef9685753427317339f28
SHA1f5f0532a63df48d488f4d51ecedfeb84a60bb9d0
SHA25631f17f9c97081f0e4ce3cbfff5edaccef1b3c6a86a43e7b27f347268b28cf907
SHA512366eb54cbeb8bc7da093f1f2c18d18e6c80a73f07c83bfb6a080a510e94f366534c9ea987ba6cf095ec0dc880ba3783269879c138bcff8ba645f825cd66f69ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d1e3542e268cd58b8173c9c0d9481c8e
SHA1899d8f7b40191b2386a1491ff5297dba7680c673
SHA2563b27c94f8776cdfe7133da74c9acca50ddaa84d88d83156664ac8f1de7a96fc8
SHA512f180c2893e738f4505ed5ee24ae1a9103a2567f8710a82eff0d70bed4fdbe9a346329c2fe003788dae2c604c7a45c4afbce887ce5587343b81ff44a6b4099fea
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
256KB
MD59c481a94abc7eee23cd5234262e60077
SHA12873225e708fb5461ac60c3613fe12112423f0f0
SHA256681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061
SHA5120579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bakFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.logFilesize
1KB
MD5a05d3da2dad46f1ef3ede769919e65fc
SHA139d87a444d17f16b0308d15d882feceb01632879
SHA256771a5bd3577f1358841a8e19da020647e484714f743fe5b1aab382b65e54e112
SHA51228f17f1ca322c36d99922e1e7662535c5b689f039d5a5972b86d31c410fd59085d0c4295f7aa1b9bcca8643eb2737905f7c26aeda3a1eccb973dfcf8f550602e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5836c72c018bedbc452774f0cd1c533c4
SHA1362b0934c895e645163e84ded5029e9739147c4b
SHA2566a275631f3eb8b04823b00b0b16d63fae7633a8925de6587885c6f3625a3df0b
SHA5122ef934c929a22b909bae683b8f6d9b8752aef568ecea92797d1d8537758adb2e6ff4c084691cd8a2fd3988c7fdaf8d447b1302d95cffe1894a054d4606753a74
-
\??\pipe\LOCAL\crashpad_1892_KUHCGCSOFUUNCVBPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1384-171-0x000002B3CDDD0000-0x000002B3CDDD1000-memory.dmpFilesize
4KB
-
memory/1384-172-0x000002B3CDDE0000-0x000002B3CDDE1000-memory.dmpFilesize
4KB
-
memory/1384-170-0x000002B3CDD40000-0x000002B3CDD41000-memory.dmpFilesize
4KB
-
memory/1384-173-0x000002B3CDDE0000-0x000002B3CDDE1000-memory.dmpFilesize
4KB
-
memory/1384-165-0x000002B3CDD40000-0x000002B3CDD41000-memory.dmpFilesize
4KB
-
memory/1384-163-0x000002B3CDCC0000-0x000002B3CDCC1000-memory.dmpFilesize
4KB
-
memory/1384-156-0x000002B3C51A0000-0x000002B3C51B0000-memory.dmpFilesize
64KB
-
memory/1384-152-0x000002B3C5160000-0x000002B3C5170000-memory.dmpFilesize
64KB
-
memory/1384-174-0x000002B3CDDE0000-0x000002B3CDDE1000-memory.dmpFilesize
4KB
-
memory/3840-513-0x0000000008FA0000-0x000000000924B000-memory.dmpFilesize
2.7MB
-
memory/3840-517-0x0000000008FA0000-0x00000000090ED000-memory.dmpFilesize
1.3MB